@@ -155,9 +155,11 b' def wrapsocket(sock, keyfile, certfile, ' | |||
|
155 | 155 | |
|
156 | 156 | if ca_certs is not None: |
|
157 | 157 | sslcontext.load_verify_locations(cafile=ca_certs) |
|
158 | caloaded = True | |
|
158 | 159 | else: |
|
159 | 160 | # This is a no-op on old Python. |
|
160 | 161 | sslcontext.load_default_certs() |
|
162 | caloaded = _canloaddefaultcerts | |
|
161 | 163 | |
|
162 | 164 | sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname) |
|
163 | 165 | # check if wrap_socket failed silently because socket had been |
@@ -165,6 +167,9 b' def wrapsocket(sock, keyfile, certfile, ' | |||
|
165 | 167 | # - see http://bugs.python.org/issue13721 |
|
166 | 168 | if not sslsocket.cipher(): |
|
167 | 169 | raise error.Abort(_('ssl connection failed')) |
|
170 | ||
|
171 | sslsocket._hgcaloaded = caloaded | |
|
172 | ||
|
168 | 173 | return sslsocket |
|
169 | 174 | |
|
170 | 175 | def _verifycert(cert, hostname): |
@@ -280,12 +285,6 b' def sslkwargs(ui, host):' | |||
|
280 | 285 | kws['cert_reqs'] = ssl.CERT_REQUIRED |
|
281 | 286 | return kws |
|
282 | 287 | |
|
283 | # This is effectively indicating that no CAs can be loaded because | |
|
284 | # we can't get here if web.cacerts is set or if we can find | |
|
285 | # CA certs elsewhere. Using a config option (which is later | |
|
286 | # consulted by validator.__call__ is not very obvious). | |
|
287 | # FUTURE fix this | |
|
288 | ui.setconfig('web', 'cacerts', '!', 'defaultcacerts') | |
|
289 | 288 | return kws |
|
290 | 289 | |
|
291 | 290 | class validator(object): |
@@ -342,23 +341,23 b' class validator(object):' | |||
|
342 | 341 | (host, nicefingerprint)) |
|
343 | 342 | return |
|
344 | 343 | |
|
345 | # No pinned fingerprint. Establish trust by looking at the CAs. | |
|
346 | cacerts = self.ui.config('web', 'cacerts') | |
|
347 | if cacerts != '!': | |
|
348 | msg = _verifycert(peercert2, host) | |
|
349 | if msg: | |
|
350 | raise error.Abort(_('%s certificate error: %s') % (host, msg), | |
|
351 | hint=_('configure hostfingerprint %s or use ' | |
|
352 | '--insecure to connect insecurely') % | |
|
353 |
|
|
|
354 | self.ui.debug('%s certificate successfully verified\n' % host) | |
|
355 | elif strict: | |
|
356 | raise error.Abort(_('%s certificate with fingerprint %s not ' | |
|
357 | 'verified') % (host, nicefingerprint), | |
|
358 | hint=_('check hostfingerprints or web.cacerts ' | |
|
359 | 'config setting')) | |
|
360 |
|
|
|
361 | self.ui.warn(_('warning: %s certificate with fingerprint %s not ' | |
|
362 |
' |
|
|
363 |
' |
|
|
364 |
|
|
|
344 | if not sock._hgcaloaded: | |
|
345 | if strict: | |
|
346 | raise error.Abort(_('%s certificate with fingerprint %s not ' | |
|
347 | 'verified') % (host, nicefingerprint), | |
|
348 | hint=_('check hostfingerprints or ' | |
|
349 | 'web.cacerts config setting')) | |
|
350 | else: | |
|
351 | self.ui.warn(_('warning: %s certificate with fingerprint %s ' | |
|
352 | 'not verified (check hostfingerprints or ' | |
|
353 | 'web.cacerts config setting)\n') % | |
|
354 | (host, nicefingerprint)) | |
|
355 | ||
|
356 | return | |
|
357 | ||
|
358 | msg = _verifycert(peercert2, host) | |
|
359 | if msg: | |
|
360 | raise error.Abort(_('%s certificate error: %s') % (host, msg), | |
|
361 | hint=_('configure hostfingerprint %s or use ' | |
|
362 | '--insecure to connect insecurely') % | |
|
363 | nicefingerprint) |
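Review bot: The new `_hgcaloaded` attribute carries a trust decision from wrapsocket into validator.__call__, but neither end documents what it means; at the assignment in the first hunk I would add `# True if loading CA certificates into the context was attempted (explicit web.cacerts, or load_default_certs on a Python that supports it); validator.__call__ treats False as "no trust store" and skips _verifycert in non-strict mode.` Note that `caloaded = True` is set as soon as `load_verify_locations` returns and the default branch copies `_canloaddefaultcerts`, so the flag appears to record that loading was attempted, not that the resulting store is non-empty — the comment should not claim more than that. In the last hunk, the non-strict `not sock._hgcaloaded` path warns and then `return`s before `_verifycert`, so the peer certificate is never matched against `host`; this mirrors the old `cacerts != '!'` test rather than being new, but a one-line comment on that `return` (`# no CA store: connection proceeds unverified, warning only`) would make the consequence explicit. If any socket can reach validator.__call__ without having been produced by wrapsocket, `sock._hgcaloaded` raises AttributeError; should that path exist, `getattr(sock, '_hgcaloaded', True)` would fail closed into the verification branch instead of the warn-and-return one. validator.__call__ begins outside this hunk.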