[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)
mads at kiilerich.com
Mon Nov 1 19:26:27 CDT 2010
Thomas Arendsen Hein wrote, On 11/01/2010 08:56 PM:
> * Mads Kiilerich<mads at kiilerich.com> [20101101 12:01]:
>> FWIW I don't understand why httpconnection.connect unconditionally wraps
>> in SSL if SSL is available and we are using proxy and we can CONNECT.
>> Shouldn't that only be done for https connections - which won't end up
>> in that code anyway? And what's the story behind the comment that we
>> don't support client x509 certificates?
> What I just found out: Your patch works fine with Python 2.6, but
> with Python 2.5 + ssl 1.15 it does not. Even test-https.t fails
> in this case:
ssl 1.15 - that is http://pypi.python.org/pypi/ssl/1.15 ? Do https work
for you without proxy? (Apparently, according to the test failures you
Mr Stuart says in line 300: 'certificate checking requires Python 2.6'.
This module claims to be 'quite similar to the 2.6 ssl module'. Almost,
but not completely... The ssl module might be ok, but the rest of the
url/http libs are so different that I don't think it is feasible to
support all combinations. I tend to consider it a bug that we try to use
this ssl module on 2.5.
Thomas, you confirmed that it worked for 2.6 (and it also works for 2.7
- I promise!), so unless we get a better offer I would like like to push
this "partial" fix to stable. The tests should be run with 2.6+ ssl only.
Unless someone wants to fix it for 2.5 I think we should make sure that
url.py only uses the ssl module from 2.6. (That can be verified with
"from ssl import _ssl", right?). 2.5 should always use socket.ssl -
which unfortunately don't have ca_certs support. That might cause a
regression in some cases where it worked, but I don't think we can
support it. I won't try.
More information about the Mercurial-devel