upstream/mercurial-mirror Commit - r13328:a939f08f

url: add --insecure option to bypass verification of ssl certificates...

Yuya Nishihara -

r13328:a939f08f stable

parent child

doc/hgrc.5.txt

0 +3 0

                 You can use OpenSSL's CA certificate file if your platform has one.
                 On most Linux systems this will be ``/etc/ssl/certs/ca-certificates.crt``.
                 Otherwise you will have to generate this file manually.
+                To disable SSL verification temporarily, specify ``--insecure`` from
+                command line.
             ``contact``
                 Name or email address of the person in charge of the repository.
                 Defaults to ui.username or ``$EMAIL`` or "unknown" if unset or empty.

mercurial/commands.py

0 +2 0

                  _('specify ssh command to use'), _('CMD')),
                 ('', 'remotecmd', '',
                  _('specify hg command to run on the remote side'), _('CMD')),
+                ('', 'insecure', None,
+                 _('do not verify server certificate (ignoring web.cacerts config)')),
             ]
             walkopts = [

mercurial/dispatch.py

0 +3 0

                 if options['noninteractive']:
                     ui.setconfig('ui', 'interactive', 'off')
+                if cmdoptions.get('insecure', False):
+                    ui.setconfig('web', 'cacerts', '')
                 if options['help']:
                     return commands.help_(ui, cmd, options['version'])
                 elif options['version']:

mercurial/url.py

0 +3 -2

                                     ca_certs=cacerts)
                             msg = _verifycert(self.sock.getpeercert(), self.host)
                             if msg:
-                                raise util.Abort(_('%s certificate error: %s') %
+                                raise util.Abort(_('%s certificate error: %s '
-                                                 (self.host, msg))
+                                                   '(use --insecure to connect '
+                                                   'insecurely)') % (self.host, msg))
                             self.ui.debug('%s certificate successfully verified\n' %
                                           self.host)
                         else:

tests/test-debugcomplete.t

0 +7 -7

               $ hg debugcommands
               add: include, exclude, subrepos, dry-run
               annotate: rev, follow, no-follow, text, user, file, date, number, changeset, line-number, include, exclude
-              clone: noupdate, updaterev, rev, branch, pull, uncompressed, ssh, remotecmd
+              clone: noupdate, updaterev, rev, branch, pull, uncompressed, ssh, remotecmd, insecure
               commit: addremove, close-branch, include, exclude, message, logfile, date, user
               diff: rev, change, text, git, nodates, show-function, reverse, ignore-all-space, ignore-space-change, ignore-blank-lines, unified, stat, include, exclude, subrepos
               export: output, switch-parent, rev, text, git, nodates
               forget: include, exclude
-              init: ssh, remotecmd
+              init: ssh, remotecmd, insecure
               log: follow, follow-first, date, copies, keyword, rev, removed, only-merges, user, only-branch, branch, prune, patch, git, limit, no-merges, stat, style, template, include, exclude
               merge: force, tool, rev, preview
-              pull: update, force, rev, branch, ssh, remotecmd
+              pull: update, force, rev, branch, ssh, remotecmd, insecure
-              push: force, rev, branch, new-branch, ssh, remotecmd
+              push: force, rev, branch, new-branch, ssh, remotecmd, insecure
               remove: after, force, include, exclude
               serve: accesslog, daemon, daemon-pipefds, errorlog, port, address, prefix, name, web-conf, webdir-conf, pid-file, stdio, templates, style, ipv6, certificate
               status: all, modified, added, removed, deleted, clean, unknown, ignored, no-status, copies, print0, rev, change, include, exclude, subrepos
               bisect: reset, good, bad, skip, command, noupdate
               branch: force, clean
               branches: active, closed
-              bundle: force, rev, branch, base, all, type, ssh, remotecmd
+              bundle: force, rev, branch, base, all, type, ssh, remotecmd, insecure
               cat: output, rev, decode, include, exclude
               copy: after, force, include, exclude, dry-run
               debugancestor:
               help:
               identify: rev, num, id, branch, tags
               import: strip, base, force, no-commit, exact, import-branch, message, logfile, date, user, similarity
-              incoming: force, newest-first, bundle, rev, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, subrepos
+              incoming: force, newest-first, bundle, rev, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, insecure, subrepos
               locate: rev, print0, fullpath, include, exclude
               manifest: rev
-              outgoing: force, rev, newest-first, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, subrepos
+              outgoing: force, rev, newest-first, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, insecure, subrepos
               parents: rev, style, template
               paths:
               recover:

tests/test-https.t

0 +16 -1

               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
+              $ P=`pwd` hg -R copy-pull pull --insecure
+              warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+              pulling from https://localhost:$HGPORT/
+              searching for changes
+              no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
-              abort: 127.0.0.1 certificate error: certificate is for localhost
+              abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
               [255]
+              $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
+              warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+              pulling from https://127.0.0.1:$HGPORT/
+              searching for changes
+              no changes found
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
+              $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
+              warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+              pulling from https://localhost:$HGPORT/
+              searching for changes
+              no changes found
             Test server cert which isn't valid yet

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages