##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

sslutil: use CA loaded state to drive validation logic...
Gregory Szorc -
r29113:5b9577ed default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -155,9 +155,11 def wrapsocket(sock, keyfile, certfile,
155
155
156 if ca_certs is not None:
156 if ca_certs is not None:
157 sslcontext.load_verify_locations(cafile=ca_certs)
157 sslcontext.load_verify_locations(cafile=ca_certs)
158 caloaded = True
158 else:
159 else:
159 # This is a no-op on old Python.
160 # This is a no-op on old Python.
160 sslcontext.load_default_certs()
161 sslcontext.load_default_certs()
162 caloaded = _canloaddefaultcerts
161
163
162 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
164 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
163 # check if wrap_socket failed silently because socket had been
165 # check if wrap_socket failed silently because socket had been
@@ -165,6 +167,9 def wrapsocket(sock, keyfile, certfile,
165 # - see http://bugs.python.org/issue13721
167 # - see http://bugs.python.org/issue13721
166 if not sslsocket.cipher():
168 if not sslsocket.cipher():
167 raise error.Abort(_('ssl connection failed'))
169 raise error.Abort(_('ssl connection failed'))
170
171 sslsocket._hgcaloaded = caloaded
172
168 return sslsocket
173 return sslsocket
169
174
170 def _verifycert(cert, hostname):
175 def _verifycert(cert, hostname):
@@ -280,12 +285,6 def sslkwargs(ui, host):
280 kws['cert_reqs'] = ssl.CERT_REQUIRED
285 kws['cert_reqs'] = ssl.CERT_REQUIRED
281 return kws
286 return kws
282
287
283 # This is effectively indicating that no CAs can be loaded because
284 # we can't get here if web.cacerts is set or if we can find
285 # CA certs elsewhere. Using a config option (which is later
286 # consulted by validator.__call__ is not very obvious).
287 # FUTURE fix this
288 ui.setconfig('web', 'cacerts', '!', 'defaultcacerts')
289 return kws
288 return kws
290
289
291 class validator(object):
290 class validator(object):
@@ -342,23 +341,23 class validator(object):
342 (host, nicefingerprint))
341 (host, nicefingerprint))
343 return
342 return
344
343
345 # No pinned fingerprint. Establish trust by looking at the CAs.
344 if not sock._hgcaloaded:
346 cacerts = self.ui.config('web', 'cacerts')
345 if strict:
347 if cacerts != '!':
346 raise error.Abort(_('%s certificate with fingerprint %s not '
347 'verified') % (host, nicefingerprint),
348 hint=_('check hostfingerprints or '
349 'web.cacerts config setting'))
350 else:
351 self.ui.warn(_('warning: %s certificate with fingerprint %s '
352 'not verified (check hostfingerprints or '
353 'web.cacerts config setting)\n') %
354 (host, nicefingerprint))
355
356 return
357
348 msg = _verifycert(peercert2, host)
358 msg = _verifycert(peercert2, host)
349 if msg:
359 if msg:
350 raise error.Abort(_('%s certificate error: %s') % (host, msg),
360 raise error.Abort(_('%s certificate error: %s') % (host, msg),
351 hint=_('configure hostfingerprint %s or use '
361 hint=_('configure hostfingerprint %s or use '
352 '--insecure to connect insecurely') %
362 '--insecure to connect insecurely') %
353 nicefingerprint)
363 nicefingerprint)
354 self.ui.debug('%s certificate successfully verified\n' % host)
355 elif strict:
356 raise error.Abort(_('%s certificate with fingerprint %s not '
357 'verified') % (host, nicefingerprint),
358 hint=_('check hostfingerprints or web.cacerts '
359 'config setting'))
360 else:
361 self.ui.warn(_('warning: %s certificate with fingerprint %s not '
362 'verified (check hostfingerprints or web.cacerts '
363 'config setting)\n') %
364 (host, nicefingerprint))
General Comments 0
You need to be logged in to leave comments. Login now