sslutil: move SSLContext.verify_mode value into _hostsettings...
Gregory Szorc -
r29259:ec247e85 default
@@ -114,6 +114,8 b' def _hostsettings(ui, hostname):'
114 114 s = {
115 115 # List of 2-tuple of (hash algorithm, hash).
116 116 'certfingerprints': [],
117 # ssl.CERT_* constant used by SSLContext.verify_mode.
118 'verifymode': None,
117 119 }
118 120
119 121 # Fingerprints from [hostfingerprints] are always SHA-1.
@@ -121,22 +123,26 b' def _hostsettings(ui, hostname):'
121 123 fingerprint = fingerprint.replace(':', '').lower()
122 124 s['certfingerprints'].append(('sha1', fingerprint))
123 125
126 # If a host cert fingerprint is defined, it is the only thing that
127 # matters. No need to validate CA certs.
128 if s['certfingerprints']:
129 s['verifymode'] = ssl.CERT_NONE
130
131 # If --insecure is used, don't take CAs into consideration.
132 elif ui.insecureconnections:
133 s['verifymode'] = ssl.CERT_NONE
134
135 # TODO assert verifymode is not None once we integrate cacert
136 # checking in this function.
137
124 138 return s
125 139
126 def _determinecertoptions(ui, host):
140 def _determinecertoptions(ui, settings):
127 141 """Determine certificate options for a connections.
128 142
129 143 Returns a tuple of (cert_reqs, ca_certs).
130 144 """
131 # If a host key fingerprint is on file, it is the only thing that matters
132 # and CA certs don't come into play.
133 hostfingerprint = ui.config('hostfingerprints', host)
134 if hostfingerprint:
135 return ssl.CERT_NONE, None
136
137 # The code below sets up CA verification arguments. If --insecure is
138 # used, we don't take CAs into consideration, so return early.
139 if ui.insecureconnections:
145 if settings['verifymode'] == ssl.CERT_NONE:
140 146 return ssl.CERT_NONE, None
141 147
142 148 cacerts = ui.config('web', 'cacerts')
@@ -181,7 +187,8 b' def wrapsocket(sock, keyfile, certfile, '
181 187 if not serverhostname:
182 188 raise error.Abort('serverhostname argument is required')
183 189
184 cert_reqs, ca_certs = _determinecertoptions(ui, serverhostname)
190 settings = _hostsettings(ui, serverhostname)
191 cert_reqs, ca_certs = _determinecertoptions(ui, settings)
185 192
186 193 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
187 194 # that both ends support, including TLS protocols. On legacy stacks,
@@ -234,7 +241,7 b' def wrapsocket(sock, keyfile, certfile, '
234 241 sslsocket._hgstate = {
235 242 'caloaded': caloaded,
236 243 'hostname': serverhostname,
237 'settings': _hostsettings(ui, serverhostname),
244 'settings': settings,
238 245 'ui': ui,
239 246 }
240 247
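Review bot: The signature of `_determinecertoptions` changes to take the `settings` dict from `_hostsettings`, but the docstring below it is untouched and says nothing about the new parameter or about what happens when `settings['verifymode']` is still None — the case the TODO in `_hostsettings` leaves open — which the `== ssl.CERT_NONE` test silently routes to the CA-certificate path. I would extend the docstring with a line such as `settings is the dict returned by _hostsettings(); a 'verifymode' of ssl.CERT_NONE skips CA loading, any other value (including None) falls through to the cacerts logic.` and, once the TODO is resolved, turn the None case into an explicit error rather than relying on the comparison. Note also that a pinned fingerprint and `--insecure` now both collapse to the same `verifymode` value, so code that later inspects `_hgstate['settings']` can presumably only tell them apart via `certfingerprints`; a comment to that effect in `_hostsettings` would help. The body of `_determinecertoptions` continues beyond the hunk.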