sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich -
r15814:c3e958b5 default
@@ -110,18 +110,19 b' class validator(object):'
110 self.ui.warn(_("warning: certificate for %s can't be verified "
110 self.ui.warn(_("warning: certificate for %s can't be verified "
111 "(Python too old)\n") % host)
111 "(Python too old)\n") % host)
112 return
112 return
113 peercert = sock.getpeercert(True)
114 peerfingerprint = util.sha1(peercert).hexdigest()
115 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
116 for x in xrange(0, len(peerfingerprint), 2)])
113 if cacerts and not hostfingerprint:
117 if cacerts and not hostfingerprint:
114 msg = _verifycert(sock.getpeercert(), host)
118 msg = _verifycert(sock.getpeercert(), host)
115 if msg:
119 if msg:
116 raise util.Abort(_('%s certificate error: %s '
120 raise util.Abort(_('%s certificate error: %s') % (host, msg),
117 '(use --insecure to connect '
121 hint=_('configure hostfingerprint %s or use '
118 'insecurely)') % (host, msg))
122 '--insecure to connect insecurely') %
123 nicefingerprint)
119 self.ui.debug('%s certificate successfully verified\n' % host)
124 self.ui.debug('%s certificate successfully verified\n' % host)
120 else:
125 else:
121 peercert = sock.getpeercert(True)
122 peerfingerprint = util.sha1(peercert).hexdigest()
123 nicefingerprint = ":".join([peerfingerprint[x:x + 2]
124 for x in xrange(0, len(peerfingerprint), 2)])
125 if hostfingerprint:
126 if hostfingerprint:
126 if peerfingerprint.lower() != \
127 if peerfingerprint.lower() != \
127 hostfingerprint.replace(':', '').lower():
128 hostfingerprint.replace(':', '').lower():
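Review bot: The new hint on `raise util.Abort` prints the SHA-1 fingerprint of the certificate that just failed CA validation and suggests configuring it, without saying it must be checked first. On an intercepted connection that fingerprint belongs to whoever presented the certificate, so a user who pastes it into hostfingerprints pins the wrong key and silences the error from then on. I would reword the hint along the lines of `hint=_('verify fingerprint %s out of band before configuring hostfingerprint, or use --insecure to connect insecurely') % nicefingerprint`, and update the expected output in the test section to match. Separately, `sock.getpeercert(True)` and `util.sha1(peercert)` now run before the `cacerts` branch as well; if the binary certificate can be None on that path, the hash call would raise before the abort message is reached, which is worth confirming. The enclosing method begins before and continues after this hunk, so that cannot be checked from here.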
@@ -180,7 +180,8 b' variables in the filename'
180 cacert mismatch
180 cacert mismatch
181
181
182 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
182 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
183 abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
183 abort: 127.0.0.1 certificate error: certificate is for localhost
184 (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
184 [255]
185 [255]
185 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
186 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
186 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
187 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)