Mercurial > hg

comparison mercurial/url.py @ 12595:0f83a402faa0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
merge with stable
author Mads Kiilerich <mads@kiilerich.com>
date Fri, 01 Oct 2010 00:54:03 +0200
parents 9d45f78c465b f2937d6492c5
children 1393a81b3bdc
comparison
equal deleted inserted replaced
12591:4b9f23885a55 12595:0f83a402faa0
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> 5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
6 # 6 #
7 # This software may be used and distributed according to the terms of the 7 # This software may be used and distributed according to the terms of the
8 # GNU General Public License version 2 or any later version. 8 # GNU General Public License version 2 or any later version.
9 9
10 import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO 10 import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO, time
11 import __builtin__ 11 import __builtin__
12 from i18n import _ 12 from i18n import _
13 import keepalive, util 13 import keepalive, util
14 14
15 def _urlunparse(scheme, netloc, path, params, query, fragment, url): 15 def _urlunparse(scheme, netloc, path, params, query, fragment, url):
484 484
485 def _start_transaction(self, h, req): 485 def _start_transaction(self, h, req):
486 _generic_start_transaction(self, h, req) 486 _generic_start_transaction(self, h, req)
487 return keepalive.HTTPHandler._start_transaction(self, h, req) 487 return keepalive.HTTPHandler._start_transaction(self, h, req)
488 488
489 def _verifycert(cert, hostname):
490 '''Verify that cert (in socket.getpeercert() format) matches hostname and is
491 valid at this time. CRLs and subjectAltName are not handled.
492
493 Returns error message if any problems are found and None on success.
494 '''
495 if not cert:
496 return _('no certificate received')
497 notafter = cert.get('notAfter')
498 if notafter and time.time() > ssl.cert_time_to_seconds(notafter):
499 return _('certificate expired %s') % notafter
500 notbefore = cert.get('notBefore')
501 if notbefore and time.time() < ssl.cert_time_to_seconds(notbefore):
502 return _('certificate not valid before %s') % notbefore
503 dnsname = hostname.lower()
504 for s in cert.get('subject', []):
505 key, value = s[0]
506 if key == 'commonName':
507 certname = value.lower()
508 if (certname == dnsname or
509 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):
510 return None
511 return _('certificate is for %s') % certname
512 return _('no commonName found in certificate')
513
489 if has_https: 514 if has_https:
490 class BetterHTTPS(httplib.HTTPSConnection): 515 class BetterHTTPS(httplib.HTTPSConnection):
491 send = keepalive.safesend 516 send = keepalive.safesend
492 517
493 def connect(self): 518 def connect(self):
499 if cacerts: 524 if cacerts:
500 sock = _create_connection((self.host, self.port)) 525 sock = _create_connection((self.host, self.port))
501 self.sock = _ssl_wrap_socket(sock, self.key_file, 526 self.sock = _ssl_wrap_socket(sock, self.key_file,
502 self.cert_file, cert_reqs=CERT_REQUIRED, 527 self.cert_file, cert_reqs=CERT_REQUIRED,
503 ca_certs=cacerts) 528 ca_certs=cacerts)
504 self.ui.debug(_('server identity verification succeeded\n')) 529 msg = _verifycert(self.sock.getpeercert(), self.host)
530 if msg:
531 raise util.Abort('%s certificate error: %s' % (self.host, msg))
532 self.ui.debug(_('%s certificate successfully verified\n') %
533 self.host)
505 else: 534 else:
506 httplib.HTTPSConnection.connect(self) 535 httplib.HTTPSConnection.connect(self)
507 536
508 class httpsconnection(BetterHTTPS): 537 class httpsconnection(BetterHTTPS):
509 response_class = keepalive.HTTPResponse 538 response_class = keepalive.HTTPResponse