Show More
| @@ -354,6 +354,18 b' def validatesocket(sock):' | |||||
| 354 | raise error.Abort(_('%s certificate error: ' |
|
354 | raise error.Abort(_('%s certificate error: ' | |
| 355 | 'no certificate received') % host) |
|
355 | 'no certificate received') % host) | |
| 356 |
|
356 | |||
|
|
357 | if settings['disablecertverification']: | |||
|
|
358 | # We don't print the certificate fingerprint because it shouldn't | |||
|
|
359 | # be necessary: if the user requested certificate verification be | |||
|
|
360 | # disabled, they presumably already saw a message about the inability | |||
|
|
361 | # to verify the certificate and this message would have printed the | |||
|
|
362 | # fingerprint. So printing the fingerprint here adds little to no | |||
|
|
363 | # value. | |||
|
|
364 | ui.warn(_('warning: connection security to %s is disabled per current ' | |||
|
|
365 | 'settings; communication is susceptible to eavesdropping ' | |||
|
|
366 | 'and tampering\n') % host) | |||
|
|
367 | return | |||
|
|
368 | ||||
| 357 | # If a certificate fingerprint is pinned, use it and only it to |
|
369 | # If a certificate fingerprint is pinned, use it and only it to | |
| 358 | # validate the remote cert. |
|
370 | # validate the remote cert. | |
| 359 | peerfingerprints = { |
|
371 | peerfingerprints = { | |
| @@ -383,19 +395,6 b' def validatesocket(sock):' | |||||
| 383 | (host, nicefingerprint)) |
|
395 | (host, nicefingerprint)) | |
| 384 | return |
|
396 | return | |
| 385 |
|
397 | |||
| 386 | # If insecure connections were explicitly requested, print a warning |
|
|||
| 387 | # and do no verification. |
|
|||
| 388 | # |
|
|||
| 389 | # It may seem odd that this is checked *after* host fingerprint pinning. |
|
|||
| 390 | # This is for backwards compatibility (for now). The message is also |
|
|||
| 391 | # the same as below for BC. |
|
|||
| 392 | if settings['disablecertverification']: |
|
|||
| 393 | ui.warn(_('warning: %s certificate with fingerprint %s not ' |
|
|||
| 394 | 'verified (check %s or web.cacerts ' |
|
|||
| 395 | 'config setting)\n') % |
|
|||
| 396 | (host, nicefingerprint, section)) |
|
|||
| 397 | return |
|
|||
| 398 |
|
||||
| 399 | if not sock._hgstate['caloaded']: |
|
398 | if not sock._hgstate['caloaded']: | |
| 400 | ui.warn(_('warning: %s certificate with fingerprint %s ' |
|
399 | ui.warn(_('warning: %s certificate with fingerprint %s ' | |
| 401 | 'not verified (check %s or web.cacerts config ' |
|
400 | 'not verified (check %s or web.cacerts config ' | |
| @@ -235,7 +235,7 b' variables in the filename' | |||||
| 235 | no changes found |
|
235 | no changes found | |
| 236 | $ P=`pwd` hg -R copy-pull pull --insecure |
|
236 | $ P=`pwd` hg -R copy-pull pull --insecure | |
| 237 | pulling from https://localhost:$HGPORT/ |
|
237 | pulling from https://localhost:$HGPORT/ | |
| 238 | warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
238 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
| 239 | searching for changes |
|
239 | searching for changes | |
| 240 | no changes found |
|
240 | no changes found | |
| 241 |
|
241 | |||
| @@ -248,7 +248,7 b' cacert mismatch' | |||||
| 248 | [255] |
|
248 | [255] | |
| 249 | $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure |
|
249 | $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure | |
| 250 | pulling from https://127.0.0.1:$HGPORT/ |
|
250 | pulling from https://127.0.0.1:$HGPORT/ | |
| 251 | warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
251 | warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
| 252 | searching for changes |
|
252 | searching for changes | |
| 253 | no changes found |
|
253 | no changes found | |
| 254 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem |
|
254 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem | |
| @@ -257,7 +257,7 b' cacert mismatch' | |||||
| 257 | [255] |
|
257 | [255] | |
| 258 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure |
|
258 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure | |
| 259 | pulling from https://localhost:$HGPORT/ |
|
259 | pulling from https://localhost:$HGPORT/ | |
| 260 | warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
260 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
| 261 | searching for changes |
|
261 | searching for changes | |
| 262 | no changes found |
|
262 | no changes found | |
| 263 |
|
263 | |||
| @@ -347,7 +347,7 b' Test unvalidated https through proxy' | |||||
| 347 |
|
347 | |||
| 348 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback |
|
348 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback | |
| 349 | pulling from https://localhost:$HGPORT/ |
|
349 | pulling from https://localhost:$HGPORT/ | |
| 350 | warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
350 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
| 351 | searching for changes |
|
351 | searching for changes | |
| 352 | no changes found |
|
352 | no changes found | |
| 353 |
|
353 | |||
General Comments 0
You need to be logged in to leave comments.
Login now