[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)
Mads Kiilerich
mads at kiilerich.com
Mon Nov 1 06:01:01 CDT 2010
On 11/01/2010 11:12 AM, Thomas Arendsen Hein wrote:
> * Mads Kiilerich<mads at kiilerich.com> [20101101 02:16]:
>> # HG changeset patch
>> # User Mads Kiilerich<mads at kiilerich.com>
>> # Date 1288573886 -3600
>> # Branch stable
>> # Node ID 391543217c1a222deb236d1fcc426e264921cd82
>> # Parent 191f4f62a3ae7d9f27b3b16267c4f1400fd2451f
>> url: check server certificates when connecting through proxy (issue2407)
>
> Does not help for me:
>
>> diff --git a/mercurial/url.py b/mercurial/url.py
>> --- a/mercurial/url.py
>> +++ b/mercurial/url.py
>> @@ -540,8 +540,25 @@
>> self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>> self.sock.connect((self.host, self.port))
>> if _generic_proxytunnel(self):
>> - self.sock = _ssl_wrap_socket(self.sock, self.key_file,
>> - self.cert_file)
>> + if hasattr(self, 'ui'):
>> + cacerts = self.ui.config('web', 'cacerts')
>> + else:
>> + cacerts = None
>> +
>> + if cacerts:
>> + self.sock = _ssl_wrap_socket(self.sock, self.key_file,
>> + self.cert_file, cert_reqs=CERT_REQUIRED,
>> + ca_certs=cacerts)
>> + realhost = self.realhostport.rsplit(':', 1)[0]
>> + msg = _verifycert(self.sock.getpeercert(), realhost)
>> + if msg:
>> + raise util.Abort(_('%s certificate error: %s') %
>> + (realhost, msg))
>> + self.ui.debug('%s certificate successfully verified\n' %
>> + realhost)
>> + else:
>> + self.sock = _ssl_wrap_socket(self.sock, self.key_file,
>> + self.cert_file)
>> else:
>> BetterHTTPS.connect(self)
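Review bot: in the `else:` branch (the `+ else:` / `+ self.sock = _ssl_wrap_socket(self.sock, self.key_file,` / `+ self.cert_file)` lines) a missing or empty `web.cacerts` silently falls back to an unverified TLS socket, with no message to the user that the peer certificate was not checked; a `ui.warn` there (guarded by the same `hasattr(self, 'ui')` test) would make the degraded mode visible instead of indistinguishable from the verified one. The two `_ssl_wrap_socket` calls also differ only in the `cert_reqs`/`ca_certs` keyword arguments, so building the keyword dict once and making a single call would remove the duplication and keep the two branches from drifting apart.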
>
> This code path is not executed for me, but httpconnection.connect()
> (url.py, line 140), which has no handling of cacerts.
Line 338?
Can you give a test case? Are you connecting to a https server through
proxy but using "http://"?
FWIW I don't understand why httpconnection.connect unconditionally wraps
in SSL if SSL is available and we are using proxy and we can CONNECT.
Shouldn't that only be done for https connections - which won't end up
in that code anyway? And what's the story behind the comment that we
don't support client x509 certificates?
/Mads