From 93e3c62b99832d7643eb82f2ad0ae58b0c8b1fe2 Mon Sep 17 00:00:00 2001
From: John Ralls <jralls@ceridwen.us>
Date: Sun, 27 Sep 2015 12:19:44 -0700
Subject: [PATCH] Bug 8897 - Can not download new or updated add-ons

Apple provides a hacked OpenSSL that checks Keychain for certs after failing
to find them elsewhere (and normally there is no elsewhere). The versions
provided for OS X versions < 10.8 are obsolete, preventing building
osm-gps-maps's dependencies, so we provide our own but it can't be similarly
hacked to use Keychain because that is a private API to which Apple doesn't
provide headers.

This is at root a Python problem, see https://bugs.python.org/issue17128

To work around it, disable certificate verification for this one URL for
macs only. This does create the small security risk of a MITM attack injecting
malicious add-ons, but since the URL is user-editable a phishing attack is
more likely and there's nothing that SSL can do about that.
---
 gramps/gen/plug/utils.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/gramps/gen/plug/utils.py b/gramps/gen/plug/utils.py
index b1edff39c..0b704e4bf 100644
--- a/gramps/gen/plug/utils.py
+++ b/gramps/gen/plug/utils.py
@@ -53,7 +53,7 @@ from ..utils.configmanager import safe_eval
 from ..config import config
 from ..const import GRAMPS_LOCALE as glocale
 _ = glocale.translation.sgettext
-from ..constfunc import conv_to_unicode
+from ..constfunc import conv_to_unicode, mac
 
 #-------------------------------------------------------------------------
 #
@@ -176,6 +176,12 @@ class Zipfile(object):
 def available_updates():
     whattypes = config.get('behavior.check-for-update-types')
     from urllib.request import urlopen
+    if mac():
+        from ssl import create_default_context, CERT_NONE
+        context = create_default_context()
+        context.check_hostname = False
+        context.verify_mode = CERT_NONE
+
     LOG.debug("Checking for updated addons...")
     langs = glocale.get_language_list()
     langs.append("en")
@@ -186,12 +192,12 @@ def available_updates():
                (config.get("behavior.addons-url"), lang))
         LOG.debug("   trying: %s" % URL)
         try:
-            fp = urlopen(URL, timeout=10) # seconds
+            fp = urlopen(URL, timeout=10, context=context) # seconds
         except:
             try:
                 URL = ("%s/listings/addons-%s.txt" %
                        (config.get("behavior.addons-url"), lang[:2]))
-                fp = urlopen(URL, timeout=10)
+                fp = urlopen(URL, timeout=10, context=context)
             except Exception as err: # some error
                 LOG.warning("Failed to open addon metadata for {lang} {url}: {err}".
 						format(lang=lang, url=URL, err=err))