@@ -354,6 +354,18 b' def validatesocket(sock):' | |||||
354 | raise error.Abort(_('%s certificate error: ' |
|
354 | raise error.Abort(_('%s certificate error: ' | |
355 | 'no certificate received') % host) |
|
355 | 'no certificate received') % host) | |
356 |
|
356 | |||
|
357 | if settings['disablecertverification']: | |||
|
358 | # We don't print the certificate fingerprint because it shouldn't | |||
|
359 | # be necessary: if the user requested certificate verification be | |||
|
360 | # disabled, they presumably already saw a message about the inability | |||
|
361 | # to verify the certificate and this message would have printed the | |||
|
362 | # fingerprint. So printing the fingerprint here adds little to no | |||
|
363 | # value. | |||
|
364 | ui.warn(_('warning: connection security to %s is disabled per current ' | |||
|
365 | 'settings; communication is susceptible to eavesdropping ' | |||
|
366 | 'and tampering\n') % host) | |||
|
367 | return | |||
|
368 | ||||
357 | # If a certificate fingerprint is pinned, use it and only it to |
|
369 | # If a certificate fingerprint is pinned, use it and only it to | |
358 | # validate the remote cert. |
|
370 | # validate the remote cert. | |
359 | peerfingerprints = { |
|
371 | peerfingerprints = { | |
@@ -383,19 +395,6 b' def validatesocket(sock):' | |||||
383 | (host, nicefingerprint)) |
|
395 | (host, nicefingerprint)) | |
384 | return |
|
396 | return | |
385 |
|
397 | |||
386 | # If insecure connections were explicitly requested, print a warning |
|
|||
387 | # and do no verification. |
|
|||
388 | # |
|
|||
389 | # It may seem odd that this is checked *after* host fingerprint pinning. |
|
|||
390 | # This is for backwards compatibility (for now). The message is also |
|
|||
391 | # the same as below for BC. |
|
|||
392 | if settings['disablecertverification']: |
|
|||
393 | ui.warn(_('warning: %s certificate with fingerprint %s not ' |
|
|||
394 | 'verified (check %s or web.cacerts ' |
|
|||
395 | 'config setting)\n') % |
|
|||
396 | (host, nicefingerprint, section)) |
|
|||
397 | return |
|
|||
398 |
|
||||
399 | if not sock._hgstate['caloaded']: |
|
398 | if not sock._hgstate['caloaded']: | |
400 | ui.warn(_('warning: %s certificate with fingerprint %s ' |
|
399 | ui.warn(_('warning: %s certificate with fingerprint %s ' | |
401 | 'not verified (check %s or web.cacerts config ' |
|
400 | 'not verified (check %s or web.cacerts config ' |
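Review bot: The `return` at new line 367 now comes before the pinned-fingerprint comparison that begins at new line 369, so if `settings` can carry both a pinned fingerprint and `disablecertverification`, the pin is no longer checked; the comment removed in the second hunk says the old order was kept for backwards compatibility. The new comment explains only why the fingerprint is not printed, so I would state the precedence as well, e.g. `# Checked before fingerprint pinning: when verification is disabled, pinned fingerprints are not compared.` The warning also drops the only record of which certificate was accepted, which matters for unattended runs where nobody saw an earlier message; consider keeping the fingerprint in debug-level output. validatesocket starts and ends outside both hunks, so whether both settings can be set together is not visible here.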
@@ -235,7 +235,7 b' variables in the filename' | |||||
235 | no changes found |
|
235 | no changes found | |
236 | $ P=`pwd` hg -R copy-pull pull --insecure |
|
236 | $ P=`pwd` hg -R copy-pull pull --insecure | |
237 | pulling from https://localhost:$HGPORT/ |
|
237 | pulling from https://localhost:$HGPORT/ | |
238 | warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
238 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
239 | searching for changes |
|
239 | searching for changes | |
240 | no changes found |
|
240 | no changes found | |
241 |
|
241 | |||
@@ -248,7 +248,7 b' cacert mismatch' | |||||
248 | [255] |
|
248 | [255] | |
249 | $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure |
|
249 | $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure | |
250 | pulling from https://127.0.0.1:$HGPORT/ |
|
250 | pulling from https://127.0.0.1:$HGPORT/ | |
251 | warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
251 | warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
252 | searching for changes |
|
252 | searching for changes | |
253 | no changes found |
|
253 | no changes found | |
254 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem |
|
254 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem | |
@@ -257,7 +257,7 b' cacert mismatch' | |||||
257 | [255] |
|
257 | [255] | |
258 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure |
|
258 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure | |
259 | pulling from https://localhost:$HGPORT/ |
|
259 | pulling from https://localhost:$HGPORT/ | |
260 | warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
260 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
261 | searching for changes |
|
261 | searching for changes | |
262 | no changes found |
|
262 | no changes found | |
263 |
|
263 | |||
@@ -347,7 +347,7 b' Test unvalidated https through proxy' | |||||
347 |
|
347 | |||
348 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback |
|
348 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback | |
349 | pulling from https://localhost:$HGPORT/ |
|
349 | pulling from https://localhost:$HGPORT/ | |
350 | warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
|
350 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
351 | searching for changes |
|
351 | searching for changes | |
352 | no changes found |
|
352 | no changes found | |
353 |
|
353 |
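Review bot: All four updated expectations (new lines 238, 251, 260 and 350) run `--insecure` with no pinned fingerprint on the command line, so the reordering in validatesocket, where the verification-disabled branch now returns before the fingerprint comparison, is not exercised by anything shown here. If a pinned fingerprint and `--insecure` can be combined, a case with a deliberately wrong pin plus `--insecure` would record which of the two wins. Other parts of the test file are outside these hunks and may already cover it.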