diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -377,14 +377,8 @@ def validatesocket(sock):
 def fmtfingerprint(s):
 return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)])
- legacyfingerprint = fmtfingerprint(peerfingerprints['sha1'])
 nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
- if settings['legacyfingerprint']:
- section = 'hostfingerprint'
- else:
- section = 'hostsecurity'
-
 if settings['certfingerprints']:
 for hash, fingerprint in settings['certfingerprints']:
 if peerfingerprints[hash].lower() == fingerprint:
@@ -392,8 +386,15 @@ def validatesocket(sock):
 (host, hash, fmtfingerprint(fingerprint)))
 return
+ # Pinned fingerprint didn't match. This is a fatal error.
+ if settings['legacyfingerprint']:
+ section = 'hostfingerprint'
+ nice = fmtfingerprint(peerfingerprints['sha1'])
+ else:
+ section = 'hostsecurity'
+ nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
 raise error.Abort(_('certificate for %s has unexpected '
- 'fingerprint %s') % (host, legacyfingerprint),
+ 'fingerprint %s') % (host, nice),
 hint=_('check %s configuration') % section)
 if not sock._hgstate['caloaded']:
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -314,7 +314,7 @@ Fingerprints
 [255]
 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
- abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
+ abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
 (check hostsecurity configuration)
 [255]
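Review bot: In the non-legacy branch of the second sslutil.py hunk, `hash` is the leaked loop variable from `for hash, fingerprint in settings['certfingerprints']`, so after every pin has failed the abort message reports the peer's fingerprint only under the algorithm of the last pinned entry; with mixed pins (a sha256 entry followed by a sha1 one) an operator who pinned sha256 is shown a sha1 value and has nothing to compare against the fingerprint they verified out of band. Since this message is what the operator uses to decide whether the pin is stale or the peer is not the expected one, report the peer fingerprint for every algorithm that is actually pinned, e.g. `algos = sorted({h for h, _ in settings['certfingerprints']})` and `nice = ', '.join('%s:%s' % (h, fmtfingerprint(peerfingerprints[h])) for h in algos)`. Relying on the loop variable surviving the loop (a name that also shadows the builtin `hash`) is fragile in any case; binding an explicit `algo` before the loop would make the intent visible. validatesocket begins and ends outside this hunk.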
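Review bot: The updated expectation in test-https.t only exercises two pins under the same algorithm (both sha1), so it does not pin down what the abort message shows when entries for different algorithms are configured, which is precisely where the algorithm chosen for the message in sslutil.py depends on pin order. A companion case with one sha1 and one sha256 pin, both wrong, would make the reported algorithm part of the tested contract rather than an accident of iteration order.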