[RFC] SSL certificates bundle for windows bzr installers

Alexander Belchenko bialix at ukr.net
Sun Feb 18 14:13:48 GMT 2007


Here is the problem and bug report: https://launchpad.net/bzr/+bug/82086

Vincent says:

"...All in all, I think we should:
1 - issue a nicer error,
2 - allow users to disable certificate verification,
3 - distribute a valid crt file for windows

I can work on 1 and 2, but would appreciate feedback on 3."

Points 1 and 2 are clear to me and out of question.
I agree, we should implement this functionality.

I want to talk more about point 3.

After a conversation with Daniel Stenberg on the pycurl mailing list
I found only one way to make pycurl work with the https:// transport:
passing the CAINFO option to the curl object.
On Windows bzr *should* *explicitly* specify the path to the bundle of
SSL certificates when https+pycurl:// is used. Probably this step
is also required on other platforms; probably it depends
on the pycurl build version in the specific Linux distribution.

Anyway, this means that I need to include the certificates bundle in the windows installers.
For a python-based installation this file will be installed
to the C:\Python25\share directory (os.path.join(sys.prefix, 'share')).
For standalone bzr.exe this file will be installed to
the application directory (default: C:\Program Files\Bazaar).
PycurlHttpsTransport should check for the presence of the file with
the cert bundle in the corresponding location, and pass the full path
to the bundle to curl with the CAINFO option.

There is one bundle in the curl source code packages (in curl-7.16.1.tar.gz
it's the file named 'ca-bundle.crt' in the 'lib' directory).
Another bundle can be downloaded from the page: http://curl.haxx.se/docs/caextract.html
(file cacert.pem). This bundle is converted from Mozilla sources.

Both of these bundles work OK with launchpad.net (I made a simple test to get
the front page from https://launchpad.net).

ca-bundle.crt has a size of about 240KB, but the license is not clear to me: can we
distribute this file with our installers?
cacert.pem has a size of about 420KB, and the page says about the license:
"This new file is only a converted version of the original one and thus it is licensed under the
same licenses: MPL 1.1, GPL v2.0 or LGPL 2.1". So I assume we could use this file
without any restrictions.

My main question: can I add one of these bundles to the bzr source tree to simplify
the build process of the windows installers?

I'd like to add it to the source because this makes my build process fully automated
(today I make each installer in one simple step: running make with the corresponding target).

--
Alexander
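
The lookup proposed in the message above, sketched as an added example (not part of the original post and not bzr's code): find the bundle in the two install locations named there and hand its full path to curl through CAINFO, leaving verification enabled either way. The bundle file name, the helper names and the use of `sys.frozen` to detect the standalone bzr.exe are assumptions.

```python
import os
import sys

BUNDLE_NAME = "cacert.pem"  # assumption: the post leaves the choice of bundle open


def bundle_dir(prefix=None, executable=None, frozen=None):
    """Return the directory the installer is expected to put the bundle in."""
    if frozen is None:
        # Assumption: the standalone bzr.exe is a py2exe-style build (sets sys.frozen).
        frozen = bool(getattr(sys, "frozen", False))
    if frozen:
        # Standalone bzr.exe: the application directory.
        return os.path.dirname(os.path.abspath(executable or sys.executable))
    # Python-based install: os.path.join(sys.prefix, 'share').
    return os.path.join(prefix or sys.prefix, "share")


def find_ca_bundle(prefix=None, executable=None, frozen=None):
    """Return the full path of the bundle, or None if it is not installed."""
    path = os.path.join(bundle_dir(prefix, executable, frozen), BUNDLE_NAME)
    return path if os.path.isfile(path) else None


def configure_verification(curl, pycurl_mod, bundle_path):
    """Keep peer and host checks on; set CAINFO only when a bundle exists."""
    curl.setopt(pycurl_mod.SSL_VERIFYPEER, 1)
    curl.setopt(pycurl_mod.SSL_VERIFYHOST, 2)
    if bundle_path is not None:
        curl.setopt(pycurl_mod.CAINFO, bundle_path)
    # False means libcurl falls back to whatever CA store it was built with.
    return bundle_path is not None


if __name__ == "__main__":
    try:
        import pycurl  # imported here so the helpers above load without it
    except ImportError:
        print("pycurl not installed; bundle path:", find_ca_bundle())
    else:
        handle = pycurl.Curl()
        used = configure_verification(handle, pycurl, find_ca_bundle())
        print("CAINFO set from bundled file" if used else "libcurl default CA store")
```

When the file is absent the handle is left on libcurl's built-in CA settings with verification still on, so a missing bundle surfaces as a certificate error instead of an unverified connection.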



