--- a/mercurial/sslutil.py Mon Jan 09 14:43:23 2012 +0100
+++ b/mercurial/sslutil.py Mon Jan 09 14:43:24 2012 +0100
@@ -110,18 +110,19 @@
self.ui.warn(_("warning: certificate for %s can't be verified "
"(Python too old)\n") % host)
return
+ peercert = sock.getpeercert(True)
+ peerfingerprint = util.sha1(peercert).hexdigest()
+ nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+ for x in xrange(0, len(peerfingerprint), 2)])
if cacerts and not hostfingerprint:
msg = _verifycert(sock.getpeercert(), host)
if msg:
- raise util.Abort(_('%s certificate error: %s '
- '(use --insecure to connect '
- 'insecurely)') % (host, msg))
+ raise util.Abort(_('%s certificate error: %s') % (host, msg),
+ hint=_('configure hostfingerprint %s or use '
+ '--insecure to connect insecurely') %
+ nicefingerprint)
self.ui.debug('%s certificate successfully verified\n' % host)
else:
- peercert = sock.getpeercert(True)
- peerfingerprint = util.sha1(peercert).hexdigest()
- nicefingerprint = ":".join([peerfingerprint[x:x + 2]
- for x in xrange(0, len(peerfingerprint), 2)])
if hostfingerprint:
if peerfingerprint.lower() != \
hostfingerprint.replace(':', '').lower():
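Review bot: The new hint on the `_verifycert` failure path prints the fingerprint of the certificate that has just failed verification and tells the user to configure it as `hostfingerprint`, so following the hint verbatim pins whatever certificate the peer presented, including one from an interposed host. The hint should make clear that the fingerprint has to be confirmed through a separate channel first, for example `hint=_('if %s is the fingerprint you expect for this host, configure hostfingerprint, or use --insecure to connect insecurely') % nicefingerprint`. Separately, `sock.getpeercert(True)` and `util.sha1(peercert)` now run before the `cacerts` branch. If the binary certificate can be `None` at this point, hashing it would raise before `_verifycert` can report its own error, so an `if not peercert:` guard that aborts may be needed. Whether that can happen depends on code outside the hunk, since the enclosing function starts above it and continues below it.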
--- a/tests/test-https.t Mon Jan 09 14:43:23 2012 +0100
+++ b/tests/test-https.t Mon Jan 09 14:43:24 2012 +0100
@@ -180,7 +180,8 @@
cacert mismatch
$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
- abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
+ abort: 127.0.0.1 certificate error: certificate is for localhost
+ (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
[255]
$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)