[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)

Thomas Arendsen Hein thomas at intevation.de
Tue Nov 2 03:42:38 CDT 2010 

* Mads Kiilerich <mads at kiilerich.com> [20101102 01:26]:
> Thomas Arendsen Hein wrote, On 11/01/2010 08:56 PM:
>> * Mads Kiilerich<mads at kiilerich.com>  [20101101 12:01]:
>>> FWIW I don't understand why httpconnection.connect unconditionally wraps
>>> in SSL if SSL is available and we are using proxy and we can CONNECT.
>>> Shouldn't that only be done for https connections - which won't end up
>>> in that code anyway? And what's the story behind the comment that we
>>> don't support client x509 certificates?
>> What I just found out: Your patch works fine with Python 2.6, but
>> with Python 2.5 + ssl 1.15 it does not. Even test-https.t fails
>> in this case:
>
> ssl 1.15 - that is http://pypi.python.org/pypi/ssl/1.15 ? Do https work  
> for you without proxy? (Apparently, according to the test failures you  
> included ...)

Yes, yes.

> Mr Stuart says in line 300: 'certificate checking requires Python 2.6'.  
> This module claims to be 'quite similar to the 2.6 ssl module'. Almost,  
> but not completely... The ssl module might be ok, but the rest of the  
> url/http libs are so different that I don't think it is feasible to  
> support all combinations. I tend to consider it a bug that we try to use  
> this ssl module on 2.5.

Without proxy it works quite well.

> Thomas, you confirmed that it worked for 2.6 (and it also works for 2.7  
> - I promise!), so unless we get a better offer I would like like to push  
> this "partial" fix to stable. The tests should be run with 2.6+ ssl only.

Confirmed to work with (and without) proxy with 2.6.

With 2.5 https access through proxy works, too, just no certifiate
checking is done. And the tests fail, which is a reason to not push
it to stable in this way.

> Unless someone wants to fix it for 2.5 I think we should make sure that  
> url.py only uses the ssl module from 2.6.

As it currently works without using a proxy, this would be very bad.

Python 2.5 is e.g. current Debian stable, so it is not that uncommon
to encounter it.

What should probably be done is that if web.cacerts is set, https
access should abort if certs can't be verified.

Regards,
Thomas

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

More information about the Mercurial-devel mailing list