Mercurial > hg-stable
comparison mercurial/sslutil.py @ 24290:b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
The next patch will enable verification by using the system's CA store if
possible, which means we would have to distinguish None (=use default) from
'' (=--insecure). This smells bug-prone and provides no way to override
web.cacerts to forcibly use the system's store by --config argument.
This patch changes the meaning of web.cacerts as follows:
value behavior
------- ---------------------------------------
None/'' use default
'!' never use CA certs (set by --insecure)
<path> verify by the specified CA certificates
Values other than <path> are for internal use and therefore undocumented.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Wed, 04 Mar 2015 23:27:04 +0900 |
| parents | 922e087ba158 |
| children | 760a86865f80 |
comparison
equal
deleted
inserted
replaced
| 24289:07fafcd4bc74 | 24290:b76d8c641746 |
|---|---|
| 132 def _defaultcacerts(): | 132 def _defaultcacerts(): |
| 133 if _plainapplepython(): | 133 if _plainapplepython(): |
| 134 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') | 134 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') |
| 135 if os.path.exists(dummycert): | 135 if os.path.exists(dummycert): |
| 136 return dummycert | 136 return dummycert |
| 137 return None | 137 return '!' |
| 138 | 138 |
| 139 def sslkwargs(ui, host): | 139 def sslkwargs(ui, host): |
| 140 kws = {} | 140 kws = {} |
| 141 hostfingerprint = ui.config('hostfingerprints', host) | 141 hostfingerprint = ui.config('hostfingerprints', host) |
| 142 if hostfingerprint: | 142 if hostfingerprint: |
| 143 return kws | 143 return kws |
| 144 cacerts = ui.config('web', 'cacerts') | 144 cacerts = ui.config('web', 'cacerts') |
| 145 if cacerts: | 145 if cacerts == '!': |
| 146 pass | |
| 147 elif cacerts: | |
| 146 cacerts = util.expandpath(cacerts) | 148 cacerts = util.expandpath(cacerts) |
| 147 if not os.path.exists(cacerts): | 149 if not os.path.exists(cacerts): |
| 148 raise util.Abort(_('could not find web.cacerts: %s') % cacerts) | 150 raise util.Abort(_('could not find web.cacerts: %s') % cacerts) |
| 149 elif cacerts is None: | 151 else: |
| 150 dummycert = _defaultcacerts() | 152 cacerts = _defaultcacerts() |
| 151 if dummycert: | 153 if cacerts and cacerts != '!': |
| 152 ui.debug('using %s to enable OS X system CA\n' % dummycert) | 154 ui.debug('using %s to enable OS X system CA\n' % cacerts) |
| 153 ui.setconfig('web', 'cacerts', dummycert, 'dummy') | 155 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts') |
| 154 cacerts = dummycert | 156 if cacerts != '!': |
| 155 if cacerts: | |
| 156 kws.update({'ca_certs': cacerts, | 157 kws.update({'ca_certs': cacerts, |
| 157 'cert_reqs': CERT_REQUIRED, | 158 'cert_reqs': CERT_REQUIRED, |
| 158 }) | 159 }) |
| 159 return kws | 160 return kws |
| 160 | 161 |
| 199 raise util.Abort(_('certificate for %s has unexpected ' | 200 raise util.Abort(_('certificate for %s has unexpected ' |
| 200 'fingerprint %s') % (host, nicefingerprint), | 201 'fingerprint %s') % (host, nicefingerprint), |
| 201 hint=_('check hostfingerprint configuration')) | 202 hint=_('check hostfingerprint configuration')) |
| 202 self.ui.debug('%s certificate matched fingerprint %s\n' % | 203 self.ui.debug('%s certificate matched fingerprint %s\n' % |
| 203 (host, nicefingerprint)) | 204 (host, nicefingerprint)) |
| 204 elif cacerts: | 205 elif cacerts != '!': |
| 205 msg = _verifycert(peercert2, host) | 206 msg = _verifycert(peercert2, host) |
| 206 if msg: | 207 if msg: |
| 207 raise util.Abort(_('%s certificate error: %s') % (host, msg), | 208 raise util.Abort(_('%s certificate error: %s') % (host, msg), |
| 208 hint=_('configure hostfingerprint %s or use ' | 209 hint=_('configure hostfingerprint %s or use ' |
| 209 '--insecure to connect insecurely') % | 210 '--insecure to connect insecurely') % |