##// END OF EJS Templates
sslutil: use CA loaded state to drive validation logic...
Gregory Szorc -
r29113:5b9577ed default
parent child Browse files
Show More
@@ -155,9 +155,11 b' def wrapsocket(sock, keyfile, certfile, '
155 155
156 156 if ca_certs is not None:
157 157 sslcontext.load_verify_locations(cafile=ca_certs)
158 caloaded = True
158 159 else:
159 160 # This is a no-op on old Python.
160 161 sslcontext.load_default_certs()
162 caloaded = _canloaddefaultcerts
161 163
162 164 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
163 165 # check if wrap_socket failed silently because socket had been
@@ -165,6 +167,9 b' def wrapsocket(sock, keyfile, certfile, '
165 167 # - see http://bugs.python.org/issue13721
166 168 if not sslsocket.cipher():
167 169 raise error.Abort(_('ssl connection failed'))
170
171 sslsocket._hgcaloaded = caloaded
172
168 173 return sslsocket
169 174
170 175 def _verifycert(cert, hostname):
@@ -280,12 +285,6 b' def sslkwargs(ui, host):'
280 285 kws['cert_reqs'] = ssl.CERT_REQUIRED
281 286 return kws
282 287
283 # This is effectively indicating that no CAs can be loaded because
284 # we can't get here if web.cacerts is set or if we can find
285 # CA certs elsewhere. Using a config option (which is later
286 # consulted by validator.__call__ is not very obvious).
287 # FUTURE fix this
288 ui.setconfig('web', 'cacerts', '!', 'defaultcacerts')
289 288 return kws
290 289
291 290 class validator(object):
@@ -342,23 +341,23 b' class validator(object):'
342 341 (host, nicefingerprint))
343 342 return
344 343
345 # No pinned fingerprint. Establish trust by looking at the CAs.
346 cacerts = self.ui.config('web', 'cacerts')
347 if cacerts != '!':
348 msg = _verifycert(peercert2, host)
349 if msg:
350 raise error.Abort(_('%s certificate error: %s') % (host, msg),
351 hint=_('configure hostfingerprint %s or use '
352 '--insecure to connect insecurely') %
353 nicefingerprint)
354 self.ui.debug('%s certificate successfully verified\n' % host)
355 elif strict:
356 raise error.Abort(_('%s certificate with fingerprint %s not '
357 'verified') % (host, nicefingerprint),
358 hint=_('check hostfingerprints or web.cacerts '
359 'config setting'))
360 else:
361 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
362 'verified (check hostfingerprints or web.cacerts '
363 'config setting)\n') %
364 (host, nicefingerprint))
344 if not sock._hgcaloaded:
345 if strict:
346 raise error.Abort(_('%s certificate with fingerprint %s not '
347 'verified') % (host, nicefingerprint),
348 hint=_('check hostfingerprints or '
349 'web.cacerts config setting'))
350 else:
351 self.ui.warn(_('warning: %s certificate with fingerprint %s '
352 'not verified (check hostfingerprints or '
353 'web.cacerts config setting)\n') %
354 (host, nicefingerprint))
355
356 return
357
358 msg = _verifycert(peercert2, host)
359 if msg:
360 raise error.Abort(_('%s certificate error: %s') % (host, msg),
361 hint=_('configure hostfingerprint %s or use '
362 '--insecure to connect insecurely') %
363 nicefingerprint)
General Comments 0
You need to be logged in to leave comments. Login now