url: validity (notBefore/notAfter) is checked by OpenSSL (issue2407)
Removing the check from our code makes https with cacerts check work with
Python < 2.6.
--- a/mercurial/url.py Sun Oct 17 04:13:50 2010 +0200
+++ b/mercurial/url.py Sun Oct 17 04:14:06 2010 +0200
@@ -7,7 +7,7 @@
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
-import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO, time
+import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO
import __builtin__
from i18n import _
import keepalive, util
@@ -487,19 +487,13 @@
return keepalive.HTTPHandler._start_transaction(self, h, req)
def _verifycert(cert, hostname):
- '''Verify that cert (in socket.getpeercert() format) matches hostname and is
- valid at this time. CRLs and subjectAltName are not handled.
+ '''Verify that cert (in socket.getpeercert() format) matches hostname.
+ CRLs and subjectAltName are not handled.
Returns error message if any problems are found and None on success.
'''
if not cert:
return _('no certificate received')
- notafter = cert.get('notAfter')
- if notafter and time.time() > ssl.cert_time_to_seconds(notafter):
- return _('certificate expired %s') % notafter
- notbefore = cert.get('notBefore')
- if notbefore and time.time() < ssl.cert_time_to_seconds(notbefore):
- return _('certificate not valid before %s') % notbefore
dnsname = hostname.lower()
for s in cert.get('subject', []):
key, value = s[0]
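Review bot: The new docstring of `_verifycert` drops "valid at this time" but does not say who is now responsible for the notBefore/notAfter check, so a reader can assume a None result means the certificate is currently valid. OpenSSL enforces the validity period only when the connection was set up with chain verification, so the precondition belongs in the docstring, for example `Validity dates (notBefore/notAfter) are not checked here; the caller must have had OpenSSL verify the chain (cert_reqs=ssl.CERT_REQUIRED with ca_certs).` The callers are outside this hunk, so whether every path into `_verifycert` meets that precondition should be confirmed there. The function body also continues past the end of the hunk.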
--- a/tests/test-url.py Sun Oct 17 04:13:50 2010 +0200
+++ b/tests/test-url.py Sun Oct 17 04:14:06 2010 +0200
@@ -1,9 +1,5 @@
#!/usr/bin/env python
import sys
-try:
- import ssl
-except ImportError:
- sys.exit(80)
def check(a, b):
if a != b:
@@ -36,17 +32,7 @@
check(_verifycert(cert('*o'), 'foo'),
'certificate is for *o')
-import time
-lastyear = time.gmtime().tm_year - 1
-nextyear = time.gmtime().tm_year + 1
-check(_verifycert({'notAfter': 'May 9 00:00:00 %s GMT' % lastyear},
- 'example.com'),
- 'certificate expired May 9 00:00:00 %s GMT' % lastyear)
-check(_verifycert({'notBefore': 'May 9 00:00:00 %s GMT' % nextyear},
- 'example.com'),
- 'certificate not valid before May 9 00:00:00 %s GMT' % nextyear)
-check(_verifycert({'notAfter': 'Sep 29 15:29:48 %s GMT' % nextyear,
- 'subject': ()},
+check(_verifycert({'subject': ()},
'example.com'),
'no commonName found in certificate')
check(_verifycert(None, 'example.com'),
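Review bot: With the two expiry checks removed here, nothing visible in this test file pins that an expired or not-yet-valid certificate is rejected; that behaviour now rests entirely on the OpenSSL handshake. A short comment above the remaining checks would record this, for example `# notBefore/notAfter are enforced by OpenSSL during the handshake, not by _verifycert`. If the suite has an https test that uses cacerts, a case that presents an expired certificate and expects the connection to fail would keep the property under regression coverage.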