diff mercurial/sslutil.py @ 29268:f200b58497f1

sslutil: reference appropriate config section in messaging Error messages reference the config section defining the host fingerprint. Now that we have multiple sections where this config setting could live, we need to point the user at the appropriate one. We default to the new "hostsecurity" section. But we will still refer them to the "hostfingerprint" section if a value is defined there. There are some corner cases where the messaging might be off. e.g. they could define a SHA-1 fingerprint in both sections. IMO the messaging needs a massive overhaul. I plan to do this as part of future refactoring to security settings.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sat, 28 May 2016 12:58:46 -0700
parents f0ccb6cde3e5
children a05a91a3f120
--- a/mercurial/sslutil.py	Sat May 28 12:37:36 2016 -0700
+++ b/mercurial/sslutil.py	Sat May 28 12:58:46 2016 -0700
@@ -117,6 +117,8 @@
         # Path to file containing concatenated CA certs. Used by
         # SSLContext.load_verify_locations().
         'cafile': None,
+        # Whether the legacy [hostfingerprints] section has data for this host.
+        'legacyfingerprint': False,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         'verifymode': None,
     }
@@ -140,6 +142,7 @@
     for fingerprint in ui.configlist('hostfingerprints', hostname, []):
         fingerprint = fingerprint.replace(':', '').lower()
         s['certfingerprints'].append(('sha1', fingerprint))
+        s['legacyfingerprint'] = True
 
     # If a host cert fingerprint is defined, it is the only thing that
     # matters. No need to validate CA certs.
@@ -350,6 +353,11 @@
     nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
         for x in range(0, len(peerfingerprints['sha1']), 2)])
 
+    if settings['legacyfingerprint']:
+        section = 'hostfingerprint'
+    else:
+        section = 'hostsecurity'
+
     if settings['certfingerprints']:
         fingerprintmatch = False
         for hash, fingerprint in settings['certfingerprints']:
@@ -359,7 +367,7 @@
         if not fingerprintmatch:
             raise error.Abort(_('certificate for %s has unexpected '
                                'fingerprint %s') % (host, nicefingerprint),
-                             hint=_('check hostfingerprint configuration'))
+                             hint=_('check %s configuration') % section)
         ui.debug('%s certificate matched fingerprint %s\n' %
                  (host, nicefingerprint))
         return
@@ -372,28 +380,28 @@
     # the same as below for BC.
     if ui.insecureconnections:
         ui.warn(_('warning: %s certificate with fingerprint %s not '
-                  'verified (check hostfingerprints or web.cacerts '
+                  'verified (check %s or web.cacerts '
                   'config setting)\n') %
-                (host, nicefingerprint))
+                (host, nicefingerprint, section))
         return
 
     if not sock._hgstate['caloaded']:
         if strict:
             raise error.Abort(_('%s certificate with fingerprint %s not '
                                 'verified') % (host, nicefingerprint),
-                              hint=_('check hostfingerprints or '
-                                     'web.cacerts config setting'))
+                              hint=_('check %s or web.cacerts config '
+                                     'setting') % section)
         else:
             ui.warn(_('warning: %s certificate with fingerprint %s '
-                      'not verified (check hostfingerprints or '
-                      'web.cacerts config setting)\n') %
-                    (host, nicefingerprint))
+                      'not verified (check %s or web.cacerts config '
+                      'setting)\n') %
+                    (host, nicefingerprint, section))
 
         return
 
     msg = _verifycert(peercert2, host)
     if msg:
         raise error.Abort(_('%s certificate error: %s') % (host, msg),
-                         hint=_('configure hostfingerprint %s or use '
+                         hint=_('configure %s %s or use '
                                 '--insecure to connect insecurely') %
-                              nicefingerprint)
+                              (section, nicefingerprint))
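Review bot: The final hint now renders as `configure <section> <sha1 fingerprint>`, but when `section` is `hostsecurity` the page does not show that this section takes a bare SHA-1 value in the same form the old `hostfingerprint` hint implied, so the suggested remedy may be a string the user cannot paste into their config. Since `peerfingerprints['sha1']` is the only digest used to build `nicefingerprint`, a user following the `hostsecurity` hint would also be steered toward pinning a SHA-1 value; consider either stating the expected key/value form in the hint or, if `hostsecurity` supports stronger digests (not visible here), confirming that the hint recommends one of those. A short comment above the `section` selection, such as `# Hints name the section the user should edit; the legacy section wins when it supplied the pin`, would also make the intent clear. The enclosing function ends outside this hunk.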