Mercurial > hg-stable
changeset 24290:b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
The next patch will enable verification by using the system's CA store if
possible, which means we would have to distinguish None (=use default) from
'' (=--insecure). This smells bug-prone and provides no way to override
web.cacerts to forcibly use the system's store by --config argument.
This patch changes the meaning of web.cacerts as follows:
value behavior
------- ---------------------------------------
None/'' use default
'!' never use CA certs (set by --insecure)
<path> verify by the specified CA certificates
Values other than <path> are for internal use and therefore undocumented.
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Wed, 04 Mar 2015 23:27:04 +0900 |
parents | 07fafcd4bc74 |
children | 760a86865f80 |
files | mercurial/dispatch.py mercurial/hg.py mercurial/sslutil.py tests/hghave.py tests/test-https.t |
diffstat | 5 files changed, 18 insertions(+), 15 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/dispatch.py Wed Mar 04 22:41:48 2015 +0900 +++ b/mercurial/dispatch.py Wed Mar 04 23:27:04 2015 +0900 @@ -826,7 +826,7 @@ if cmdoptions.get('insecure', False): for ui_ in uis: - ui_.setconfig('web', 'cacerts', '', '--insecure') + ui_.setconfig('web', 'cacerts', '!', '--insecure') if options['version']: return commands.version_(ui)
--- a/mercurial/hg.py Wed Mar 04 22:41:48 2015 +0900 +++ b/mercurial/hg.py Wed Mar 04 23:27:04 2015 +0900 @@ -672,7 +672,9 @@ for key, val in src.configitems(sect): dst.setconfig(sect, key, val, 'copied') v = src.config('web', 'cacerts') - if v: + if v == '!': + dst.setconfig('web', 'cacerts', v, 'copied') + elif v: dst.setconfig('web', 'cacerts', util.expandpath(v), 'copied') return dst
--- a/mercurial/sslutil.py Wed Mar 04 22:41:48 2015 +0900 +++ b/mercurial/sslutil.py Wed Mar 04 23:27:04 2015 +0900 @@ -134,7 +134,7 @@ dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') if os.path.exists(dummycert): return dummycert - return None + return '!' def sslkwargs(ui, host): kws = {} @@ -142,17 +142,18 @@ if hostfingerprint: return kws cacerts = ui.config('web', 'cacerts') - if cacerts: + if cacerts == '!': + pass + elif cacerts: cacerts = util.expandpath(cacerts) if not os.path.exists(cacerts): raise util.Abort(_('could not find web.cacerts: %s') % cacerts) - elif cacerts is None: - dummycert = _defaultcacerts() - if dummycert: - ui.debug('using %s to enable OS X system CA\n' % dummycert) - ui.setconfig('web', 'cacerts', dummycert, 'dummy') - cacerts = dummycert - if cacerts: + else: + cacerts = _defaultcacerts() + if cacerts and cacerts != '!': + ui.debug('using %s to enable OS X system CA\n' % cacerts) + ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts') + if cacerts != '!': kws.update({'ca_certs': cacerts, 'cert_reqs': CERT_REQUIRED, }) @@ -201,7 +202,7 @@ hint=_('check hostfingerprint configuration')) self.ui.debug('%s certificate matched fingerprint %s\n' % (host, nicefingerprint)) - elif cacerts: + elif cacerts != '!': msg = _verifycert(peercert2, host) if msg: raise util.Abort(_('%s certificate error: %s') % (host, msg),
--- a/tests/hghave.py Wed Mar 04 22:41:48 2015 +0900 +++ b/tests/hghave.py Wed Mar 04 23:27:04 2015 +0900 @@ -323,7 +323,7 @@ @check("defaultcacerts", "can verify SSL certs by system's CA certs store") def has_defaultcacerts(): from mercurial import sslutil - return sslutil._defaultcacerts() + return sslutil._defaultcacerts() != '!' @check("windows", "Windows") def has_windows():
--- a/tests/test-https.t Wed Mar 04 22:41:48 2015 +0900 +++ b/tests/test-https.t Wed Mar 04 23:27:04 2015 +0900 @@ -124,7 +124,7 @@ abort: error: *certificate verify failed* (glob) [255] - $ DISABLEOSXDUMMYCERT="--config=web.cacerts=" + $ DISABLEOSXDUMMYCERT="--config=web.cacerts=!" #endif clone via pull @@ -240,7 +240,7 @@ $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc - works without cacerts - $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts= + $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=! 5fed3813f7f5 - fails when cert doesn't match hostname (port is ignored)