[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)

Mads Kiilerich mads at kiilerich.com
Mon Nov 1 19:26:27 CDT 2010

Thomas Arendsen Hein wrote, On 11/01/2010 08:56 PM:
> * Mads Kiilerich<mads at kiilerich.com>  [20101101 12:01]:
>> FWIW I don't understand why httpconnection.connect unconditionally wraps
>> in SSL if SSL is available and we are using proxy and we can CONNECT.
>> Shouldn't that only be done for https connections - which won't end up
>> in that code anyway? And what's the story behind the comment that we
>> don't support client x509 certificates?
> What I just found out: Your patch works fine with Python 2.6, but
> with Python 2.5 + ssl 1.15 it does not. Even test-https.t fails
> in this case:

ssl 1.15 - that is http://pypi.python.org/pypi/ssl/1.15 ? Do https work 
for you without proxy? (Apparently, according to the test failures you 
included ...)

Mr Stuart says in line 300: 'certificate checking requires Python 2.6'. 
This module claims to be 'quite similar to the 2.6 ssl module'. Almost, 
but not completely... The ssl module might be ok, but the rest of the 
url/http libs are so different that I don't think it is feasible to 
support all combinations. I tend to consider it a bug that we try to use 
this ssl module on 2.5.

Thomas, you confirmed that it worked for 2.6 (and it also works for 2.7 
- I promise!), so unless we get a better offer I would like like to push 
this "partial" fix to stable. The tests should be run with 2.6+ ssl only.

Unless someone wants to fix it for 2.5 I think we should make sure that 
url.py only uses the ssl module from 2.6. (That can be verified with 
"from ssl import _ssl", right?). 2.5 should always use socket.ssl - 
which unfortunately don't have ca_certs support. That might cause a 
regression in some cases where it worked, but I don't think we can 
support it. I won't try.


More information about the Mercurial-devel mailing list