74
lazy_import.lazy_import(globals(), """
79
# Note for packagers: if there is no package providing certs for your platform,
80
# the curl project produces http://curl.haxx.se/ca/cacert.pem weekly.
81
_ssl_ca_certs_known_locations = [
82
u'/etc/ssl/certs/ca-certificates.crt', # Ubuntu/debian/gentoo
83
u'/etc/pki/tls/certs/ca-bundle.crt', # Fedora/CentOS/RH
84
u'/etc/ssl/ca-bundle.pem', # OpenSuse
85
u'/etc/ssl/cert.pem', # OpenSuse
86
u"/usr/local/share/certs/ca-root-nss.crt", # FreeBSD
87
# XXX: Needs checking, can't trust the interweb ;) -- vila 2012-01-25
88
u'/etc/openssl/certs/ca-certificates.crt', # Solaris
90
def default_ca_certs():
91
if sys.platform == 'win32':
92
return os.path.join(os.path.dirname(sys.executable), u"cacert.pem")
93
elif sys.platform == 'darwin':
94
# FIXME: Needs some default value for osx, waiting for osx installers
95
# guys feedback -- vila 2012-01-25
98
# Try known locations for friendly OSes providing the root certificates
99
# without making them hard to use for any https client.
100
for path in _ssl_ca_certs_known_locations:
101
if os.path.exists(path):
104
# A default path that makes sense and will be mentioned in the error
105
# presented to the user, even if not correct for all platforms
106
return _ssl_ca_certs_known_locations[0]
109
def ca_certs_from_store(path):
110
if not os.path.exists(path):
111
raise ValueError("ca certs path %s does not exist" % path)
115
def cert_reqs_from_store(unicode_str):
119
"required": ssl.CERT_REQUIRED,
120
"none": ssl.CERT_NONE
123
raise ValueError("invalid value %s" % unicode_str)
125
def default_ca_reqs():
126
if sys.platform in ('win32', 'darwin'):
127
# FIXME: Once we get a native access to root certificates there, this
128
# won't needed anymore. See http://pad.lv/920455 -- vila 2012-02-15
133
opt_ssl_ca_certs = config.Option('ssl.ca_certs',
134
from_unicode=ca_certs_from_store,
135
default=default_ca_certs,
138
Path to certification authority certificates to trust.
140
This should be a valid path to a bundle containing all root Certificate
141
Authorities used to verify an https server certificate.
143
Use ssl.cert_reqs=none to disable certificate verification.
146
opt_ssl_cert_reqs = config.Option('ssl.cert_reqs',
147
default=default_ca_reqs,
148
from_unicode=cert_reqs_from_store,
151
Whether to require a certificate from the remote side. (default:required)
154
* none: Certificates ignored
155
* required: Certificates required and validated
158
checked_kerberos = False
77
162
class addinfourl(urllib2.addinfourl):
300
385
# XXX: Needs refactoring at the caller level.
301
386
def __init__(self, host, port=None, proxied_host=None,
302
report_activity=None):
387
report_activity=None, ca_certs=None):
303
388
AbstractHTTPConnection.__init__(self, report_activity=report_activity)
304
389
# Use strict=True since we don't support HTTP/0.9
305
390
httplib.HTTPConnection.__init__(self, host, port, strict=True)
306
391
self.proxied_host = proxied_host
392
# ca_certs is ignored, it's only relevant for https
308
394
def connect(self):
309
395
if 'http' in debug.debug_flags:
312
398
self._wrap_socket_for_reporting(self.sock)
315
# Build the appropriate socket wrapper for ssl
317
# python 2.6 introduced a better ssl package
319
_ssl_wrap_socket = ssl.wrap_socket
321
# python versions prior to 2.6 don't have ssl and ssl.wrap_socket instead
322
# they use httplib.FakeSocket
323
def _ssl_wrap_socket(sock, key_file, cert_file):
324
ssl_sock = socket.ssl(sock, key_file, cert_file)
325
return httplib.FakeSocket(sock, ssl_sock)
401
# These two methods were imported from Python 3.2's ssl module
403
def _dnsname_to_pat(dn, max_wildcards=1):
405
for frag in dn.split(r'.'):
406
if frag.count('*') > max_wildcards:
407
# Python Issue #17980: avoid denials of service by refusing more
408
# than one wildcard per fragment. A survery of established
409
# policy among SSL implementations showed it to be a
412
"too many wildcards in certificate DNS name: " + repr(dn))
414
# When '*' is a fragment by itself, it matches a non-empty dotless
418
# Otherwise, '*' matches any dotless fragment.
419
frag = re.escape(frag)
420
pats.append(frag.replace(r'\*', '[^.]*'))
421
return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
424
def match_hostname(cert, hostname):
425
"""Verify that *cert* (in decoded format as returned by
426
SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 rules
427
are mostly followed, but IP addresses are not accepted for *hostname*.
429
CertificateError is raised on failure. On success, the function
433
raise ValueError("empty or no certificate")
435
san = cert.get('subjectAltName', ())
436
for key, value in san:
438
if _dnsname_to_pat(value).match(hostname):
440
dnsnames.append(value)
442
# The subject is only checked when subjectAltName is empty
443
for sub in cert.get('subject', ()):
444
for key, value in sub:
445
# XXX according to RFC 2818, the most specific Common Name
447
if key == 'commonName':
448
if _dnsname_to_pat(value).match(hostname):
450
dnsnames.append(value)
451
if len(dnsnames) > 1:
452
raise errors.CertificateError(
453
"hostname %r doesn't match either of %s"
454
% (hostname, ', '.join(map(repr, dnsnames))))
455
elif len(dnsnames) == 1:
456
raise errors.CertificateError("hostname %r doesn't match %r" %
457
(hostname, dnsnames[0]))
459
raise errors.CertificateError("no appropriate commonName or "
460
"subjectAltName fields were found")
328
463
class HTTPSConnection(AbstractHTTPConnection, httplib.HTTPSConnection):
330
465
def __init__(self, host, port=None, key_file=None, cert_file=None,
331
466
proxied_host=None,
332
report_activity=None):
467
report_activity=None, ca_certs=None):
333
468
AbstractHTTPConnection.__init__(self, report_activity=report_activity)
334
469
# Use strict=True since we don't support HTTP/0.9
335
470
httplib.HTTPSConnection.__init__(self, host, port,
336
471
key_file, cert_file, strict=True)
337
472
self.proxied_host = proxied_host
473
self.ca_certs = ca_certs
339
475
def connect(self):
340
476
if 'http' in debug.debug_flags:
345
481
self.connect_to_origin()
347
483
def connect_to_origin(self):
348
ssl_sock = _ssl_wrap_socket(self.sock, self.key_file, self.cert_file)
484
# FIXME JRV 2011-12-18: Use location config here?
485
config_stack = config.GlobalStack()
486
cert_reqs = config_stack.get('ssl.cert_reqs')
487
if self.proxied_host is not None:
488
host = self.proxied_host.split(":", 1)[0]
491
if cert_reqs == ssl.CERT_NONE:
492
ui.ui_factory.show_user_warning('not_checking_ssl_cert', host=host)
493
ui.ui_factory.suppressed_warnings.add('not_checking_ssl_cert')
496
if self.ca_certs is None:
497
ca_certs = config_stack.get('ssl.ca_certs')
499
ca_certs = self.ca_certs
502
"No valid trusted SSL CA certificates file set. See "
503
"'bzr help ssl.ca_certs' for more information on setting "
506
ssl_sock = ssl.wrap_socket(self.sock, self.key_file, self.cert_file,
507
cert_reqs=cert_reqs, ca_certs=ca_certs)
508
except ssl.SSLError, e:
511
"See `bzr help ssl.ca_certs` for how to specify trusted CA"
513
"Pass -Ossl.cert_reqs=none to disable certificate "
514
"verification entirely.\n")
516
if cert_reqs == ssl.CERT_REQUIRED:
517
peer_cert = ssl_sock.getpeercert()
518
match_hostname(peer_cert, host)
349
520
# Wrap the ssl socket before anybody use it
350
521
self._wrap_socket_for_reporting(ssl_sock)
660
833
% (request, request.connection.sock.getsockname())
661
834
response = connection.getresponse()
662
835
convert_to_addinfourl = True
836
except (ssl.SSLError, errors.CertificateError):
837
# Something is wrong with either the certificate or the hostname,
838
# re-trying won't help
663
840
except (socket.gaierror, httplib.BadStatusLine, httplib.UnknownProtocol,
664
841
socket.error, httplib.HTTPException):
665
842
response = self.retry_or_raise(http_class, request, first_try)