From a1ecf6c5a6d87ed85f89a63c8ed2c591f496a3c4 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Tue, 23 Jul 2019 16:22:19 +0100
Subject: [PATCH] dgit: Drop support for old attempts at cert/key pinning

I don't think anyone is using these. We are going to do something different to try fo fix #932570.

When #790093 is fixed we may need something like archive-query-tls-key (or even exactly that) but we would have to reimplement it for WWW::Curl anyway.

Signed-off-by: Ian Jackson
---
 dgit | 24 ++++--------------------
 1 file changed, 4 insertions(+), 20 deletions(-)

diff --git a/dgit b/dgit
index ca6fe56a..00f86c66 100755
--- a/dgit
+++ b/dgit
@@ -1197,27 +1197,11 @@ sub archive_api_query_cmd ($) {
     my @cmd = (@curl, qw(-sS));
     my $url = access_cfg('archive-query-url');
     if ($url =~ m#^https://([-.0-9a-z]+)/#) {
-        my $host = $1;
-        my $keys = access_cfg('archive-query-tls-key','RETURN-UNDEF') //'';
-        foreach my $key (split /\:/, $keys) {
-            $key =~ s/\%HOST\%/$host/g;
-            if (!stat $key) {
-                fail "for $url: stat $key: $!" unless $!==ENOENT;
-                next;
-            }
-            fail f_ "config requested specific TLS key but do not know".
-                " how to get curl to use exactly that EE key (%s)",
-                $key;
-#           push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
-#           # Sadly the above line does not work because of changes
-#           # to gnutls. The real fix for #790093 may involve
-#           # new curl options.
-            last;
+        foreach my $k (qw(archive-query-tls-key
+                          archive-query-tls-curl-ca-args)) {
+            fail "config option $k is obsolete and no longer supported"
+                if defined access_cfg($k, 'RETURN-UNDEF');
         }
-        # Fixing #790093 properly will involve providing a value
-        # for this on clients.
-        my $kargs = access_cfg('archive-query-tls-curl-ca-args','RETURN-UNDEF');
-        push @cmd, split / /, $kargs if defined $kargs;
     }
     push @cmd, $url.$subpath;
     return @cmd;
-- 
2.30.2
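Review bot: The rejection of the obsolete options only runs inside the `if ($url =~ m#^https://([-.0-9a-z]+)/#)` branch, so a configuration that still sets `archive-query-tls-key` or `archive-query-tls-curl-ca-args` is silently accepted whenever `archive-query-url` does not match that pattern — plain `http://`, a host with a port suffix, or uppercase letters in the hostname, none of which the character class admits. Since the new loop no longer reads `$url` or `$1`, I would hoist the four-line `foreach` above the `if` and delete the then-empty `if` block, so stale pinning configuration is always reported regardless of URL shape. With `my $host = $1` gone the capture group in that regex is also unused; if the `if` is kept, `m#^https://[-.0-9a-z]+/#` states what is actually being tested. The message could follow the removed code's `fail f_ "...", $key` form as `fail f_ "config option %s is obsolete and no longer supported", $k;` if errors in this file are translated, though the existing `fail "for $url: ..."` suggests usage is mixed, so this is a consistency nit. The `sub archive_api_query_cmd` opening line and its closing brace lie outside the hunk.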