From e60d4e6eeb29007768322603a939b287871458fa Mon Sep 17 00:00:00 2001
From: Thomas Leonard
Date: Fri, 16 Sep 2011 20:25:10 +0100
Subject: [PATCH] Added CA verification for Fedora and OpenSUSE systems too
Also, warn if certificates cannot be found.
Sources:
- http://mercurial.selenic.com/wiki/CACertificates
- http://snakecharmersbasket.com/weblog/mercurial-bitbucket-problems-on-opensuse/
---
 zeroinstall/injector/_download_child.py | 42 ++++++++++++++++++---------------
 1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/zeroinstall/injector/_download_child.py b/zeroinstall/injector/_download_child.py
index c58c79d..9d43a7e 100644
--- a/zeroinstall/injector/_download_child.py
+++ b/zeroinstall/injector/_download_child.py
@@ -8,30 +8,34 @@ from zeroinstall.injector import download
 import urllib2, httplib
-# This works on Debian. It probably needs to be updated to handle other platforms.
-ca_file = "/etc/ssl/certs/ca-certificates.crt"
+for ca_bundle in ["/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Arch Linux
+ "/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL
+ "/etc/ssl/ca-bundle.pem", # openSUSE/SLE (claimed)
+ "/var/lib/ca-certificates/ca-bundle.pem.new"]: # openSUSE (actual)
+ if os.path.exists(ca_bundle):
+ class ValidatingHTTPSConnection(httplib.HTTPSConnection):
+ def connect(self):
+ sock = socket.create_connection((self.host, self.port), self.timeout)
+ if self._tunnel_host:
+ self.sock = sock
+ self._tunnel()
+ self.sock = ssl.wrap_socket(sock, cert_reqs = ssl.CERT_REQUIRED, ca_certs = ca_bundle)
-if os.path.exists(ca_file):
- class ValidatingHTTPSConnection(httplib.HTTPSConnection):
- def connect(self):
- sock = socket.create_connection((self.host, self.port), self.timeout)
- if self._tunnel_host:
- self.sock = sock
- self._tunnel()
- self.sock = ssl.wrap_socket(sock, cert_reqs = ssl.CERT_REQUIRED, ca_certs = ca_file)
+ class ValidatingHTTPSHandler(urllib2.HTTPSHandler):
+ def https_open(self, req):
+ return self.do_open(self.getConnection, req)
- class ValidatingHTTPSHandler(urllib2.HTTPSHandler):
- def https_open(self, req):
- return self.do_open(self.getConnection, req)
+ def getConnection(self, host, timeout=300):
+ return ValidatingHTTPSConnection(host)
- def getConnection(self, host, timeout=300):
- return ValidatingHTTPSConnection(host)
+ urlopener = urllib2.build_opener(ValidatingHTTPSHandler)
- urlopener = urllib2.build_opener(ValidatingHTTPSHandler)
-
- # Builds an opener that overrides the default HTTPS handler with our one
- _my_urlopen = urllib2.build_opener(ValidatingHTTPSHandler()).open
+ # Builds an opener that overrides the default HTTPS handler with our one
+ _my_urlopen = urllib2.build_opener(ValidatingHTTPSHandler()).open
+ break
 else:
+ from logging import warn
+ warn("No root CA's found; security of HTTPS connections cannot be verified")
 _my_urlopen = urllib2.urlopen
 def download_in_thread(url, target_file, if_modified_since, notify_done):
-- 
2.11.4.GIT
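Review bot: The `connect` body of the `ValidatingHTTPSConnection` class now defined inside the `for` loop still only validates the chain: `ssl.wrap_socket(sock, cert_reqs = ssl.CERT_REQUIRED, ca_certs = ca_bundle)` checks that the peer certificate is signed by a CA in the bundle but never checks that it was issued for `self.host`, so a valid certificate for any name from any trusted CA is accepted for any host. This commit extends which systems get a trusted bundle without closing that gap; after wrapping, the result of `self.sock.getpeercert()` should be compared against `self.host` and the connection closed and refused on mismatch, as sketched below (the sketch matches exact names only; `ssl.match_hostname`, where the interpreter provides it, also handles wildcard entries and should be preferred). Two smaller points: the loop trusts the first path that exists, so on a system shipping more than one of these bundles the list order decides which one is used, which deserves a comment above the list; and `getConnection` discards its `timeout` argument instead of passing it to `ValidatingHTTPSConnection`, though that predates this change. `download_in_thread` continues outside the hunk.
```python
                self.sock = ssl.wrap_socket(sock, cert_reqs = ssl.CERT_REQUIRED, ca_certs = ca_bundle)
                # Chain validation alone accepts any CA-issued certificate;
                # also require that it names the host we connected to.
                cert = self.sock.getpeercert()
                names = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
                for rdn in cert.get('subject', ()):
                    for key, value in rdn:
                        if key == 'commonName':
                            names.append(value)
                if self.host.lower() not in [name.lower() for name in names]:
                    self.sock.close()
                    raise ssl.SSLError("certificate is for %s, not %s" % (', '.join(names), self.host))
```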