[bug?] launchpad and pycurl

Alexander Belchenko bialix at ukr.net
Mon Jan 29 08:48:22 GMT 2007



Andrew Bennetts wrote:
> Alexander Belchenko wrote:
>>
>> I just discovered that any trunk branch of a product registered on Launchpad
>> could be retrieved by using the URL of its Launchpad page. I.e.
>>
>> bzr branch http://launchpad.net/bzr-config
>>
>> But there is a problem with pycurl:
>>
>> $ bzr branch https://launchpad.net/bzr-config
>> bzr: ERROR: pycurl.error: (60, 'SSL certificate problem, verify that the CA cert is OK.
>> Details:\nerror:14090086:SSL
>>  routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')
>>
>> Traceback (most recent call last):
> [...]
>> error: (60, 'SSL certificate problem, verify that the CA cert is OK. Details:\nerror:14090086:SSL
>> routines:SSL3_GET_
>> SERVER_CERTIFICATE:certificate verify failed')
> [...]
>> What's wrong here? Is this a bug in pycurl itself?
> 
> There's certainly a bug in bzr here — pycurl thinks there's something wrong with
> the SSL certificate of the server, which is a legitimate sort of error for an
> SSL client to report, so it shouldn't cause a traceback.  That is, it ought to
> produce a human-friendly error explaining what's wrong.  I've filed
> https://bugs.launchpad.net/bzr/+bug/82086 about this.
> 
> There's arguably a separate bug in pycurl, which is that the error message in
> the exception is hardly helpful.  If you google for "curl 14090086" you quickly
> find http://curl.haxx.se/docs/faq.html#4.12 which explains in plain English
> what's actually wrong.  You'd think they could use that text to improve the
> hopelessly vague "SSL certificate problem, verify that the CA cert is OK"
> message.  bzr could check the error code and give a more precise message for
> this case to work around this, though.
> 
> In your case, Launchpad's certificate is apparently signed by
> http://www.starfieldtech.com/ (just looking at the details my web browser
> reports when surfing https://launchpad.net/), so I'd guess the problem for you
> is that the curl installation you're using doesn't include their CA cert.  The
> FAQ link above links to http://curl.haxx.se/docs/sslcerts.html, which suggests
> ways to tell the curl library about more CA certs.

The problem for me is that I don't use the curl library alone.
I use the pycurl extension for Python. Right now it's at version
libcurl/7.15.5 OpenSSL/0.9.8c zlib/1.2.3 c-ares/1.3.1

So if something is wrong with the bundled certificates, I'm completely doomed.

I think bzr *should* provide a way to obtain missing certificates.
Especially for Launchpad.net.

Alexander
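
The error-code check and the extra CA bundle discussed in this thread, as an added example that is not part of the original message and is not bzr's own code. The names `explain_curl_error`, `fetch`, `CertificateVerificationError` and the `ca_bundle` parameter are hypothetical; `fetch` assumes pycurl is installed and that `ca_bundle` is the path to a PEM file containing the missing CA certificate.

```python
import io

CURLE_SSL_CACERT = 60  # libcurl error number shown in the traceback above


class CertificateVerificationError(Exception):
    """Readable replacement for pycurl.error 60 (hypothetical class name)."""


def explain_curl_error(args, url, ca_bundle=None):
    """Turn pycurl.error args (code, message) into a readable exception.

    Returns None for codes this example does not handle, so the caller
    can re-raise the original error untouched.
    """
    code = args[0] if args else None
    if code != CURLE_SSL_CACERT:
        return None
    detail = args[1] if len(args) > 1 else ""
    source = ca_bundle or "libcurl's default CA bundle"
    return CertificateVerificationError(
        "Cannot verify the SSL certificate of %s: the issuing CA is not "
        "in %s. Add the CA certificate to a PEM bundle and pass its path; "
        "verification stays enabled. (curl said: %s)" % (url, source, detail))


def fetch(url, ca_bundle=None):
    """GET url with verification on, trusting ca_bundle if one is given."""
    import pycurl  # imported here so explain_curl_error works without it
    buf = io.BytesIO()
    curl = pycurl.Curl()
    curl.setopt(pycurl.URL, url)
    curl.setopt(pycurl.WRITEFUNCTION, buf.write)
    curl.setopt(pycurl.SSL_VERIFYPEER, 1)  # never switched off as a workaround
    curl.setopt(pycurl.SSL_VERIFYHOST, 2)  # certificate must match the host name
    if ca_bundle:
        curl.setopt(pycurl.CAINFO, ca_bundle)  # tell libcurl about more CA certs
    try:
        curl.perform()
    except pycurl.error as exc:
        friendly = explain_curl_error(exc.args, url, ca_bundle)
        if friendly is None:
            raise  # not a CA problem: keep the original error
        raise friendly from exc
    finally:
        curl.close()
    return buf.getvalue()
```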
