[PATCH 3 of 9] sslutil: store flag for whether cert verification is disabled
Gregory Szorc
gregory.szorc at gmail.com
Mon May 30 23:03:05 UTC 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1464632431 25200
# Mon May 30 11:20:31 2016 -0700
# Node ID 8730f180323ced5448291e00bd9f996b2b1457ea
# Parent f605df24d053f88dd506ce75471350a2d7753d4a
sslutil: store flag for whether cert verification is disabled
This patch effectively moves the ui.insecureconnections check to
_hostsettings(). After this patch, validatesocket() no longer uses the
ui instance for anything except writing messages.
This patch also enables us to introduce a per-host config option
for disabling certificate verification.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -112,16 +112,18 @@ def _hostsettings(ui, hostname):
Returns a dict of settings relevant to that hostname.
"""
s = {
# List of 2-tuple of (hash algorithm, hash).
'certfingerprints': [],
# Path to file containing concatenated CA certs. Used by
# SSLContext.load_verify_locations().
'cafile': None,
+ # Whether certificate verification should be disabled.
+ 'disablecertverification': False,
# Whether the legacy [hostfingerprints] section has data for this host.
'legacyfingerprint': False,
# ssl.CERT_* constant used by SSLContext.verify_mode.
'verifymode': None,
}
# Look for fingerprints in [hostsecurity] section. Value is a list
# of <alg>:<fingerprint> strings.
@@ -146,16 +148,17 @@ def _hostsettings(ui, hostname):
# If a host cert fingerprint is defined, it is the only thing that
# matters. No need to validate CA certs.
if s['certfingerprints']:
s['verifymode'] = ssl.CERT_NONE
# If --insecure is used, don't take CAs into consideration.
elif ui.insecureconnections:
+ s['disablecertverification'] = True
s['verifymode'] = ssl.CERT_NONE
# Try to hook up CA certificate validation unless something above
# makes it not necessary.
if s['verifymode'] is None:
# Find global certificates file in config.
cafile = ui.config('web', 'cacerts')
@@ -367,23 +370,23 @@ def validatesocket(sock):
if not fingerprintmatch:
raise error.Abort(_('certificate for %s has unexpected '
'fingerprint %s') % (host, nicefingerprint),
hint=_('check %s configuration') % section)
ui.debug('%s certificate matched fingerprint %s\n' %
(host, nicefingerprint))
return
- # If insecure connections were explicitly requested via --insecure,
- # print a warning and do no verification.
+ # If insecure connections were explicitly requested, print a warning
+ # and do no verification.
#
# It may seem odd that this is checked *after* host fingerprint pinning.
# This is for backwards compatibility (for now). The message is also
# the same as below for BC.
- if ui.insecureconnections:
+ if settings['disablecertverification']:
ui.warn(_('warning: %s certificate with fingerprint %s not '
'verified (check %s or web.cacerts '
'config setting)\n') %
(host, nicefingerprint, section))
return
if not sock._hgstate['caloaded']:
ui.warn(_('warning: %s certificate with fingerprint %s '
More information about the Mercurial-devel
mailing list