Fix TLS certificate verification error when using an HTTP proxy #341
You probably want to merge this into 3.3 rather than main.
(I'm a little bit confused about the launchpad xmlrpc service, didn't we remove that?)
Hi Jelmer,
Sorry for the confusion. This fix resulted from an issue that I saw with brz 3.0.2 in Ubuntu 20.04 (to which I'm backporting some fixes from this upstream repository for other issues) while trying to run Since I wanted to verify that this issue is also affecting other non-Launchpad The mention of Launchpad here is not really relevant and was just to add some context, which I did not do properly. Sorry about that.
Sure. I will re-target this PR against the 3.3 branch. I checked the codebase to see if there are any tests covering this part of the codebase and as I did not find anything, I haven't added any tests here. Please let me know if you want me to try and add some tests as a prerequisite for merging this.
Before this fix, the proxy hostname was used in the comparison with the TLS certificate of the destination server and caused an error. This makes use of the `host` variable, which is already used in the same function for showing the user a warning in a specific case but not in the SSL socket that is created, in the socket. This issue was observed while running `bzr branch lp:ubuntu-archive-publishing` as an anonymous user through an HTTP(S) proxy and while running `bzr branch https://bzr.savannah.nongnu.org/r/records/trunk`. The former error was triggered by brz trying to connect to the Launchpad xmlrpc service which is available only over https whereas the latter was triggered directly because of the repository being available over https.
Since the same fix applies cleanly on top of the current 3.3 branch, I have re-targeted this PR to the 3.3 branch after cherry-picking this fix to my branch rebased on the 3.3 branch.
483535f to a6b374a
Before this fix, the proxy hostname was wrongly used in the comparison with the TLS certificate of the destination server and caused an error. This makes use of the `host` variable, which is already used in the same function for showing the user a warning in a specific case but not in the SSL socket that is created, in the SSL socket.
This issue was observed while running `bzr branch lp:ubuntu-archive-publishing` as an anonymous user through an HTTP(S) proxy and while running `bzr branch https://bzr.savannah.nongnu.org/r/records/trunk`. The former error was triggered by `brz` trying to connect to the Launchpad XML-RPC service, which is available only over HTTPS, whereas the latter was triggered directly because of the repository being available over HTTPS.
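The rule this fix restores, as an added example (not code from brz or from this PR): through an HTTP proxy the TCP peer is the proxy, but the name handed to the TLS layer for SNI and certificate matching must be the destination host. `plan_tunnel` and `client_hello` are hypothetical helpers, and the proxy URL is a constructed sample.

```python
import ssl
from urllib.parse import urlsplit


def plan_tunnel(dest_url, proxy_url):
    """Split an HTTPS-over-proxy request into its three distinct names.

    Returns (tcp_peer, connect_request, tls_name):
      tcp_peer        - where the TCP socket connects (the proxy)
      connect_request - what asks the proxy to open the tunnel
      tls_name        - the name the certificate must match (the destination)
    """
    dest, proxy = urlsplit(dest_url), urlsplit(proxy_url)
    dest_host, dest_port = dest.hostname, dest.port or 443
    tcp_peer = (proxy.hostname, proxy.port or 80)
    connect_request = (
        f"CONNECT {dest_host}:{dest_port} HTTP/1.1\r\n"
        f"Host: {dest_host}:{dest_port}\r\n\r\n"
    ).encode("ascii")
    return tcp_peer, connect_request, dest_host


def client_hello(tls_name):
    """Start a TLS handshake in memory; return (name to verify, ClientHello bytes)."""
    ctx = ssl.create_default_context()  # check_hostname is on by default
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=tls_name)
    try:
        tls.do_handshake()  # no peer attached, so this stops after the ClientHello
    except ssl.SSLWantReadError:
        pass
    return tls.server_hostname, outgoing.read()


if __name__ == "__main__":
    DEST = "https://bzr.savannah.nongnu.org/r/records/trunk"  # URL from the PR text
    PROXY = "http://proxy.example:3128"  # constructed sample proxy
    peer, request, name = plan_tunnel(DEST, PROXY)
    verified, hello = client_hello(name)
    print("TCP connect to:", peer)
    print("Tunnel request:", request.split(b"\r\n")[0].decode())
    print("Certificate checked against:", verified)
    print("SNI carries destination:", name.encode() in hello)
```

Passing the proxy's name to `client_hello` instead reproduces the failure mode described above: the destination's certificate would be compared with a name it was never issued for.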