pycurl transport causes tracebacks if the server's SSL cert cannot be verified.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bazaar | Confirmed | Medium | Unassigned | |
| Breezy | Fix Released | Medium | Jelmer Vernooij | |

Bug Description
Originally reported on the mailing list by Alexander Belchenko:
https:/
If the curl library cannot verify the server's SSL certificate (e.g. because it is self-signed, or the CA cert used is missing from the system, or because it's a bad SSL certificate), it causes an ugly traceback like:
$ bzr branch https:/
bzr: ERROR: pycurl.error: (60, 'SSL certificate problem, verify that the CA cert is OK.
Details:
routines:
Traceback (most recent call last):
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
File "bzrlib\
error: (60, 'SSL certificate problem, verify that the CA cert is OK. Details:
routines:SSL3_GET_
SERVER_
(In the case of Launchpad, it appears Alexander doesn't have the necessary CA cert.)
bzr should not show the user a traceback. It's a legitimate problem that should be reported cleanly to the user, explaining the likely causes and perhaps also remedies.
Related branches
- Martin Packman: Approve

Diff: 991 lines (+20/-691), 9 files modified
breezy/tests/features.py (+0/-1)
breezy/tests/http_server.py (+0/-22)
breezy/tests/https_server.py (+0/-14)
breezy/tests/test_bzrdir.py (+0/-12)
breezy/tests/test_http.py (+11/-169)
breezy/transport/__init__.py (+4/-18)
breezy/transport/http/__init__.py (+1/-1)
breezy/transport/http/_pycurl.py (+0/-454)
doc/en/release-notes/brz-3.0.txt (+4/-0)
Changed in bzr:
assignee: nobody → v-ladeuil
Changed in bzr:
status: Confirmed → Fix Released
Changed in bzr:
status: Fix Released → Triaged
Changed in bzr:
status: Triaged → Confirmed
Changed in brz:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 3.0.0
Changed in brz:
status: Triaged → Fix Released
assignee: nobody → Jelmer Vernooij (jelmer)
A simple fix is to just create an "InvalidCertificate" error, with 'internal_error=False', and a fairly nice error message.
The page you mentioned is for the "curl" commandline front end. For the library, usually this is more relevant: curl.haxx.se/libcurl/c/curl_easy_setopt.html
http://
And specifically: curl.haxx.se/libcurl/c/curl_easy_setopt.html#SSL
http://
This can easily go along with the earlier discussion with vila, about how to enable self-certified hosts. (env var, or config entry). We just allow for a way to not require verification for specific hosts.
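
The fix suggested in the comment above, sketched as an added example (not code from the original page, bzr or Breezy): a certificate-verification failure is converted into a user-facing error that prints without a traceback, while verification itself stays enabled. `CurlError`, `fetch`, `report` and `demo` are hypothetical stand-ins so the sketch runs without pycurl or bzrlib; only the error number 60 and the `InvalidCertificate` / `internal_error=False` idea come from the report.

```python
import traceback

CURLE_SSL_CACERT = 60  # the errno in the pycurl.error shown in the bug report


class CurlError(Exception):
    """Constructed stand-in for pycurl.error; args are (errno, message)."""


class InvalidCertificate(Exception):
    """User-facing error; internal_error=False tells the reporter to skip the traceback."""
    internal_error = False

    def __init__(self, url, detail):
        self.url, self.detail = url, detail
        super().__init__(
            "Could not verify the SSL certificate for %s: %s\n"
            "Likely causes: the certificate is self-signed, its CA certificate "
            "is missing from this system, or the certificate is invalid."
            % (url, detail))


def fetch(url, perform):
    """Run a transfer; convert only certificate-verification failures."""
    try:
        return perform(url)
    except CurlError as e:
        if e.args and e.args[0] == CURLE_SSL_CACERT:
            raise InvalidCertificate(url, e.args[1]) from e
        raise  # other curl failures keep their existing handling


def report(exc):
    """Format an exception the way a command-line front end would print it."""
    if getattr(exc, "internal_error", True):
        tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return "bzr: ERROR: %r\n%s" % (exc, tb)
    return "bzr: ERROR: %s" % exc


def demo(errno, message, url="https://example.invalid/branch"):
    """Simulate a failing transfer (constructed input) and return the report."""
    def perform(_url):
        raise CurlError(errno, message)
    try:
        fetch(url, perform)
    except Exception as e:
        return report(e)
```
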