changeset 29287:fbccb334efe7
sslutil: store flag for whether cert verification is disabled
This patch effectively moves the ui.insecureconnections check to
_hostsettings(). After this patch, validatesocket() no longer uses the
ui instance for anything except writing messages.
This patch also enables us to introduce a per-host config option
for disabling certificate verification.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Mon, 30 May 2016 11:20:31 -0700 |
parents | a05a91a3f120 |
children | 7dee15dee53c |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 6 insertions(+), 3 deletions(-) [+] |
--- a/mercurial/sslutil.py Mon May 30 11:19:43 2016 -0700
+++ b/mercurial/sslutil.py Mon May 30 11:20:31 2016 -0700
@@ -117,6 +117,8 @@
 # Path to file containing concatenated CA certs. Used by
 # SSLContext.load_verify_locations().
 'cafile': None,
+ # Whether certificate verification should be disabled.
+ 'disablecertverification': False,
 # Whether the legacy [hostfingerprints] section has data for this host.
 'legacyfingerprint': False,
 # ssl.CERT_* constant used by SSLContext.verify_mode.
@@ -151,6 +153,7 @@
 # If --insecure is used, don't take CAs into consideration.
 elif ui.insecureconnections:
+ s['disablecertverification'] = True
 s['verifymode'] = ssl.CERT_NONE
 # Try to hook up CA certificate validation unless something above
@@ -372,13 +375,13 @@
 (host, nicefingerprint))
 return
- # If insecure connections were explicitly requested via --insecure,
- # print a warning and do no verification.
+ # If insecure connections were explicitly requested, print a warning
+ # and do no verification.
 #
 # It may seem odd that this is checked *after* host fingerprint pinning.
 # This is for backwards compatibility (for now). The message is also
 # the same as below for BC.
- if ui.insecureconnections:
+ if settings['disablecertverification']:
 ui.warn(_('warning: %s certificate with fingerprint %s not '
 'verified (check %s or web.cacerts '
 'config setting)\n') %
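Review bot: The comment on the new `'disablecertverification'` default does not say how the flag relates to `'verifymode'`, and the second hunk is the only visible place that keeps the two in step, by setting both under `elif ui.insecureconnections:`. A later writer of the flag (the description anticipates a per-host option) could set one without the other, and nothing in these hunks would catch that. I would extend the comment to `# Whether certificate verification should be disabled. When True, verifymode must be ssl.CERT_NONE and the socket check only warns.` The settings dict and the if/elif chain both start outside the hunks, so any existing guard elsewhere is not visible here.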
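Review bot: The warning under `if settings['disablecertverification']:` still tells the user to `check %s or web.cacerts config setting`, which reads as a missing CA configuration rather than a deliberate opt-out; the comment above it says the text is kept for backwards compatibility. Once the flag can come from persistent configuration, as the description anticipates, that wording makes an intentionally unverified host hard to tell apart in output from one that merely lacks CA certificates. A follow-up should give this branch its own message, for example `warning: certificate verification disabled for %s`, and add a test that the fingerprint-pinning path above, which returns before this branch, is unaffected. The `ui.warn(...)` call continues past the end of the hunk.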