Closed Bug 1190869 Opened 10 years ago Closed 10 years ago

Update instructions on bzr.bugzilla.org to not check SSL certs

Categories

(Bugzilla :: bugzilla.org, defect)

RESOLVED FIXED

People

(Reporter: gerv, Assigned: wicked)

Details

The command on the front page of https://bzr.bugzilla.org/ to switch bzr servers needs augmenting with "-Ossl.cert_reqs=none", due to the fact that bzr does not support SSL SNI (see bug 1155525). Gerv
The task required here is precisely: edit the "bzr pull" and "bzr switch" commands to instead begin:

bzr -Ossl.cert_reqs=none pull

and

bzr -Ossl.cert_reqs=none switch

This turns off cert checking, because bzr doesn't support SNI, which this server is using, so the cert check fails. wicked said that if I gave precise instructions, he can update this. :-)

Gerv
Assignee: website → wicked
That option seems to be not supported:

bzr: ERROR: unknown command "-Ossl.cert_reqs=none"

Also, if it's given after the command:

bzr: ERROR: no such option: -O

This is with Bazaar (bzr) 2.1.1, which is the latest available on RHEL6.
Status: NEW → ASSIGNED
Flags: needinfo?(gerv)
The switch doesn't work with bzr 2.3.3 either, that's available for RHEL5 via rpmforge.
Support for the new ssl.cert_reqs setting has been added in bzr 2.5.0, released on Feb 24, 2012. http://doc.bazaar.canonical.com/beta/en/whats-new/whats-new-in-2.5.html#ssl-certificate-verification-support-in-urllib-https-backend
So that means versions of bzr older than 2.5.0 won't work with this server at all, because they don't support SNI, and don't support turning SSL checking off. (Unless there's another command-line parameter which does the same thing?)

So we either need to move the BZR server to its own VM and not use SNI, or we need to tell people that they will need to temporarily install a newer copy of bzr in order to migrate to git, or they can use the bzr-less method of upgrading. I guess the latter two options are preferable; we aren't going to put a lot of work into maintaining the bzr server.

So, the updated instructions are: edit the "bzr pull" and "bzr switch" commands to instead begin:

bzr -Ossl.cert_reqs=none pull

and

bzr -Ossl.cert_reqs=none switch

Add a note somewhere on the page saying "You will need to be using bzr version 2.5.0 or later in order to talk to this server."

Gerv
Flags: needinfo?(gerv)
(In reply to Gervase Markham [:gerv] from comment #5)
> So we either need to move the BZR server to its own VM and not use SNI, or

We could use virtual hosts to set the host to match but we'd need a new cert for the bzr server. Is that something we could do, justdave, or is it too expensive? Or maybe just disable SSL as it's not really that useful anyway for this service, IMHO.

> we need to tell people that they will need to temporarily install a newer
> copy of bzr in order to migrate to git, or they can use the bzr-less method

Installing a newer bzr version is not that simple and in some environments it's simply impossible.
Flags: needinfo?(justdave)
To be honest, the bzr server is ULTRAAAAAA slow. It's a royal pain to do a checkout from it. Do not waste your time on it. If you don't have bzr 2.5.0 or newer, then move to git. 4.2 is almost EOL, and I heard that this bzr server will go away once 4.4 reaches EOL. So we are talking about months only. Is it worth paying $dollars$ for a few months only?
(In reply to Teemu Mannermaa (:wicked) from comment #6)
> Installing a newer bzr version is not that simple and in some environments
> it's simply impossible.

I'm sure it's possible to install a local copy or a statically-linked binary. But fundamentally, you are trying to get this to work just for a single operation ("bzr diff") that some installs won't need anyway if they haven't got customizations.

As I said, we are not spending money or time on this server. We should fix the instructions as best we can.

Gerv
From my experimenting back when we first set this up, versions of bzr prior to 2.5.0 that we could find at the time did *not* do certificate checking and had no way to enable it. Versions newer than 2.5.0 both did certificate checking and supported SNI. The directions that are currently there were made the way they are on that assumption. From what I could tell the strict certificate checks got added at the same time as SNI support did. Did one of the distros backport the certificate checking without the SNI to go with it or something? Anyways, yes, this isn't worth spending money on a new cert for. Let's just fix the instructions to match what people are running into.
Flags: needinfo?(justdave)
OK :-) New text, then:

"If you get a certificate error about a hostname mismatch, then try adding "-Ossl.cert_reqs=none" directly after "bzr" in the command. If this option is rejected as not supported, then you will need to use a newer version of bzr to access the server."

Gerv
(In reply to Gervase Markham [:gerv] from comment #10)
> is rejected as not supported, then you will need to use a newer version of
> bzr to access the server.

I still think updating bzr is way too hard but you mentioned we have some alternate steps one can use? One that doesn't depend on accessing a bzr server? Where are those so we can point users to them instead of fighting with bzr?
Flags: needinfo?(gerv)
Meanwhile, I've added a note about this option to the list on the bzr.b.o index page.
This will do. Gerv
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(gerv)
Resolution: --- → FIXED
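
The version rule the thread settles on (the ssl.cert_reqs setting exists from bzr 2.5.0, and the option goes directly after "bzr"), sketched as a pre-flight check. This is an added example, not part of the bug or of the bzr.bugzilla.org instructions. The function names are hypothetical, and the banner format "Bazaar (bzr) X.Y.Z" is assumed from the version string quoted in the thread.

```shell
#!/bin/sh
# Added example: decide whether a bzr build accepts -Ossl.cert_reqs=none.
# Assumption: the first line of `bzr --version` looks like "Bazaar (bzr) 2.1.1".

MIN_VERSION="2.5.0"   # first release with ssl.cert_reqs, per the thread

# Extract "X.Y.Z" from a version banner; prints nothing if unrecognised.
bzr_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^Bazaar (bzr) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2 (numeric compare of three fields).
version_ge() {
    a="$1.0.0"; b="$2.0.0"          # pad so fields 1-3 always exist
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Print the command prefix for a banner. Returns 1 when the option would be
# rejected (bzr too old), 2 when the banner cannot be parsed.
bzr_prefix_for() {
    v=$(bzr_version_from_banner "$1")
    [ -n "$v" ] || return 2
    if version_ge "$v" "$MIN_VERSION"; then
        printf 'bzr -Ossl.cert_reqs=none\n'
    else
        return 1
    fi
}

# Constructed sample banners: the two versions reported in the thread, plus 2.5.0.
for banner in 'Bazaar (bzr) 2.1.1' 'Bazaar (bzr) 2.3.3' 'Bazaar (bzr) 2.5.0'; do
    if prefix=$(bzr_prefix_for "$banner"); then
        echo "$banner: use '$prefix pull' / '$prefix switch'"
    else
        echo "$banner: option not supported, a newer bzr is needed"
    fi
done
```

To check an installed client, pass the first line of `bzr --version` to `bzr_prefix_for` in place of the constructed banners.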