upstream/mercurial-mirror Commit - r29259:ec247e85

sslutil: move SSLContext.verify_mode value into _hostsettings...

Gregory Szorc -

r29259:ec247e85 default

parent child

mercurial/sslutil.py

0 +19 -12

                  s = {
                      # List of 2-tuple of (hash algorithm, hash).
                      'certfingerprints': [],
+                     # ssl.CERT_* constant used by SSLContext.verify_mode.
+                     'verifymode': None,
                  }
                  # Fingerprints from [hostfingerprints] are always SHA-1.
                      fingerprint = fingerprint.replace(':', '').lower()
                      s['certfingerprints'].append(('sha1', fingerprint))
+                 # If a host cert fingerprint is defined, it is the only thing that
+                 # matters. No need to validate CA certs.
+                 if s['certfingerprints']:
+                     s['verifymode'] = ssl.CERT_NONE
+                 # If --insecure is used, don't take CAs into consideration.
+                 elif ui.insecureconnections:
+                     s['verifymode'] = ssl.CERT_NONE
+                 # TODO assert verifymode is not None once we integrate cacert
+                 # checking in this function.
                  return s
-             def _determinecertoptions(ui, host):
+             def _determinecertoptions(ui, settings):
                  """Determine certificate options for a connections.
                  Returns a tuple of (cert_reqs, ca_certs).
                  """
-                 # If a host key fingerprint is on file, it is the only thing that matters
-                 # and CA certs don't come into play.
-                 hostfingerprint = ui.config('hostfingerprints', host)
-                 if hostfingerprint:
-                     return ssl.CERT_NONE, None
-                 # The code below sets up CA verification arguments. If --insecure is
-                 # used, we don't take CAs into consideration, so return early.
-                 if ui.insecureconnections:
+                 if settings['verifymode'] == ssl.CERT_NONE:
                      return ssl.CERT_NONE, None
                  cacerts = ui.config('web', 'cacerts')
                  if not serverhostname:
                      raise error.Abort('serverhostname argument is required')
-                 cert_reqs, ca_certs = _determinecertoptions(ui, serverhostname)
+                 settings = _hostsettings(ui, serverhostname)
+                 cert_reqs, ca_certs = _determinecertoptions(ui, settings)
                  # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
                  # that both ends support, including TLS protocols. On legacy stacks,
                  sslsocket._hgstate = {
                      'caloaded': caloaded,
                      'hostname': serverhostname,
-                     'settings': _hostsettings(ui, serverhostname),
+                     'settings': settings,
                      'ui': ui,
                  }

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages