[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)
Mads Kiilerich
mads at kiilerich.com
Tue Nov 2 19:36:21 CDT 2010
Thomas Arendsen Hein wrote, On 11/02/2010 09:42 AM:
> * Mads Kiilerich<mads at kiilerich.com> [20101102 01:26]:
>> Thomas Arendsen Hein wrote, On 11/01/2010 08:56 PM:
>>> * Mads Kiilerich<mads at kiilerich.com> [20101101 12:01]:
>>>> FWIW I don't understand why httpconnection.connect unconditionally wraps
>>>> in SSL if SSL is available and we are using proxy and we can CONNECT.
>>>> Shouldn't that only be done for https connections - which won't end up
>>>> in that code anyway? And what's the story behind the comment that we
>>>> don't support client x509 certificates?
>>> What I just found out: Your patch works fine with Python 2.6, but
>>> with Python 2.5 + ssl 1.15 it does not. Even test-https.t fails
>>> in this case:
>> ssl 1.15 - that is http://pypi.python.org/pypi/ssl/1.15 ? Do https work
>> for you without proxy? (Apparently, according to the test failures you
>> included ...)
> Yes, yes.
>
>> Mr Stuart says in line 300: 'certificate checking requires Python 2.6'.
>> This module claims to be 'quite similar to the 2.6 ssl module'. Almost,
>> but not completely... The ssl module might be ok, but the rest of the
>> url/http libs are so different that I don't think it is feasible to
>> support all combinations. I tend to consider it a bug that we try to use
>> this ssl module on 2.5.
> Without proxy it works quite well.
>
>> Thomas, you confirmed that it worked for 2.6 (and it also works for 2.7
>> - I promise!), so unless we get a better offer I would like like to push
>> this "partial" fix to stable. The tests should be run with 2.6+ ssl only.
> Confirmed to work with (and without) proxy with 2.6.
>
> With 2.5 https access through proxy works, too, just no certifiate
> checking is done.
Really? The test output showed that it failed, also without cacerts.
> And the tests fail, which is a reason to not push
> it to stable in this way.
>
>> Unless someone wants to fix it for 2.5 I think we should make sure that
>> url.py only uses the ssl module from 2.6.
> As it currently works without using a proxy, this would be very bad.
>
> Python 2.5 is e.g. current Debian stable, so it is not that uncommon
> to encounter it.
>
> What should probably be done is that if web.cacerts is set, https
> access should abort if certs can't be verified.
I can commit the patch and ensure that the test is run with 2.6+ only
(as intended), so you don't get test failure.
It is not clear to me if that gives a regression for you with
2.5+ssl+proxy but no cacert.
Should I do that? Or will you take over and improve on the patch?
/Mads
More information about the Mercurial-devel
mailing list