Show More
| @@ -173,6 +173,8 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
| 173 |
|
173 | |||
| 174 | sslsocket._hgstate = { |
|
174 | sslsocket._hgstate = { | |
| 175 | 'caloaded': caloaded, |
|
175 | 'caloaded': caloaded, | |
|
|
176 | 'hostname': serverhostname, | |||
|
|
177 | 'ui': ui, | |||
| 176 | } |
|
178 | } | |
| 177 |
|
179 | |||
| 178 | return sslsocket |
|
180 | return sslsocket | |
| @@ -290,12 +292,12 b' def sslkwargs(ui, host):' | |||||
| 290 | return kws |
|
292 | return kws | |
| 291 |
|
293 | |||
| 292 | class validator(object): |
|
294 | class validator(object): | |
| 293 | def __init__(self, ui, host): |
|
295 | def __init__(self, ui=None, host=None): | |
| 294 | self.ui = ui |
|
296 | pass | |
| 295 | self.host = host |
|
|||
| 296 |
|
297 | |||
| 297 | def __call__(self, sock, strict=False): |
|
298 | def __call__(self, sock, strict=False): | |
| 298 |
host = s |
|
299 | host = sock._hgstate['hostname'] | |
|
|
300 | ui = sock._hgstate['ui'] | |||
| 299 |
|
301 | |||
| 300 | if not sock.cipher(): # work around http://bugs.python.org/issue13721 |
|
302 | if not sock.cipher(): # work around http://bugs.python.org/issue13721 | |
| 301 | raise error.Abort(_('%s ssl connection error') % host) |
|
303 | raise error.Abort(_('%s ssl connection error') % host) | |
| @@ -311,7 +313,7 b' class validator(object):' | |||||
| 311 |
|
313 | |||
| 312 | # If a certificate fingerprint is pinned, use it and only it to |
|
314 | # If a certificate fingerprint is pinned, use it and only it to | |
| 313 | # validate the remote cert. |
|
315 | # validate the remote cert. | |
| 314 |
hostfingerprints = |
|
316 | hostfingerprints = ui.configlist('hostfingerprints', host) | |
| 315 | peerfingerprint = util.sha1(peercert).hexdigest() |
|
317 | peerfingerprint = util.sha1(peercert).hexdigest() | |
| 316 | nicefingerprint = ":".join([peerfingerprint[x:x + 2] |
|
318 | nicefingerprint = ":".join([peerfingerprint[x:x + 2] | |
| 317 | for x in xrange(0, len(peerfingerprint), 2)]) |
|
319 | for x in xrange(0, len(peerfingerprint), 2)]) | |
| @@ -326,7 +328,7 b' class validator(object):' | |||||
| 326 | raise error.Abort(_('certificate for %s has unexpected ' |
|
328 | raise error.Abort(_('certificate for %s has unexpected ' | |
| 327 | 'fingerprint %s') % (host, nicefingerprint), |
|
329 | 'fingerprint %s') % (host, nicefingerprint), | |
| 328 | hint=_('check hostfingerprint configuration')) |
|
330 | hint=_('check hostfingerprint configuration')) | |
| 329 |
|
|
331 | ui.debug('%s certificate matched fingerprint %s\n' % | |
| 330 |
|
|
332 | (host, nicefingerprint)) | |
| 331 | return |
|
333 | return | |
| 332 |
|
334 | |||
| @@ -336,8 +338,8 b' class validator(object):' | |||||
| 336 | # It may seem odd that this is checked *after* host fingerprint pinning. |
|
338 | # It may seem odd that this is checked *after* host fingerprint pinning. | |
| 337 | # This is for backwards compatibility (for now). The message is also |
|
339 | # This is for backwards compatibility (for now). The message is also | |
| 338 | # the same as below for BC. |
|
340 | # the same as below for BC. | |
| 339 |
if |
|
341 | if ui.insecureconnections: | |
| 340 |
|
|
342 | ui.warn(_('warning: %s certificate with fingerprint %s not ' | |
| 341 |
|
|
343 | 'verified (check hostfingerprints or web.cacerts ' | |
| 342 |
|
|
344 | 'config setting)\n') % | |
| 343 |
|
|
345 | (host, nicefingerprint)) | |
| @@ -350,7 +352,7 b' class validator(object):' | |||||
| 350 | hint=_('check hostfingerprints or ' |
|
352 | hint=_('check hostfingerprints or ' | |
| 351 | 'web.cacerts config setting')) |
|
353 | 'web.cacerts config setting')) | |
| 352 | else: |
|
354 | else: | |
| 353 |
|
|
355 | ui.warn(_('warning: %s certificate with fingerprint %s ' | |
| 354 |
|
|
356 | 'not verified (check hostfingerprints or ' | |
| 355 |
|
|
357 | 'web.cacerts config setting)\n') % | |
| 356 |
|
|
358 | (host, nicefingerprint)) | |
General Comments 0
You need to be logged in to leave comments.
Login now