[PATCH stable rfc] https: warn when server certificate isn't verified

Mads Kiilerich mads at kiilerich.com
Thu Dec 9 18:35:23 CST 2010


# HG changeset patch
# User Mads Kiilerich <mads at kiilerich.com>
# Date 1291941206 -3600
# Branch stable
# Node ID 166179471a12e3ba16209e996a8b7234dfca9966
# Parent  572db64f26c624e1bf8c6b7517808a418a0ab747
https: warn when server certificate isn't verified

Mercurial will verify HTTPS server certificates if web.cacerts is configured,
but it will by default silently not verify any certificates. We now inform the
user that she won't get the security she might expect from https without
verification:
  warning: f.o.o certificate not verified - configure web.cacerts

Self-signed certificates can be accepted silently by configuring web.cacerts to
point to a suitable certificate.

[Please comment if this isn't the warning you would like to see.]

diff --git a/mercurial/url.py b/mercurial/url.py
--- a/mercurial/url.py
+++ b/mercurial/url.py
@@ -527,6 +527,8 @@
                 self.ui.debug('%s certificate successfully verified\n' %
                               self.host)
             else:
+                self.ui.warn(_("warning: %s certificate not verified "
+                               "- configure web.cacerts\n") % self.host)
                 httplib.HTTPSConnection.connect(self)
 
     class httpsconnection(BetterHTTPS):
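Review bot: The new self.ui.warn call in the else branch runs on every connect(), so a command that opens more than one HTTPS connection to the same server will print the same warning each time. Consider recording which hosts have already been warned about and warning once per host. The message also names only self.host, so two servers on different ports of the same host cannot be told apart; including the port would make it clearer which connection was unverified.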
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -106,6 +106,7 @@
 clone via pull
 
   $ hg clone https://localhost:$HGPORT/ copy-pull
+  warning: localhost certificate not verified - configure web.cacerts
   requesting all changes
   adding changesets
   adding manifests
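Review bot: The added expected line under "clone via pull" covers only the unverified path. Nothing in this patch asserts that the warning is absent once web.cacerts is configured, so a regression that warns unconditionally would still pass. A companion case with web.cacerts set and no warning line in the expected output would close that gap.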
@@ -131,6 +132,7 @@
   $ echo '[hooks]' >> .hg/hgrc
   $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
   $ hg pull
+  warning: localhost certificate not verified - configure web.cacerts
   changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ 
   pulling from https://localhost:$HGPORT/
   searching for changes
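Review bot: In the hg pull expected output the warning is placed ahead of the changegroup hook line and of "pulling from https://localhost:$HGPORT/", so the user reads it before the URL it refers to. If that position depends on how warning and status output are interleaved, the expected ordering may be fragile; it is worth confirming the order is deterministic, or emitting the warning after the "pulling from" line so it sits next to the URL.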

