[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)

Thomas Arendsen Hein thomas at intevation.de
Mon Nov 1 05:12:40 CDT 2010


* Mads Kiilerich <mads at kiilerich.com> [20101101 02:16]:
> # HG changeset patch
> # User Mads Kiilerich <mads at kiilerich.com>
> # Date 1288573886 -3600
> # Branch stable
> # Node ID 391543217c1a222deb236d1fcc426e264921cd82
> # Parent  191f4f62a3ae7d9f27b3b16267c4f1400fd2451f
> url: check server certificates when connecting through proxy (issue2407)

Does not help for me:

> diff --git a/mercurial/url.py b/mercurial/url.py
> --- a/mercurial/url.py
> +++ b/mercurial/url.py
> @@ -540,8 +540,25 @@
>                  self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>                  self.sock.connect((self.host, self.port))
>                  if _generic_proxytunnel(self):
> -                    self.sock = _ssl_wrap_socket(self.sock, self.key_file,
> -                            self.cert_file)
> +                    if hasattr(self, 'ui'):
> +                        cacerts = self.ui.config('web', 'cacerts')
> +                    else:
> +                        cacerts = None
> +
> +                    if cacerts:
> +                        self.sock = _ssl_wrap_socket(self.sock, self.key_file,
> +                                self.cert_file, cert_reqs=CERT_REQUIRED,
> +                                ca_certs=cacerts)
> +                        realhost = self.realhostport.rsplit(':', 1)[0]
> +                        msg = _verifycert(self.sock.getpeercert(), realhost)
> +                        if msg:
> +                            raise util.Abort(_('%s certificate error: %s') %
> +                                             (realhost, msg))
> +                        self.ui.debug('%s certificate successfully verified\n' %
> +                                      realhost)
> +                    else:
> +                        self.sock = _ssl_wrap_socket(self.sock, self.key_file,
> +                                self.cert_file)
>              else:
>                  BetterHTTPS.connect(self)
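Review bot: the `else` branch still wraps the tunnelled socket with `_ssl_wrap_socket(self.sock, self.key_file, self.cert_file)` and no `cert_reqs`, so when `web.cacerts` is unset the proxied connection is established with no certificate check and no notice to the user; at least emit a `self.ui` warning there (behind the same `hasattr(self, 'ui')` guard) so the silent fallback is visible. Two smaller points in the same hunk: `realhost = self.realhostport.rsplit(':', 1)[0]` assumes `realhostport` always carries a port and is never a bracketed IPv6 literal, so a small helper that strips both would be safer than the bare rsplit; and the two near-identical `_ssl_wrap_socket(self.sock, self.key_file, self.cert_file, ...)` calls could be collapsed into one by building the `cert_reqs`/`ca_certs` keyword arguments only when `cacerts` is set.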

This code path is not executed for me; httpconnection.connect()
(url.py, line 140) is, and it has no handling of cacerts.

Regards,
Thomas

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
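The check the patch tries to add, as an added example that is not Mercurial's url.py and not code from either poster: start TLS on a socket that an HTTP CONNECT has already tunnelled, require a CA-validated certificate, and match its names against the tunnel target rather than the proxy. It uses the Python 3 ssl module; `split_hostport`, `verify_cert_hostname` and `wrap_tunnelled_socket` are hypothetical names standing in for the patch's `realhostport.rsplit`, `_verifycert` and `_ssl_wrap_socket`, and the certificate dicts in the usage are constructed, not captured from any server. It goes slightly beyond the patch in handling bracketed IPv6 literals and IP-address SANs.

```python
# Added example (not Mercurial's url.py): verify the server certificate of a
# TLS session started over an HTTP CONNECT tunnel against the tunnel target,
# never the proxy. Python 3 ssl module; all function names are hypothetical.
import ipaddress
import ssl


def split_hostport(hostport, default_port=443):
    """Split 'host:port' into (host, port); handles '[v6]:port' and bare hosts."""
    if hostport.startswith('['):                      # bracketed IPv6 literal
        host, _, rest = hostport[1:].partition(']')
        port = int(rest[1:]) if rest.startswith(':') else default_port
        return host, port
    if hostport.count(':') > 1:                       # bare IPv6 literal, no port
        return hostport, default_port
    host, sep, port = hostport.rpartition(':')
    if not sep or not port.isdigit():                 # no port given at all
        return hostport, default_port
    return host, int(port)


def _dnsname_match(pattern, hostname):
    """RFC 6125 style: case-insensitive; a single '*' only as the whole
    leftmost label, matching exactly one label, never a public suffix."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if not pattern:
        return False
    if '*' not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split('.'), hostname.split('.')
    if plabels[0] != '*' or len(plabels) < 3 or '*' in pattern[2:]:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def verify_cert_hostname(cert, hostname):
    """Check a getpeercert() dict against hostname. Returns None on a match,
    else an error string (the contract the patch expects from _verifycert).
    subjectAltName wins; commonName is only a fallback when the certificate
    carries no SAN entry of the relevant type."""
    if not cert:
        return 'no certificate received'
    try:
        ip = ipaddress.ip_address(hostname)           # hostname is an IP literal?
    except ValueError:
        ip = None
    names = []
    for kind, value in cert.get('subjectAltName', ()):
        if kind == 'DNS' and ip is None:
            if _dnsname_match(value, hostname):
                return None
            names.append(value)
        elif kind == 'IP Address' and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return None
            except ValueError:
                pass
            names.append(value)
    if not names:                                     # no usable SAN: try the CN
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if ip is None and _dnsname_match(value, hostname):
                        return None
                    names.append(value)
    if not names:
        return 'no commonName or subjectAltName found in certificate'
    return "hostname %r doesn't match %s" % (hostname, ', '.join(names))


def wrap_tunnelled_socket(sock, realhostport, cafile):
    """Start TLS on a socket that CONNECT has already tunnelled to realhostport.
    SNI and the hostname check use the tunnel target, not the proxy; a check
    against the proxy name (or none at all) lets anyone upstream interpose."""
    host, _port = split_hostport(realhostport)
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    ssock = ctx.wrap_socket(sock, server_hostname=host)
    msg = verify_cert_hostname(ssock.getpeercert(), host)   # explicit second check
    if msg:
        ssock.close()
        raise ssl.CertificateError('%s certificate error: %s' % (host, msg))
    return ssock


if __name__ == '__main__':
    # Constructed certificate dict in getpeercert() shape, not a real server's.
    cert = {'subject': ((('commonName', 'cn.example.org'),),),
            'subjectAltName': (('DNS', 'hg.example.org'), ('DNS', '*.example.net'))}
    print(verify_cert_hostname(cert, split_hostport('hg.example.org:443')[0]))
    print(verify_cert_hostname(cert, 'proxy.example.com'))
```

`wrap_tunnelled_socket` needs a live tunnel and a CA file, so only the pure helpers are exercised above; the point it makes is that `server_hostname` and the name check must both be derived from `realhostport`, which is what the quoted hunk does with `realhost` and what an unverified `_ssl_wrap_socket` fallback omits.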

