~bzr-pqm/bzr/bzr.dev


Viewing changes to bzrlib/transport/http/_urllib2_wrappers.py

  • Committer: Vincent Ladeuil
  • Date: 2016-01-31 12:55:31 UTC
  • mto: This revision was merged to the branch mainline in revision 6614.
  • Revision ID: v.ladeuil+lp@free.fr-20160131125531-5magd1q1njwkal3a
Help python2.6 compatibility.

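--- a/bzrlib/transport/http/_urllib2_wrappers.py
+++ b/bzrlib/transport/http/_urllib2_wrappers.py
@@ -56,6 +56,7 @@
 import urllib2
 import urlparse
 import re
+import ssl
 import sys
 import time
 
@@ -70,23 +71,33 @@
     transport,
     ui,
     urlutils,
-    )
-lazy_import.lazy_import(globals(), """
-import ssl
-""")
+)
+
+try:
+    _ = (ssl.match_hostname, ssl.CertificateError)
+except AttributeError:
+    # Provide fallbacks for python < 2.7.9
+    def match_hostname(cert, host):
+        trace.warning(
+            '%s cannot be verified, https certificates verification is only'
+            ' available for python versions >= 2.7.9' % (host,))
+    ssl.match_hostname = match_hostname
+    ssl.CertificateError = ValueError
 
 
 # Note for packagers: if there is no package providing certs for your platform,
 # the curl project produces http://curl.haxx.se/ca/cacert.pem weekly.
 _ssl_ca_certs_known_locations = [
-    u'/etc/ssl/certs/ca-certificates.crt', # Ubuntu/debian/gentoo
-    u'/etc/pki/tls/certs/ca-bundle.crt', # Fedora/CentOS/RH
-    u'/etc/ssl/ca-bundle.pem', # OpenSuse
-    u'/etc/ssl/cert.pem', # OpenSuse
-    u"/usr/local/share/certs/ca-root-nss.crt", # FreeBSD
+    u'/etc/ssl/certs/ca-certificates.crt',  # Ubuntu/debian/gentoo
+    u'/etc/pki/tls/certs/ca-bundle.crt',  # Fedora/CentOS/RH
+    u'/etc/ssl/ca-bundle.pem',  # OpenSuse
+    u'/etc/ssl/cert.pem',  # OpenSuse
+    u"/usr/local/share/certs/ca-root-nss.crt",  # FreeBSD
     # XXX: Needs checking, can't trust the interweb ;) -- vila 2012-01-25
-    u'/etc/openssl/certs/ca-certificates.crt', # Solaris
-    ]
+    u'/etc/openssl/certs/ca-certificates.crt',  # Solaris
+]
+
+
 def default_ca_certs():
     if sys.platform == 'win32':
         return os.path.join(os.path.dirname(sys.executable), u"cacert.pem")
@@ -115,13 +126,12 @@
 def cert_reqs_from_store(unicode_str):
     import ssl
     try:
-        return {
-            "required": ssl.CERT_REQUIRED,
-            "none": ssl.CERT_NONE
-            }[unicode_str]
+        return {"required": ssl.CERT_REQUIRED,
+                "none": ssl.CERT_NONE}[unicode_str]
     except KeyError:
         raise ValueError("invalid value %s" % unicode_str)
 
+
 def default_ca_reqs():
     if sys.platform in ('win32', 'darwin'):
         # FIXME: Once we get a native access to root certificates there, this
@@ -131,10 +141,10 @@
         return u'required'
 
 opt_ssl_ca_certs = config.Option('ssl.ca_certs',
-        from_unicode=ca_certs_from_store,
-        default=default_ca_certs,
-        invalid='warning',
-        help="""\
+                                 from_unicode=ca_certs_from_store,
+                                 default=default_ca_certs,
+                                 invalid='warning',
+                                 help="""\
 Path to certification authority certificates to trust.
 
 This should be a valid path to a bundle containing all root Certificate
@@ -144,10 +154,10 @@
 """)
 
 opt_ssl_cert_reqs = config.Option('ssl.cert_reqs',
-        default=default_ca_reqs,
-        from_unicode=cert_reqs_from_store,
-        invalid='error',
-        help="""\
+                                  default=default_ca_reqs,
+                                  from_unicode=cert_reqs_from_store,
+                                  invalid='error',
+                                  help="""\
 Whether to require a certificate from the remote side. (default:required)
 
 Possible values:
@@ -441,9 +451,10 @@
                     "'bzr help ssl.ca_certs' for more information on setting "
                     "trusted CAs.")
         try:
-            ssl_sock = ssl.wrap_socket(self.sock, self.key_file, self.cert_file,
+            ssl_sock = ssl.wrap_socket(
+                self.sock, self.key_file, self.cert_file,
                 cert_reqs=cert_reqs, ca_certs=ca_certs)
-        except ssl.SSLError, e:
+        except ssl.SSLError:
             trace.note(
                 "\n"
                 "See `bzr help ssl.ca_certs` for how to specify trusted CA"
@@ -452,14 +463,8 @@
                 "verification entirely.\n")
             raise
         if cert_reqs == ssl.CERT_REQUIRED:
-            if sys.version_info < (2, 7, 9):
-                # python2.6 doesn't provide ssl.match_hostname
-                trace.warning(
-                    'https certificates verification is only available for'
-                    ' python versions >= 2.7.9')
-            else:
-                peer_cert = ssl_sock.getpeercert()
-                ssl.match_hostname(peer_cert, host)
+            peer_cert = ssl_sock.getpeercert()
+            ssl.match_hostname(peer_cert, host)
 
         # Wrap the ssl socket before anybody use it
         self._wrap_socket_for_reporting(ssl_sock)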
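Review bot: The fallback in the new `except AttributeError:` branch writes a no-op onto the shared module (`ssl.match_hostname = match_hostname`, `ssl.CertificateError = ValueError`), so on Python < 2.7.9 any other code in the process that probes `ssl` for these names finds them present and gets a check that only logs a warning and never rejects a certificate. Keeping the shim private to this module avoids that, for example `_match_hostname = getattr(ssl, 'match_hostname', _warn_unverified_host)` at import time (with the fallback function renamed accordingly) and `_match_hostname(peer_cert, host)` under `if cert_reqs == ssl.CERT_REQUIRED:`. As before this change, with `ssl.cert_reqs=required` the connection still proceeds on those interpreters with the peer's host name unchecked, so a comment on the fallback stating that it fails open would help the next reader. The method containing the `wrap_socket` call starts outside the visible hunks.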