[bitbake-devel] [bitbake][PATCH] fetcher/svn : Warning on SSL verifaction failure

Zoltan Kuscsik zoltan.kuscsik at linaro.org
Fri Nov 20 05:37:34 UTC 2015


OE core appends --trust-server-cert argument to
the svn command by default.  This change adds a
warning on invalid SSL server certificate.

We use wget to verify the certificate, as it
is more reliable than Python methods for SSL certificate
checks.
---
 lib/bb/fetch2/svn.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lib/bb/fetch2/svn.py b/lib/bb/fetch2/svn.py
index 1733c2b..d3a7cac 100644
--- a/lib/bb/fetch2/svn.py
+++ b/lib/bb/fetch2/svn.py
@@ -28,6 +28,7 @@ import sys
 import logging
 import bb
 import re
+import subprocess
 from   bb import data
 from   bb.fetch2 import FetchMethod
 from   bb.fetch2 import FetchError
@@ -173,6 +174,20 @@ class Svn(FetchMethod):
         """
         bb.fetch2.check_network_access(d, self._buildsvncommand(ud, d, "log1"))
 
+        if(ud.parm.get('protocol', 'svn') == 'https'):
+            svn_url = "https://%s%s" % (ud.host, ud.path)
+            try:
+                # Use wget to check the SSL certificate.
+                # The --spider argument ensures that we don't actually
+                # download anything.
+                wget_ssl_check_command = " wget --spider --timeout=30 %s" % svn_url
+                (output, errors) = bb.process.run(wget_ssl_check_command , shell=True, stderr=subprocess.PIPE)
+            except  bb.process.ExecutionError as e:
+                # wget returns 5 exit code on SSL verification failure
+                if(e.exitcode == 5):
+                    logger.warning("SVN repository %s has invalid SSL certificate." % svn_url)
+
+
         output = runfetchcmd("LANG=C LC_ALL=C " + self._buildsvncommand(ud, d, "log1"), d, True)
 
         # skip the first line, as per output of svn log
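Review bot: `svn_url` is interpolated unquoted into a command string that runs with `shell=True`, so any shell metacharacters in `ud.host` or `ud.path` (both taken from the recipe's URL) would be interpreted by the shell. Passing an argument list avoids the shell entirely, e.g. `bb.process.run(["wget", "--spider", "--timeout=30", svn_url], stderr=subprocess.PIPE)`; if bb.process.run reports a missing wget binary with an exception other than ExecutionError, the except clause would need to cover that too. The check is also advisory only: the except branch acts on exit code 5 and silently drops every other failure, and the svn command that follows opens its own connection, which per the commit message runs with --trust-server-cert, so a clean probe says nothing about that session. A comment such as `# Advisory only: svn itself still accepts the server certificate` above the block would keep readers from treating it as enforcement. The enclosing method starts before this hunk and continues past it.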
-- 
1.9.1



