# HG changeset patch
# User Mads Kiilerich <mads@kiilerich.com>
# Date 1326116604 -3600
# Node ID c3e958b50a223f54c8b10d912334f988b01b1533
# Parent  3ae04eb5e38a30b4bba97e8b1927431280a98821
sslutil: show fingerprint when cacerts validation fails

diff -r 3ae04eb5e38a -r c3e958b50a22 mercurial/sslutil.py
--- a/mercurial/sslutil.py	Mon Jan 09 14:43:23 2012 +0100
+++ b/mercurial/sslutil.py	Mon Jan 09 14:43:24 2012 +0100
@@ -110,18 +110,19 @@
             self.ui.warn(_("warning: certificate for %s can't be verified "
                            "(Python too old)\n") % host)
             return
+        peercert = sock.getpeercert(True)
+        peerfingerprint = util.sha1(peercert).hexdigest()
+        nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+            for x in xrange(0, len(peerfingerprint), 2)])
         if cacerts and not hostfingerprint:
             msg = _verifycert(sock.getpeercert(), host)
             if msg:
-                raise util.Abort(_('%s certificate error: %s '
-                                   '(use --insecure to connect '
-                                   'insecurely)') % (host, msg))
+                raise util.Abort(_('%s certificate error: %s') % (host, msg),
+                                 hint=_('configure hostfingerprint %s or use '
+                                        '--insecure to connect insecurely') %
+                                      nicefingerprint)
             self.ui.debug('%s certificate successfully verified\n' % host)
         else:
-            peercert = sock.getpeercert(True)
-            peerfingerprint = util.sha1(peercert).hexdigest()
-            nicefingerprint = ":".join([peerfingerprint[x:x + 2]
-                for x in xrange(0, len(peerfingerprint), 2)])
             if hostfingerprint:
                 if peerfingerprint.lower() != \
                         hostfingerprint.replace(':', '').lower():
diff -r 3ae04eb5e38a -r c3e958b50a22 tests/test-https.t
--- a/tests/test-https.t	Mon Jan 09 14:43:23 2012 +0100
+++ b/tests/test-https.t	Mon Jan 09 14:43:24 2012 +0100
@@ -180,7 +180,8 @@
 cacert mismatch
 
   $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
-  abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
+  abort: 127.0.0.1 certificate error: certificate is for localhost
+  (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
   [255]
   $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
   warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)