How can I disable SSL certificate for specific branch using .bzr/branch/branch.conf?

Asked by Ryo IGARASHI on 2012-02-22

From bzr package (Debian sid) 2.5.0~bzr6458-1, SSL certificate verification is ON by default.
I totally agree that this is a good change for security reason, and I don't want to turn it off system-wide.

However, one of my working repository (company private) does not have a good SSL certificate,
and I want to disable SSL certificate verification for this specific repository only.

I think this kind of branch-specific setting can be set by writing something .bzr/branch/branch.conf file
but could not find documentation about them. And "bzr help ssl.ca_certs" does not give enough information for me.

Is such option in branch.conf available? Or how can I disable SSL certificate verification temporally?

Question information

Language:
English Edit question
Status:
Answered
For:
Bazaar Edit question
Assignee:
No assignee Edit question
Last query:
2012-02-22
Last reply:
2012-02-22
Vincent Ladeuil (vila) said : #1

There are two options to control cert verification, ssl.ca_certs and ssl.ca_reqs.

The default value for ssl.ca_certs should be ok for debian and points to the relevant ca bundle.

You probably want to use ssl.ca_reqs for temporraily disabling verification.

So, here is the relevant code in bzrlib/transport/http/_urllib2_wrappers.py:

    def connect_to_origin(self):
        # FIXME JRV 2011-12-18: Use location config here?
        config_stack = config.GlobalStack()
        cert_reqs = config_stack.get('ssl.cert_reqs')

This means that, as of today, there is only two ways to override the default value for ssl.cert_reqs:
- set it to 'none' in ~/.bazaar/bazaar.conf
- use -Ossl.ca_reqs=none as a command-line parameter

The FIXME says that we may want to allow setting it in locations.conf but really the plan is to allow it in authentication.conf.

While locations.conf allows you to set options for a set of branches (including remote branches), authentication.conf is aimed at specifying options on a per-host or per-domain basis. Your use case perfectly fits this IMHO since you said: 'my working repository (company private) does not have a good SSL certificate,
and I want to disable SSL certificate verification for this specific repository only' which means a specific host or at worst a subtree of this host.

Additionnally authentication.conf should also support setting ssl.ca_certs to your host ssl certificate and a self-signed value for ssl.ca_reqs.

The relevant bug is https://bugs.launchpad.net/bzr/+bug/924220

If you want to track it: https://bugs.launchpad.net/bzr/+bug/924220/+affectsmetoo

Can you help with this problem?

Provide an answer of your own, or ask Ryo IGARASHI for more information if necessary.

To post a message you must log in.