sslutil: document and slightly refactor validation logic...
Gregory Szorc -
r28850:3819c349 default
@@ -264,8 +264,6 b' class validator(object):'
264 264
265 265 def __call__(self, sock, strict=False):
266 266 host = self.host
267 cacerts = self.ui.config('web', 'cacerts')
268 hostfingerprints = self.ui.configlist('hostfingerprints', host)
269 267
270 268 if not sock.cipher(): # work around http://bugs.python.org/issue13721
271 269 raise error.Abort(_('%s ssl connection error') % host)
@@ -278,6 +276,10 b' class validator(object):'
278 276 if not peercert:
279 277 raise error.Abort(_('%s certificate error: '
280 278 'no certificate received') % host)
279
280 # If a certificate fingerprint is pinned, use it and only it to
281 # validate the remote cert.
282 hostfingerprints = self.ui.configlist('hostfingerprints', host)
281 283 peerfingerprint = util.sha1(peercert).hexdigest()
282 284 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
283 285 for x in xrange(0, len(peerfingerprint), 2)])
@@ -294,7 +296,11 b' class validator(object):'
294 296 hint=_('check hostfingerprint configuration'))
295 297 self.ui.debug('%s certificate matched fingerprint %s\n' %
296 298 (host, nicefingerprint))
297 elif cacerts != '!':
299 return
300
301 # No pinned fingerprint. Establish trust by looking at the CAs.
302 cacerts = self.ui.config('web', 'cacerts')
303 if cacerts != '!':
298 304 msg = _verifycert(peercert2, host)
299 305 if msg:
300 306 raise error.Abort(_('%s certificate error: %s') % (host, msg),
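Review bot: The new comment "use it and only it to validate the remote cert" understates what the added `return` after the matched-fingerprint debug message does: it skips `_verifycert(peercert2, host)` entirely, so a matching pin bypasses both CA-chain and hostname verification, and the pin being compared is a SHA-1 digest of the DER certificate (`util.sha1(peercert)`). I would make that explicit in the comment, e.g. `# If a certificate fingerprint is pinned, use it and only it to validate the remote cert: a matching pin bypasses the CA and hostname checks below, and a mismatch aborts even if the CA chain would verify. The pin is a SHA-1 digest of the DER cert.` Since the pin is the sole trust anchor on that path, accepting a stronger digest (e.g. SHA-256) alongside SHA-1 seems worth a follow-up. The fingerprint comparison itself and the `else` of `cacerts != '!'` fall outside these hunks, as does the rest of `__call__`, so I cannot tell from here how a mismatch or an unset `cacerts` is handled.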