##// END OF EJS Templates
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)...
Yuya Nishihara -
r24290:b76d8c64 default
parent child Browse files
Show More
@@ -826,7 +826,7 b' def _dispatch(req):'
826
826
827 if cmdoptions.get('insecure', False):
827 if cmdoptions.get('insecure', False):
828 for ui_ in uis:
828 for ui_ in uis:
829 ui_.setconfig('web', 'cacerts', '', '--insecure')
829 ui_.setconfig('web', 'cacerts', '!', '--insecure')
830
830
831 if options['version']:
831 if options['version']:
832 return commands.version_(ui)
832 return commands.version_(ui)
@@ -672,7 +672,9 b' def remoteui(src, opts):'
672 for key, val in src.configitems(sect):
672 for key, val in src.configitems(sect):
673 dst.setconfig(sect, key, val, 'copied')
673 dst.setconfig(sect, key, val, 'copied')
674 v = src.config('web', 'cacerts')
674 v = src.config('web', 'cacerts')
675 if v:
675 if v == '!':
676 dst.setconfig('web', 'cacerts', v, 'copied')
677 elif v:
676 dst.setconfig('web', 'cacerts', util.expandpath(v), 'copied')
678 dst.setconfig('web', 'cacerts', util.expandpath(v), 'copied')
677
679
678 return dst
680 return dst
@@ -134,7 +134,7 b' def _defaultcacerts():'
134 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
134 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
135 if os.path.exists(dummycert):
135 if os.path.exists(dummycert):
136 return dummycert
136 return dummycert
137 return None
137 return '!'
138
138
139 def sslkwargs(ui, host):
139 def sslkwargs(ui, host):
140 kws = {}
140 kws = {}
@@ -142,17 +142,18 b' def sslkwargs(ui, host):'
142 if hostfingerprint:
142 if hostfingerprint:
143 return kws
143 return kws
144 cacerts = ui.config('web', 'cacerts')
144 cacerts = ui.config('web', 'cacerts')
145 if cacerts:
145 if cacerts == '!':
146 pass
147 elif cacerts:
146 cacerts = util.expandpath(cacerts)
148 cacerts = util.expandpath(cacerts)
147 if not os.path.exists(cacerts):
149 if not os.path.exists(cacerts):
148 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
150 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
149 elif cacerts is None:
151 else:
150 dummycert = _defaultcacerts()
152 cacerts = _defaultcacerts()
151 if dummycert:
153 if cacerts and cacerts != '!':
152 ui.debug('using %s to enable OS X system CA\n' % dummycert)
154 ui.debug('using %s to enable OS X system CA\n' % cacerts)
153 ui.setconfig('web', 'cacerts', dummycert, 'dummy')
155 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
154 cacerts = dummycert
156 if cacerts != '!':
155 if cacerts:
156 kws.update({'ca_certs': cacerts,
157 kws.update({'ca_certs': cacerts,
157 'cert_reqs': CERT_REQUIRED,
158 'cert_reqs': CERT_REQUIRED,
158 })
159 })
@@ -201,7 +202,7 b' class validator(object):'
201 hint=_('check hostfingerprint configuration'))
202 hint=_('check hostfingerprint configuration'))
202 self.ui.debug('%s certificate matched fingerprint %s\n' %
203 self.ui.debug('%s certificate matched fingerprint %s\n' %
203 (host, nicefingerprint))
204 (host, nicefingerprint))
204 elif cacerts:
205 elif cacerts != '!':
205 msg = _verifycert(peercert2, host)
206 msg = _verifycert(peercert2, host)
206 if msg:
207 if msg:
207 raise util.Abort(_('%s certificate error: %s') % (host, msg),
208 raise util.Abort(_('%s certificate error: %s') % (host, msg),
@@ -323,7 +323,7 b' def has_ssl():'
323 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
323 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
324 def has_defaultcacerts():
324 def has_defaultcacerts():
325 from mercurial import sslutil
325 from mercurial import sslutil
326 return sslutil._defaultcacerts()
326 return sslutil._defaultcacerts() != '!'
327
327
328 @check("windows", "Windows")
328 @check("windows", "Windows")
329 def has_windows():
329 def has_windows():
@@ -124,7 +124,7 b" Apple's OpenSSL. This trick do not work "
124 abort: error: *certificate verify failed* (glob)
124 abort: error: *certificate verify failed* (glob)
125 [255]
125 [255]
126
126
127 $ DISABLEOSXDUMMYCERT="--config=web.cacerts="
127 $ DISABLEOSXDUMMYCERT="--config=web.cacerts=!"
128 #endif
128 #endif
129
129
130 clone via pull
130 clone via pull
@@ -240,7 +240,7 b' Fingerprints'
240 $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
240 $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
241
241
242 - works without cacerts
242 - works without cacerts
243 $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
243 $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
244 5fed3813f7f5
244 5fed3813f7f5
245
245
246 - fails when cert doesn't match hostname (port is ignored)
246 - fails when cert doesn't match hostname (port is ignored)
General Comments 0
You need to be logged in to leave comments. Login now