Comment 3 for bug 82086

Vincent Ladeuil (vila) wrote : Re: [Bug 82086] Re: pycurl transport causes tracebacks if the server's SSL cert cannot be verified.

>>>>> "bialix" == Alexander Belchenko <email address hidden> writes:

    bialix> John A Meinel writes:
    >> A simple fix is to just create an "InvalidCertificate" error, with
    >> 'internal_error=False', and a fairly nice error message.
    >>
    >> The page you mentioned is for the "curl" commandline front
    >> end. For the library, usually this is more relevant:
    >> http://curl.haxx.se/libcurl/c/curl_easy_setopt.html
    >>
    >> And specifically:
    >> http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#SSL
    >>
    >> This can easily go along with the earlier discussion with
    >> vila, about how to enable self-certified hosts. (env var,
    >> or config entry). We just allow for a way to not require
    >> verification for specific hosts.

I thought about that too, but telling people to disable
certificate verification for *launchpad* ... seems... not the
right thing to do.

    bialix> Can we automatically fallback from pycurl to urllib
    bialix> if certificate check failed? At least with warning to
    bialix> user?

Ouchy, not simply, I'm afraid.

Embedding a correct crt file (curl, not libcurl, includes such a
file in its distribution*) in the windows distribution may be
more appropriate. And I agree with Andrew's suggestion to talk
about that with pycurl upstream to include the CA for launchpad
(a quick check seems to reveal that starfield is not included so
far).

All in all, I think we should:
1 - issue a nicer error,
2 - allow users to disable certificate verification,
3 - distribute a valid crt file for windows

I can work on 1 and 2, but would appreciate feedback on 3.

    Vincent

*: it's named 'curl-ca-bundle.crt', but it seems it does not
 include the CA for launchpad. On the Ubuntu side,
 ca-certificates is a dedicated package.
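The three points Vincent lists (a user-facing error instead of a traceback, an explicit per-host opt-out of verification, and a shipped CA bundle) sketched as an added example; this is not bzr's or pycurl's code, and it uses Python's standard `ssl` module rather than pycurl so it runs without extra dependencies. The `InvalidCertificate` class name and `internal_error` attribute follow the discussion above; `build_ssl_context` and `translate_ssl_error` are hypothetical helper names.

```python
import ssl
from typing import FrozenSet, Optional


class InvalidCertificate(Exception):
    """User-facing error for an unverifiable server certificate.

    internal_error=False signals that this is a configuration problem on
    the user's side, not a bug in the client, so no traceback is shown.
    """
    internal_error = False

    def __init__(self, host: str, reason: str) -> None:
        super().__init__(
            f"Unable to verify the SSL certificate of {host}: {reason}. "
            "Install the issuing CA, or explicitly allow unverified "
            "connections to this host in your configuration.")
        self.host = host
        self.reason = reason


def build_ssl_context(host: str,
                      unverified_hosts: FrozenSet[str] = frozenset(),
                      ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verification is the default; only hosts the user listed skip it.

    ca_bundle points at a shipped CA file (curl-ca-bundle.crt style);
    when None the platform store (ca-certificates on Ubuntu) is used.
    Disabling verification is a per-host decision, never a global one.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if host in unverified_hosts:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def translate_ssl_error(host: str, exc: ssl.SSLError) -> Exception:
    """Turn a certificate-verification failure into the nicer error;
    any other SSL error is returned unchanged."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # verify_message is only set when the SSL layer raised the error.
        reason = getattr(exc, "verify_message", None) or str(exc)
        return InvalidCertificate(host, reason)
    return exc
```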