# HG changeset patch # User Gregory Szorc # Date 1464747668 25200 # Node ID bc5f55493397d62d3e2d69fb671e5101f31e7245 # Parent 15e533b7909cabf25e4de59ea038b593c58cf03a sslutil: make cert fingerprints messages more actionable The previous warning and abort messages were difficult to understand. This patch makes them slightly better. I think there is still room to tweak the messaging. And as we adopt new security defaults, these messages will certainly change again. But at least this takes us a step in the right direction. References to "section" have been removed because if no fingerprint is defined, "section" can never be "hostfingerprints." So just print "hostsecurity" every time. diff -r 15e533b7909c -r bc5f55493397 mercurial/sslutil.py --- a/mercurial/sslutil.py Mon May 30 15:43:03 2016 -0700 +++ b/mercurial/sslutil.py Tue May 31 19:21:08 2016 -0700 @@ -397,15 +397,15 @@ hint=_('check %s configuration') % section) if not sock._hgstate['caloaded']: - ui.warn(_('warning: %s certificate with fingerprint %s ' - 'not verified (check %s or web.cacerts config ' - 'setting)\n') % - (host, nicefingerprint, section)) + ui.warn(_('warning: certificate for %s not verified ' + '(set hostsecurity.%s:certfingerprints=%s or web.cacerts ' + 'config settings)\n') % (host, host, nicefingerprint)) return msg = _verifycert(peercert2, host) if msg: raise error.Abort(_('%s certificate error: %s') % (host, msg), - hint=_('configure %s %s or use ' - '--insecure to connect insecurely') % - (section, nicefingerprint)) + hint=_('set hostsecurity.%s:certfingerprints=%s ' + 'config setting or use --insecure to connect ' + 'insecurely') % + (host, nicefingerprint)) diff -r 15e533b7909c -r bc5f55493397 tests/test-https.t --- a/tests/test-https.t Mon May 30 15:43:03 2016 -0700 +++ b/tests/test-https.t Tue May 31 19:21:08 2016 -0700 @@ -176,7 +176,7 @@ clone via pull $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS - warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) + warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings) requesting all changes adding changesets adding manifests @@ -203,7 +203,7 @@ $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc $ hg pull $DISABLECACERTS pulling from https://localhost:$HGPORT/ - warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) + warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings) searching for changes adding changesets adding manifests @@ -244,7 +244,7 @@ $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ pulling from https://127.0.0.1:$HGPORT/ abort: 127.0.0.1 certificate error: certificate is for localhost - (configure hostsecurity sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or use --insecure to connect insecurely) + (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) [255] $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure pulling from https://127.0.0.1:$HGPORT/