bzr branch does not support SNI

Bug #1089352 reported by j^
This bug affects 4 people
Affects   Status         Importance   Assigned to   Milestone
Bazaar    In Progress    High         Unassigned
Breezy    Fix Released   High         Unassigned    3.0.0

Bug Description

When trying to pull a branch from an https URL that uses SNI (Server Name Indication), bzr fails to connect to the right host and complains about a wrong certificate.
Instead it should support SNI and just work.

Revision history for this message
j^ (j) wrote:

With bzr branch https+pycurl:// SNI is supported. Since Python 2.7 does not support SNI (it's fixed in 3.2), it might be better to use pycurl by default if available.

Vincent Ladeuil (vila)
Changed in bzr:
status: New → Confirmed
importance: Undecided → Medium
Charles (cha3les) wrote:

In bzrlib/transport/http/_urllib2_wrappers.py there is a bit of unnecessary code which fails for SNI situations. The attached patch removes the bad check.

httplib.HTTPSConnection.__init__ already does the correct check. I have tested this against https://wrong.host.badssl.com/ with my patch applied, and things fail properly.

Jelmer Vernooij (jelmer)
Changed in bzr:
importance: Medium → High
Vincent Ladeuil (vila) wrote:

Sorry for the delay.

I've reproduced the issue against https://bzr.debian.org:

The current code gets the following cert:

{'OCSP': (u'http://ocsp.usertrust.com',),
 'caIssuers': (u'http://crt.usertrust.com/GandiStandardSSLCA2.crt',),
 'crlDistributionPoints': (u'http://crl.usertrust.com/GandiStandardSSLCA2.crl',),
 'issuer': ((('countryName', u'FR'),),
            (('stateOrProvinceName', u'Paris'),),
            (('localityName', u'Paris'),),
            (('organizationName', u'Gandi'),),
            (('commonName', u'Gandi Standard SSL CA 2'),)),
 'notAfter': 'Apr 26 23:59:59 2018 GMT',
 'notBefore': u'Apr 14 00:00:00 2016 GMT',
 'serialNumber': u'4EA82D0B8C8B42D1BFC1061DC9720982',
 'subject': ((('organizationalUnitName', u'Domain Control Validated'),),
             (('organizationalUnitName', u'Gandi Standard Wildcard SSL'),),
             (('commonName', u'*.alioth.debian.org'),)),
 'subjectAltName': (('DNS', '*.alioth.debian.org'),
                    ('DNS', 'alioth.debian.org')),
 'version': 3L}

whereas with SNI it gets the proper:

{'OCSP': (u'http://ocsp.int-x3.letsencrypt.org/',),
 'caIssuers': (u'http://cert.int-x3.letsencrypt.org/',),
 'issuer': ((('countryName', u'US'),),
            (('organizationName', u"Let's Encrypt"),),
            (('commonName', u"Let's Encrypt Authority X3"),)),
 'notAfter': 'Mar 27 11:49:00 2017 GMT',
 'notBefore': u'Dec 27 11:49:00 2016 GMT',
 'serialNumber': u'03667BE3EB8574E879B8D448575FF5DA86B6',
 'subject': ((('commonName', u'git.debian.org'),),),
 'subjectAltName': (('DNS', 'anonscm.debian.org'),
                    ('DNS', 'arch.debian.org'),
                    ('DNS', 'bzr.debian.org'),
                    ('DNS', 'cvs.debian.org'),
                    ('DNS', 'darcs.debian.org'),
                    ('DNS', 'git.debian.org'),
                    ('DNS', 'hg.debian.org'),
                    ('DNS', 'svn.debian.org')),
 'version': 3L}

I'll have a fix shortly.

Changed in bzr:
assignee: nobody → Vincent Ladeuil (vila)
status: Confirmed → In Progress
Vincent Ladeuil (vila) wrote:

Oh, and for the record, this wasn't supported by Python previously (and is still not supported by the API bzr was using), but it is now possible to get SNI support by using a different API.
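The two points raised in this thread, shown together as an added example that is not part of the bug report and not bzrlib/breezy code: first, why the non-SNI certificate is rejected, by running a hostname match (a small RFC 6125-style matcher written here, not the one in httplib/ssl) against the two certificate dicts quoted above, trimmed to the fields that matter; second, how a client opts into SNI with the stdlib ssl API, where the server name is passed as server_hostname to SSLContext.wrap_socket. The network helper fetch_peer_cert and the hostname matcher are assumptions of this example; only the offline checks are exercised by default.

```python
"""SNI and hostname matching, illustrated with the certificates quoted in the report.

Added example, not project code. The certificate dicts are copied (trimmed) from the
report; cert_matches_hostname is this example's own simplified matcher.
"""
import socket
import ssl
import sys

# Certificate the server returns when no SNI is sent (trimmed from the report).
CERT_WITHOUT_SNI = {
    "subject": ((("commonName", "*.alioth.debian.org"),),),
    "subjectAltName": (("DNS", "*.alioth.debian.org"), ("DNS", "alioth.debian.org")),
}

# Certificate the server returns when SNI names bzr.debian.org (trimmed from the report).
CERT_WITH_SNI = {
    "subject": ((("commonName", "git.debian.org"),),),
    "subjectAltName": (
        ("DNS", "anonscm.debian.org"), ("DNS", "arch.debian.org"),
        ("DNS", "bzr.debian.org"), ("DNS", "cvs.debian.org"),
        ("DNS", "darcs.debian.org"), ("DNS", "git.debian.org"),
        ("DNS", "hg.debian.org"), ("DNS", "svn.debian.org"),
    ),
}


def _dns_names(cert):
    """Names a client may match: SAN dNSName entries, or the CN only when there is no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _pattern_matches(pattern, hostname):
    """Match one certificate name against a hostname; '*' is allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False  # partial wildcards and '*.tld' are rejected
    return p[1:] == h[1:]


def cert_matches_hostname(cert, hostname):
    """True if the peer certificate dict (ssl.getpeercert() shape) is valid for hostname."""
    return any(_pattern_matches(name, hostname) for name in _dns_names(cert))


def fetch_peer_cert(host, port=443, send_sni=True, timeout=10):
    """Connect with the stdlib ssl API and return the peer certificate dict (needs network).

    With send_sni=True the hostname goes out in the ClientHello and the context also
    verifies it. With send_sni=False no server name is sent, so a virtual-hosting server
    answers with its default certificate; check_hostname must then be off and the
    caller has to run the hostname check itself, which is where the mismatch surfaces.
    """
    ctx = ssl.create_default_context()
    if not send_sni:
        ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED: the chain is still checked
    with socket.create_connection((host, port), timeout=timeout) as raw:
        kwargs = {"server_hostname": host} if send_sni else {}
        with ctx.wrap_socket(raw, **kwargs) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    target = "bzr.debian.org"
    print("no SNI, cert for", target, "->", cert_matches_hostname(CERT_WITHOUT_SNI, target))
    print("SNI,    cert for", target, "->", cert_matches_hostname(CERT_WITH_SNI, target))
    if len(sys.argv) > 1:  # optional live check: python sni_example.py some.host.example
        live = sys.argv[1]
        for sni in (False, True):
            cert = fetch_peer_cert(live, send_sni=sni)
            print("SNI" if sni else "no SNI", _dns_names(cert), cert_matches_hostname(cert, live))
```

Run without arguments it reports False for the wildcard *.alioth.debian.org certificate and True for the Let's Encrypt one, which is exactly the "wrong certificate" complaint in the report: the server is not misbehaving, the client simply never told it which name it wanted.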

Jelmer Vernooij (jelmer)
Changed in brz:
status: New → Triaged
importance: Undecided → High
Jelmer Vernooij (jelmer)
Changed in brz:
milestone: none → 3.0.0
Jelmer Vernooij (jelmer)
Changed in brz:
status: Triaged → Fix Released
Vincent Ladeuil (vila)
Changed in bzr:
assignee: Vincent Ladeuil (vila) → nobody