bzr, pycurl, and self-signed certs?
Jan Hudec
bulb at ucw.cz
Thu Jan 4 19:18:08 GMT 2007
On Thu, Jan 04, 2007 at 07:09:17PM +0100, Vincent Ladeuil wrote:
> >>>>> "Jan" == Jan Hudec <bulb at ucw.cz> writes:
> Jan> It would be nice if bzr could have a list of trusted
> Jan> certificates in the config file and whenever accessing
> Jan> site with self-signed certificate, ask for confirmation
> Jan> (printing fingerprint and info) and then add that
> Jan> certificate to the list. I.e. similar to how e.g. ssh
> Jan> works.
>
> I'm unsure about that. http clients I know of either provide an
> option to accept self-certified hosts (for command-line ones) or
> propose to consult many more details than just fingerprint and
> info (for the browsers I know).

Well. Asking is used in all graphical clients and is certainly the most
useful thing for the user. A slight problem with bzr is that we want to
keep it scriptable. Maybe bzr could download the certificate, store it
as .pem somewhere and tell the user that if he wants to trust it, he
should move it somewhere/add its name in some config/whatever.

By the way, by 'info' I meant all the attributes of the certificate.
Basically everything that you can decipher from a certificate that can
be of any use for the user.

> So far, the threads mentioned previously* are what I will base my
> work on, but I'm open to discussions.

I tried looking at the curl interface, but unfortunately I was not able
to find a way to get at the certificate. There is a hook that seems to
be called at the right place, but the python bindings don't seem to
expose it (i.e. the respective constant does not exist in python).

--------------------------------------------------------------------------------
- Jan Hudec `Bulb' <bulb at ucw.cz>
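
Added example, not part of the original message and not bzr code: a sketch of the non-interactive flow proposed above, where an unknown certificate is saved as a .pem under a pending directory and only trusted once the user moves it. The store layout (`pending/`, `trusted/`), the function names and the use of Python's `ssl` module instead of pycurl are assumptions.

```python
import hashlib
import os
import re
import ssl

def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon-separated for display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_der(host, port=443):
    """Fetch the server's certificate without validating it (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def _path(store, state, host):
    # Host names become file names, so refuse anything that could escape the store.
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", host):
        raise ValueError("unexpected host name: %r" % host)
    return os.path.join(store, state, host + ".pem")

def check_certificate(host, der, store):
    """Return 'trusted', 'mismatch' or 'pending'; never prompts, so scripts keep working."""
    trusted = _path(store, "trusted", host)
    if os.path.exists(trusted):
        with open(trusted) as f:
            pinned = ssl.PEM_cert_to_DER_cert(f.read())
        # A changed certificate for a pinned host is refused, like a changed ssh host key.
        return "trusted" if pinned == der else "mismatch"
    pending = _path(store, "pending", host)
    os.makedirs(os.path.dirname(pending), exist_ok=True)
    with open(pending, "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))
    return "pending"

def trust(host, store):
    """The manual step: move the pending .pem into the trusted directory."""
    src, dst = _path(store, "pending", host), _path(store, "trusted", host)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    os.replace(src, dst)
```

A caller that gets `pending` would print `fingerprint(der)` and the path of the saved file, then abort the connection until the user has run the equivalent of `trust()` by hand.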