sslutil: document and slightly refactor validation logic...
Gregory Szorc -
r28850:3819c349 default
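--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -264,8 +264,6 @@ class validator(object):
 
 def __call__(self, sock, strict=False):
 host = self.host
-cacerts = self.ui.config('web', 'cacerts')
-hostfingerprints = self.ui.configlist('hostfingerprints', host)
 
 if not sock.cipher(): # work around http://bugs.python.org/issue13721
 raise error.Abort(_('%s ssl connection error') % host)
@@ -278,6 +276,10 @@ class validator(object):
 if not peercert:
 raise error.Abort(_('%s certificate error: '
 'no certificate received') % host)
+
+# If a certificate fingerprint is pinned, use it and only it to
+# validate the remote cert.
+hostfingerprints = self.ui.configlist('hostfingerprints', host)
 peerfingerprint = util.sha1(peercert).hexdigest()
 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
 for x in xrange(0, len(peerfingerprint), 2)])
@@ -294,7 +296,11 @@ class validator(object):
 hint=_('check hostfingerprint configuration'))
 self.ui.debug('%s certificate matched fingerprint %s\n' %
 (host, nicefingerprint))
-elif cacerts != '!':
+return
+
+# No pinned fingerprint. Establish trust by looking at the CAs.
+cacerts = self.ui.config('web', 'cacerts')
+if cacerts != '!':
 msg = _verifycert(peercert2, host)
 if msg:
 raise error.Abort(_('%s certificate error: %s') % (host, msg),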
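Review bot: `__call__` (its `def` is in the first hunk, its body runs past the last) still carries no docstring even though the commit is titled as documenting the validation logic, and the property most worth stating is visible here: a matching `hostfingerprints` entry hits the new `return` at line 299 before `web.cacerts` is read, so a pinned fingerprint is the sole trust decision and CA-based validation is never consulted for that host. A docstring such as `"""Validate the TLS peer certificate presented on sock. A pinned hostfingerprint (SHA-1 hex digest of the DER certificate, compared first) ends validation on match; otherwise trust is established from web.cacerts. Raises error.Abort on any failure."""` would capture this for callers and for operators deciding what to pin. Naming the digest algorithm matters because `util.sha1(peercert)` in the second hunk is what is compared, so a pin computed with a different hash would silently never match and fall into the mismatch Abort. What `strict` controls is outside these hunks, so that part of the docstring has to come from the surrounding code rather than this diff.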