[PATCH 2 of 2] sslutil: Only emit debug log messages accessing https repo on python2.4+2.5
Matt Mackall
mpm at selenic.com
Tue Jun 14 20:07:49 UTC 2011
On Tue, 2011-06-14 at 12:24 +0200, Mads Kiilerich wrote:
> Thanks for updating the patches. The first one is fine, and this one is
> so clear that I can say that I don't agree:
>
> On 06/14/2011 05:32 AM, Stephen Thorne wrote:
> > # HG changeset patch
> > # User Stephen Thorne<stephen at thorne.id.au>
> > # Date 1308022297 -36000
> > # Node ID 95f9cf24a44654c375cf4a3940ada279b29cb087
> > # Parent 6a28d54139bdcc49820978ed0c292d8d8c19123f
> > sslutil: Only emit debug log messages accessing https repo on python2.4+2.5
> >
> > When accessing a https repository, a warning would be emitted telling the user
> > there was no hostfingerprint set in the configuration. If a hostfingerprint
> > was added to the http configuration then an Abort would happen every time
> > because socket.getpeercert() is not available and thus the fingerprint can't be
> > verified.
> >
> > The warning has been downgraded to an info on python2.4+2.5 and no longer
> > allows you to cause mercurial to simply Abort when you attempt to configure it
> > to verify the certificate.
>
> If Mercurial has been configured to check the fingerprint of the remote
> server but can't do it then it MUST abort - just like it will abort with
> "certificate checking requires Python 2.6" if web.cacerts has been
> configured.
Indeed, if people have configured a security feature, we need to fail
secure.
> > diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> > --- a/mercurial/sslutil.py
> > +++ b/mercurial/sslutil.py
> ...
> > - else: # python 2.5 ?
> > - if hostfingerprint:
> > - raise util.Abort(_('no certificate for %s with '
> > - 'configured hostfingerprint') % host)
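Review bot: the removed `raise util.Abort(...)` under `if hostfingerprint:` in the `else: # python 2.5 ?` branch is the only visible guard for the case where a fingerprint is configured but there is no certificate to compare it against. With that guard gone, a configured fingerprint would go unchecked and the connection would proceed anyway. Keep the `raise util.Abort` and change only its message so that it names the cause (per the commit message, `socket.getpeercert()` is not available) instead of 'no certificate for %s with configured hostfingerprint'. The replacement lines are elided in this quote, so confirm the new code still has a path that stops when `hostfingerprint` is set.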
>
> A simple solution could be to change this message to something like
> "configured hostfingerprint for %s can't be verified because of missing
> Python SSL capabilities" ... only shorter.
"host fingerprint for %s can't be verified (upgrade Python)"?
>
> > - self.ui.warn(_('warning: %s certificate not verified '
> > - '(check web.cacerts config setting)\n') %
> > - host)
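Review bot: removing the `self.ui.warn(...)` call takes away the signal a user sees at default verbosity that the certificate for `host` was not verified; the commit message says it becomes an info message on Python 2.4 and 2.5. Keep this at warn level and reword it instead: the hint '(check web.cacerts config setting)' is the part that misleads on those versions, so replace the hint with the actual reason verification is unavailable.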
>
> And this one could be "warning: %s certificate for %s can't be verified
> because of missing Python SSL capabilities".
>
> Would that solve the problem you see, or can you come up with something
> smarter?
>
> /Mads
--
Mathematics is the supreme nostalgia of our time.
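
The fail-secure rule argued for in this thread, as an added example that is not part of the original message and is not Mercurial's code: a configured fingerprint that cannot be checked stops the connection, while an unconfigured host only produces a warning. `check_host`, `fingerprint`, the `Abort` stand-in, the constructed `SAMPLE_CERT` bytes and the SHA-1-over-DER fingerprint format are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a DER-encoded peer certificate.
SAMPLE_CERT = b"constructed-der-certificate-bytes"


class Abort(Exception):
    """Hypothetical stand-in for Mercurial's util.Abort."""


def fingerprint(der):
    """Colon-separated SHA-1 hex digest of a DER certificate (assumed format)."""
    h = hashlib.sha1(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_host(host, peercert_der, hostfingerprint=None, warn=print):
    """Return "verified" or "unverified"; raise Abort on any failed check.

    peercert_der is None when the running Python cannot supply the peer
    certificate (the Python 2.4/2.5 case discussed in the thread).
    """
    if hostfingerprint:
        if peercert_der is None:
            # A security feature was configured but cannot be enforced:
            # stop here, never downgrade to a log message.
            raise Abort("host fingerprint for %s can't be verified "
                        "(upgrade Python)" % host)
        actual = fingerprint(peercert_der)
        wanted = hostfingerprint.strip().lower()
        if ":" not in wanted:
            # Accept the bare-hex form of a configured fingerprint as well.
            wanted = ":".join(wanted[i:i + 2] for i in range(0, len(wanted), 2))
        if not hmac.compare_digest(actual, wanted):
            raise Abort("invalid certificate for %s with fingerprint %s"
                        % (host, actual))
        return "verified"
    # Nothing was configured, so the connection may proceed, but the lack
    # of verification stays visible to the user.
    warn("warning: %s certificate not verified" % host)
    return "unverified"
```
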