changeset 29287:fbccb334efe7

sslutil: store flag for whether cert verification is disabled This patch effectively moves the ui.insecureconnections check to _hostsettings(). After this patch, validatesocket() no longer uses the ui instance for anything except writing messages. This patch also enables us to introduce a per-host config option for disabling certificate verification.
author Gregory Szorc <gregory.szorc@gmail.com>
date Mon, 30 May 2016 11:20:31 -0700
parents a05a91a3f120
children 7dee15dee53c
files mercurial/sslutil.py
diffstat 1 files changed, 6 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Mon May 30 11:19:43 2016 -0700
+++ b/mercurial/sslutil.py	Mon May 30 11:20:31 2016 -0700
@@ -117,6 +117,8 @@
         # Path to file containing concatenated CA certs. Used by
         # SSLContext.load_verify_locations().
         'cafile': None,
+        # Whether certificate verification should be disabled.
+        'disablecertverification': False,
         # Whether the legacy [hostfingerprints] section has data for this host.
         'legacyfingerprint': False,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
@@ -151,6 +153,7 @@
 
     # If --insecure is used, don't take CAs into consideration.
     elif ui.insecureconnections:
+        s['disablecertverification'] = True
         s['verifymode'] = ssl.CERT_NONE
 
     # Try to hook up CA certificate validation unless something above
@@ -372,13 +375,13 @@
                  (host, nicefingerprint))
         return
 
-    # If insecure connections were explicitly requested via --insecure,
-    # print a warning and do no verification.
+    # If insecure connections were explicitly requested, print a warning
+    # and do no verification.
     #
     # It may seem odd that this is checked *after* host fingerprint pinning.
     # This is for backwards compatibility (for now). The message is also
     # the same as below for BC.
-    if ui.insecureconnections:
+    if settings['disablecertverification']:
         ui.warn(_('warning: %s certificate with fingerprint %s not '
                   'verified (check %s or web.cacerts '
                   'config setting)\n') %