sslutil: allow multiple fingerprints per host Certificate pinning via [hostfingerprints] is a useful security feature. Currently, we only support one fingerprint per hostname. This is simple but it fails in the real world: * Switching certificates breaks clients until they change the pinned certificate fingerprint. This incurs client downtime and can require massive amounts of coordination to perform certificate changes. * Some servers operate with multiple certificates on the same hostname. This patch adds support for defining multiple certificate fingerprints per host. This overcomes the deficiencies listed above. I anticipate the primary use case of this feature will be to define both the old and new certificate so a certificate transition can occur with minimal interruption, so this scenario has been called out in the help documentation.

# Extension to write out fake unsupported records into the merge state
#
#

from __future__ import absolute_import

from mercurial import (
    cmdutil,
    merge,
)

cmdtable = {}
command = cmdutil.command(cmdtable)

@command('fakemergerecord',
         [('X', 'mandatory', None, 'add a fake mandatory record'),
          ('x', 'advisory', None, 'add a fake advisory record')], '')
def fakemergerecord(ui, repo, *pats, **opts):
    ms = merge.mergestate.read(repo)
    records = ms._makerecords()
    if opts.get('mandatory'):
        records.append(('X', 'mandatory record'))
    if opts.get('advisory'):
        records.append(('x', 'advisory record'))
    ms._writerecords(records)