On Tue, Jan 22, 2013 at 04:22:36PM +0100, Stefan Sperling wrote:
> A python script I use is failing to connect to a HTTPS site because
> the certificate was changed and the corresponding CA root cert isn't
> in the cert list shipped with py-httplib2. It works fine when the
> system list of CA certs is used instead.
>
> I think it's a good idea in general to make this use the system
> list of CA certs instead of a custom list.
>
> One fix would be to patch the code to read file from a different location.
> That would require adding two patch files, one for the python2 code
> and one for the python3 code.
>
> A smaller fix is to symlink httplib2's cacert file to /etc/ssl/cert.pem,
> which is what the diff below does. There's a warning during pkg_create
> because of the symlink but the warning is bogus:
> Warning: symlink(s) point to non-existent
> /usr/ports/pobj/py-httplib2-0.7.7/fake
> -amd64/etc/ssl/cert.pem
>
> /usr/ports/pobj/py-httplib2-0.7.7/fake-amd64/usr/local/lib/python2.7/sit
> e-packages/httplib2/cacerts.txt
>
> ok?
Sure, but you should use /etc/ssl/cert.pem and not BASESYSCONFDIR.
cert.pem is part of the base system and will always be under /etc/ssl
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/py-httplib2/Makefile,v
> retrieving revision 1.9
> diff -u -p -r1.9 Makefile
> --- Makefile 29 Dec 2012 18:28:49 -0000 1.9
> +++ Makefile 22 Jan 2013 15:15:50 -0000
> @@ -3,6 +3,7 @@
> COMMENT = Python HTTP client library
>
> MODPY_EGG_VERSION = 0.7.7
> +REVISION = 0
> DISTNAME = httplib2-${MODPY_EGG_VERSION}
> PKGNAME = py-${DISTNAME}
>
> @@ -31,6 +32,8 @@ post-install:
> ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/${MODPY_PY_PREFIX}httplib2
> ${INSTALL_DATA} ${WRKSRC}/README \
> ${PREFIX}/share/doc/${MODPY_PY_PREFIX}httplib2
> + ln -sf ${BASESYSCONFDIR}/ssl/cert.pem \
> +
> ${PREFIX}/lib/python${MODPY_VERSION}/site-packages/httplib2/cacerts.txt
>
> do-regress:
> ${MODPY_BIN} ${WRKSRC}/python${MODPY_MAJOR_VERSION}/httplib2test.py
>
--
Antoine
