# HG changeset patch
# User Mads Kiilerich
# Date 2012-01-09 13:43:24
# Node ID c3e958b50a223f54c8b10d912334f988b01b1533
# Parent 3ae04eb5e38a30b4bba97e8b1927431280a98821
sslutil: show fingerprint when cacerts validation fails
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -110,18 +110,19 @@ class validator(object):
 self.ui.warn(_("warning: certificate for %s can't be verified "
 "(Python too old)\n") % host)
 return
+ peercert = sock.getpeercert(True)
+ peerfingerprint = util.sha1(peercert).hexdigest()
+ nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+ for x in xrange(0, len(peerfingerprint), 2)])
 if cacerts and not hostfingerprint:
 msg = _verifycert(sock.getpeercert(), host)
 if msg:
- raise util.Abort(_('%s certificate error: %s '
- '(use --insecure to connect '
- 'insecurely)') % (host, msg))
+ raise util.Abort(_('%s certificate error: %s') % (host, msg),
+ hint=_('configure hostfingerprint %s or use '
+ '--insecure to connect insecurely') %
+ nicefingerprint)
 self.ui.debug('%s certificate successfully verified\n' % host)
 else:
- peercert = sock.getpeercert(True)
- peerfingerprint = util.sha1(peercert).hexdigest()
- nicefingerprint = ":".join([peerfingerprint[x:x + 2]
- for x in xrange(0, len(peerfingerprint), 2)])
 if hostfingerprint:
 if peerfingerprint.lower() != \
 hostfingerprint.replace(':', '').lower():
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
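Review bot: The new hint on the raise tells the user to "configure hostfingerprint" with `nicefingerprint`, which is the SHA-1 digest of the very certificate that just failed CA validation, so as written it reads as an instruction to pin whatever the peer presented rather than a value to confirm through a second channel before pinning. I would make that explicit in the hint, e.g. `hint=_('verify fingerprint %s out of band, then configure hostfingerprint, or use --insecure to connect insecurely')`, and put a comment above the new `peercert = sock.getpeercert(True)` line noting that the fingerprint is taken from the untrusted peer certificate before any validation has run; changing the hint text also means updating the expected output in tests/test-https.t. Note also that `sock.getpeercert(True)` and the digest are now evaluated on every path, including the cacerts path where they only feed the error hint, which is fine only if a peer certificate is guaranteed to be present there — that cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.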
@@ -180,7 +180,8 @@ variables in the filename
 cacert mismatch
 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
- abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
+ abort: 127.0.0.1 certificate error: certificate is for localhost
+ (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
 [255]
 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)