url: verify correctness of https server certificates (issue2407) Pythons SSL module verifies that certificates received for HTTPS are valid according to the specified cacerts, but it doesn't verify that the certificate is for the host we connect to. We now explicitly verify that the commonName in the received certificate matches the requested hostname and is valid for the time being. This is a minimal patch where we try to fail to the safe side, but we do still rely on Python's SSL functionality and do not try to implement the standards fully and correctly. CRLs and subjectAltName are not handled and proxies haven't been considered. This change might break connections to some sites if cacerts is specified and the certificates (by our definition) isn't correct. The workaround is to disable cacerts which in most cases isn't much worse than it was before with cacerts.

#!/bin/sh

echo "[extensions]" >> $HGRCPATH
echo "mq=" >> $HGRCPATH

hg init a
cd a

echo 'base' > base
hg ci -Ambase -d '1 0'

hg qnew -d '1 0' a
hg qnew -d '1 0' b
hg qnew -d '1 0' c

hg qdel

hg qdel c
hg qpop
hg qdel c
hg qseries
ls .hg/patches
hg qpop
hg qdel -k 1
ls .hg/patches
hg qdel -r a
hg qapplied
hg log --template '{rev} {desc}\n'

hg qnew d
hg qnew e
hg qnew f

hg qdel -r e
hg qdel -r qbase:e
hg qapplied
hg log --template '{rev} {desc}\n'

cd ..
hg init b
cd b

echo 'base' > base
hg ci -Ambase -d '1 0'

hg qfinish
hg qfinish -a

hg qnew -d '1 0' a
hg qnew -d '1 0' b
hg qnew c # XXX fails to apply by /usr/bin/patch if we put a date

hg qfinish 0
hg qfinish b

hg qpop
hg qfinish -a c
hg qpush

hg qfinish qbase:b
hg qapplied
hg log --template '{rev} {desc}\n'

hg qfinish -a c
hg qapplied
hg log --template '{rev} {desc}\n'
ls .hg/patches