# HG changeset patch # User Mads Kiilerich # Date 2010-12-18 20:58:52 # Node ID 2fa2e6444645563835537e889dd7b5d230348430 # Parent 1c1ca9d393f43ae698ad9e4449d9f094fbaf1f2f https: warn when server certificate isn't verified Mercurial will verify HTTPS server certificates if web.cacerts is configured, but it will by default silently not verify any certificates. We now warn the user that when the certificate isn't verified she won't get the security she might expect from https: warning: localhost certificate not verified (check web.cacerts config setting) Self-signed certificates can be accepted silently by configuring web.cacerts to point to a suitable certificate file. diff --git a/mercurial/url.py b/mercurial/url.py --- a/mercurial/url.py +++ b/mercurial/url.py @@ -527,6 +527,9 @@ if has_https: self.ui.debug('%s certificate successfully verified\n' % self.host) else: + self.ui.warn(_("warning: %s certificate not verified " + "(check web.cacerts config setting)\n") % + self.host) httplib.HTTPSConnection.connect(self) class httpsconnection(BetterHTTPS): diff --git a/tests/test-https.t b/tests/test-https.t --- a/tests/test-https.t +++ b/tests/test-https.t @@ -106,6 +106,7 @@ Test server address cannot be reused clone via pull $ hg clone https://localhost:$HGPORT/ copy-pull + warning: localhost certificate not verified (check web.cacerts config setting) requesting all changes adding changesets adding manifests @@ -131,6 +132,7 @@ pull $ echo '[hooks]' >> .hg/hgrc $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc $ hg pull + warning: localhost certificate not verified (check web.cacerts config setting) changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ pulling from https://localhost:$HGPORT/ searching for changes