upstream/mercurial-mirror Commit - r15814:c3e958b5

sslutil: show fingerprint when cacerts validation fails

Mads Kiilerich -

r15814:c3e958b5 default

parent child

mercurial/sslutil.py

0 +9 -8

@@ -110,18 +110,19 b' class validator(object):'
110	self.ui.warn(_("warning: certificate for %s can't be verified "	110	self.ui.warn(_("warning: certificate for %s can't be verified "
111	"(Python too old)\n") % host)	111	"(Python too old)\n") % host)
112	return	112	return
113	if cacerts and not hostfingerprint:
114	msg = _verifycert(sock.getpeercert(), host)
115	if msg:
116	raise util.Abort(_('%s certificate error: %s '
117	'(use --insecure to connect '
118	'insecurely)') % (host, msg))
119	self.ui.debug('%s certificate successfully verified\n' % host)
120	else:
121	peercert = sock.getpeercert(True)	113	peercert = sock.getpeercert(True)
122	peerfingerprint = util.sha1(peercert).hexdigest()	114	peerfingerprint = util.sha1(peercert).hexdigest()
123	nicefingerprint = ":".join([peerfingerprint[x:x + 2]	115	nicefingerprint = ":".join([peerfingerprint[x:x + 2]
124	for x in xrange(0, len(peerfingerprint), 2)])	116	for x in xrange(0, len(peerfingerprint), 2)])
		117	if cacerts and not hostfingerprint:
		118	msg = _verifycert(sock.getpeercert(), host)
		119	if msg:
		120	raise util.Abort(_('%s certificate error: %s') % (host, msg),
		121	hint=_('configure hostfingerprint %s or use '
		122	'--insecure to connect insecurely') %
		123	nicefingerprint)
		124	self.ui.debug('%s certificate successfully verified\n' % host)
		125	else:
125	if hostfingerprint:	126	if hostfingerprint:
126	if peerfingerprint.lower() != \	127	if peerfingerprint.lower() != \
127	hostfingerprint.replace(':', '').lower():	128	hostfingerprint.replace(':', '').lower():

tests/test-https.t

0 +2 -1

             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
-              abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
+              abort: 127.0.0.1 certificate error: certificate is for localhost
+              (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
               warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages