Mercurial > hg-stable
changeset 15814:c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Mon, 09 Jan 2012 14:43:24 +0100 |
parents | 3ae04eb5e38a |
children | edc3a901a63d |
files | mercurial/sslutil.py tests/test-https.t |
diffstat | 2 files changed, 10 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Mon Jan 09 14:43:23 2012 +0100 +++ b/mercurial/sslutil.py Mon Jan 09 14:43:24 2012 +0100 @@ -110,18 +110,19 @@ self.ui.warn(_("warning: certificate for %s can't be verified " "(Python too old)\n") % host) return + peercert = sock.getpeercert(True) + peerfingerprint = util.sha1(peercert).hexdigest() + nicefingerprint = ":".join([peerfingerprint[x:x + 2] + for x in xrange(0, len(peerfingerprint), 2)]) if cacerts and not hostfingerprint: msg = _verifycert(sock.getpeercert(), host) if msg: - raise util.Abort(_('%s certificate error: %s ' - '(use --insecure to connect ' - 'insecurely)') % (host, msg)) + raise util.Abort(_('%s certificate error: %s') % (host, msg), + hint=_('configure hostfingerprint %s or use ' + '--insecure to connect insecurely') % + nicefingerprint) self.ui.debug('%s certificate successfully verified\n' % host) else: - peercert = sock.getpeercert(True) - peerfingerprint = util.sha1(peercert).hexdigest() - nicefingerprint = ":".join([peerfingerprint[x:x + 2] - for x in xrange(0, len(peerfingerprint), 2)]) if hostfingerprint: if peerfingerprint.lower() != \ hostfingerprint.replace(':', '').lower():
--- a/tests/test-https.t Mon Jan 09 14:43:23 2012 +0100 +++ b/tests/test-https.t Mon Jan 09 14:43:24 2012 +0100 @@ -180,7 +180,8 @@ cacert mismatch $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ - abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely) + abort: 127.0.0.1 certificate error: certificate is for localhost + (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely) [255] $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)