authorIan Jackson <ijackson@chiark.greenend.org.uk>2019-07-23 16:22:19 +0100
committerIan Jackson <ijackson@chiark.greenend.org.uk>2019-07-23 16:22:19 +0100
commita1ecf6c5a6d87ed85f89a63c8ed2c591f496a3c4 (patch)
treeba3450fa2418e26681eab181638be23c2f3130bf
parent92e5cb8a90df986f05a2e9c5435d068486320d7a (diff)
dgit: Drop support for old attempts at cert/key pinning
I don't think anyone is using these. We are going to do something different to try to fix #932570. When #790093 is fixed we may need something like archive-query-tls-key (or even exactly that) but we would have to reimplement it for WWW::Curl anyway. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
-rwxr-xr-xdgit24
1 files changed, 4 insertions, 20 deletions
diff --git a/dgit b/dgit
index ca6fe56..00f86c6 100755
--- a/dgit
+++ b/dgit
@@ -1197,27 +1197,11 @@ sub archive_api_query_cmd ($) {
my @cmd = (@curl, qw(-sS));
my $url = access_cfg('archive-query-url');
if ($url =~ m#^https://([-.0-9a-z]+)/#) {
- my $host = $1;
- my $keys = access_cfg('archive-query-tls-key','RETURN-UNDEF') //'';
- foreach my $key (split /\:/, $keys) {
- $key =~ s/\%HOST\%/$host/g;
- if (!stat $key) {
- fail "for $url: stat $key: $!" unless $!==ENOENT;
- next;
- }
- fail f_ "config requested specific TLS key but do not know".
- " how to get curl to use exactly that EE key (%s)",
- $key;
-# push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
-# # Sadly the above line does not work because of changes
-# # to gnutls. The real fix for #790093 may involve
-# # new curl options.
- last;
+ foreach my $k (qw(archive-query-tls-key
+ archive-query-tls-curl-ca-args)) {
+ fail "config option $k is obsolete and no longer supported"
+ if defined access_cfg($k, 'RETURN-UNDEF');
}
- # Fixing #790093 properly will involve providing a value
- # for this on clients.
- my $kargs = access_cfg('archive-query-tls-curl-ca-args','RETURN-UNDEF');
- push @cmd, split / /, $kargs if defined $kargs;
}
push @cmd, $url.$subpath;
return @cmd;
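Review bot: The obsolete-option check sits inside `if ($url =~ m#^https://([-.0-9a-z]+)/#)`, so it only fires when archive-query-url matches that pattern; a URL with an explicit port, uppercase host characters or a non-https scheme skips the block, and a configured `archive-query-tls-key` or `archive-query-tls-curl-ca-args` is then ignored without any message. Since the new `fail` appears intended to stop a user from assuming pinning is still in effect, the `foreach my $k (...)` loop would be safer placed before the `if`, so the query fails closed whatever the URL looks like. With the loop hoisted, the `if` has an empty body and an unused capture group and can be dropped. The body of archive_api_query_cmd begins and ends outside this hunk.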