[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)
Thomas Arendsen Hein
thomas at intevation.de
Mon Nov 1 05:12:40 CDT 2010
* Mads Kiilerich <mads at kiilerich.com> [20101101 02:16]:
> # HG changeset patch
> # User Mads Kiilerich <mads at kiilerich.com>
> # Date 1288573886 -3600
> # Branch stable
> # Node ID 391543217c1a222deb236d1fcc426e264921cd82
> # Parent 191f4f62a3ae7d9f27b3b16267c4f1400fd2451f
> url: check server certificates when connecting through proxy (issue2407)
Does not help for me:
> diff --git a/mercurial/url.py b/mercurial/url.py
> --- a/mercurial/url.py
> +++ b/mercurial/url.py
> @@ -540,8 +540,25 @@
> self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
> self.sock.connect((self.host, self.port))
> if _generic_proxytunnel(self):
> - self.sock = _ssl_wrap_socket(self.sock, self.key_file,
> - self.cert_file)
> + if hasattr(self, 'ui'):
> + cacerts = self.ui.config('web', 'cacerts')
> + else:
> + cacerts = None
> +
> + if cacerts:
> + self.sock = _ssl_wrap_socket(self.sock, self.key_file,
> + self.cert_file, cert_reqs=CERT_REQUIRED,
> + ca_certs=cacerts)
> + realhost = self.realhostport.rsplit(':', 1)[0]
> + msg = _verifycert(self.sock.getpeercert(), realhost)
> + if msg:
> + raise util.Abort(_('%s certificate error: %s') %
> + (realhost, msg))
> + self.ui.debug('%s certificate successfully verified\n' %
> + realhost)
> + else:
> + self.sock = _ssl_wrap_socket(self.sock, self.key_file,
> + self.cert_file)
> else:
> BetterHTTPS.connect(self)
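Review bot: The two `else` fallbacks in this hunk (no `ui` attribute on the connection, or `web.cacerts` unset) still wrap the tunnelled socket without `cert_reqs`, so the proxy path silently stays unverified in those cases. In particular, `hasattr(self, 'ui')` returning False turns verification off with no indication to the user; consider emitting a warning in the unverified branch, or making `ui` a required attribute so that a missing one is an error rather than a downgrade. Also note that `self.realhostport.rsplit(':', 1)[0]` would keep the square brackets if `realhostport` can ever hold a bracketed IPv6 literal, which is worth checking against what `_verifycert` expects as the host name.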
This code path is not executed for me, but httpconnection.connect()
(url.py, line 140) is, which has no handling of cacerts.
Regards,
Thomas
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner