Mercurial > hg-stable
view tests/test-issue522.out @ 12592:f2937d6492c5 stable
url: verify correctness of https server certificates (issue2407)
Pythons SSL module verifies that certificates received for HTTPS are valid
according to the specified cacerts, but it doesn't verify that the certificate
is for the host we connect to.
We now explicitly verify that the commonName in the received certificate
matches the requested hostname and is valid for the time being.
This is a minimal patch where we try to fail to the safe side, but we do still
rely on Python's SSL functionality and do not try to implement the standards
fully and correctly. CRLs and subjectAltName are not handled and proxies
haven't been considered.
This change might break connections to some sites if cacerts is specified and
the certificates (by our definition) isn't correct. The workaround is to
disable cacerts which in most cases isn't much worse than it was before with
cacerts.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Fri, 01 Oct 2010 00:46:59 +0200 |
parents | db426935fa94 |
children |
line wrap: on
line source
reverting foo changeset 2:4d9e78aaceee backs out changeset 1:b515023e500e 1 files updated, 0 files merged, 0 files removed, 0 files unresolved searching for copies back to rev 1 unmatched files in local: bar resolving manifests overwrite None partial False ancestor bbd179dfa0a7 local 71766447bdbb+ remote 4d9e78aaceee foo: remote is newer -> g updating: foo 1/1 files (100.00%) getting foo 1 files updated, 0 files merged, 0 files removed, 0 files unresolved (branch merge, don't forget to commit) n 0 -2 unset foo M foo c6fc755d7e68f49f880599da29f15add41f42f5a 644 foo rev offset length base linkrev nodeid p1 p2 0 0 5 0 0 2ed2a3912a0b 000000000000 000000000000 1 5 9 1 1 6f4310b00b9a 2ed2a3912a0b 000000000000 2 14 5 2 2 c6fc755d7e68 6f4310b00b9a 000000000000