Mercurial: mercurial/sslutil.py comparison

comparison mercurial/sslutil.py @ 29112:5edc5acecc83

sslutil: handle ui.insecureconnections in validator Right now, web.cacerts=! means one of two things: 1) Use of --insecure 2) No CAs could be found and were loaded (see sslkwargs) This isn't very obvious and makes changing behavior of these different scenarios independent of the other impossible. This patch changes the validator code to explicit handle the case of --insecure being used. As the inline comment indicates, there is room to possibly change messaging and logic here. For now, we are backwards compatible.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Thu, 05 May 2016 00:37:28 -0700
parents	843df550b465
children	5b9577edf745

comparison

equal deleted inserted replaced

-:843df550b465
+:5edc5acecc83
 hint=_('check hostfingerprint configuration'))
 self.ui.debug('%s certificate matched fingerprint %s\n' %
 (host, nicefingerprint))
 return
+# If insecure connections were explicitly requested via --insecure,
+# print a warning and do no verification.
+#
+# It may seem odd that this is checked *after* host fingerprint pinning.
+# This is for backwards compatibility (for now). The message is also
+# the same as below for BC.
+if self.ui.insecureconnections:
+self.ui.warn(_('warning: %s certificate with fingerprint %s not '
+'verified (check hostfingerprints or web.cacerts '
+'config setting)\n') %
+(host, nicefingerprint))
+return
 # No pinned fingerprint. Establish trust by looking at the CAs.
 cacerts = self.ui.config('web', 'cacerts')
 if cacerts != '!':
 msg = _verifycert(peercert2, host)
 if msg:

Mercurial > hg

comparison mercurial/sslutil.py @ 29112:5edc5acecc83