# HG changeset patch
# User Gregory Szorc
# Date 1464632431 25200
# Node ID fbccb334efe7ed8fdde9774c6374345c871ebe04
# Parent a05a91a3f120946fcd330b117d3b7e87efcf7fb4
sslutil: store flag for whether cert verification is disabled
This patch effectively moves the ui.insecureconnections check to _hostsettings(). After this patch, validatesocket() no longer uses the ui instance for anything except writing messages. This patch also enables us to introduce a per-host config option for disabling certificate verification.
diff -r a05a91a3f120 -r fbccb334efe7 mercurial/sslutil.py
--- a/mercurial/sslutil.py Mon May 30 11:19:43 2016 -0700
+++ b/mercurial/sslutil.py Mon May 30 11:20:31 2016 -0700
@@ -117,6 +117,8 @@
 # Path to file containing concatenated CA certs. Used by
 # SSLContext.load_verify_locations().
 'cafile': None,
+ # Whether certificate verification should be disabled.
+ 'disablecertverification': False,
 # Whether the legacy [hostfingerprints] section has data for this host.
 'legacyfingerprint': False,
 # ssl.CERT_* constant used by SSLContext.verify_mode.
@@ -151,6 +153,7 @@
 # If --insecure is used, don't take CAs into consideration.
 elif ui.insecureconnections:
+ s['disablecertverification'] = True
 s['verifymode'] = ssl.CERT_NONE
 # Try to hook up CA certificate validation unless something above
@@ -372,13 +375,13 @@
 (host, nicefingerprint))
 return
- # If insecure connections were explicitly requested via --insecure,
- # print a warning and do no verification.
+ # If insecure connections were explicitly requested, print a warning
+ # and do no verification.
 #
 # It may seem odd that this is checked *after* host fingerprint pinning.
 # This is for backwards compatibility (for now). The message is also
 # the same as below for BC.
- if ui.insecureconnections:
+ if settings['disablecertverification']:
 ui.warn(_('warning: %s certificate with fingerprint %s not '
 'verified (check %s or web.cacerts '
 'config setting)\n') %
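Review bot: The comment on the new `'disablecertverification'` default (first hunk) does not say that the key is coupled to `verifymode` or that it fails open. The second hunk sets both values together in the `--insecure` branch, and the third hunk's branch on this flag prints a warning and, per its comment, does no verification. Since the commit message anticipates a per-host option writing this key, I would state the invariant where the key is declared, e.g. `# Whether certificate verification should be disabled. When True, validatesocket() only warns; keep in sync with verifymode (ssl.CERT_NONE).` The defaults dict and the rest of `_hostsettings()` lie outside these hunks, so other writers of the key cannot be ruled out from here.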
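Review bot: `if settings['disablecertverification']:` in the third hunk is a plain truthiness test on the one value that turns verification off, so any non-empty value stored under that key skips verification. The only writer visible in this patch is `s['disablecertverification'] = True`, but the per-host option mentioned in the commit message should be read with `ui.configbool` so that a string such as `'false'` cannot disable verification; `if settings['disablecertverification'] is True:` would make the expectation explicit at the point of use. The retained warning text still points the user at `web.cacerts`, which will not explain a per-host disable once that option exists. The body of `validatesocket()` continues outside the hunk.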