[PATCH 1 of 1 RFC] url: debug print ssl certificate info if verify failed
Gilles Moris
gilles.moris at free.fr
Sun Jan 9 11:09:50 CST 2011
On Sunday 09 January 2011 04:12:00 pm Yuya Nishihara wrote:
> +def _debugservercert(ui, addr):
> + if not ui.debugflag:
> + return
> + try:
> + import ssl
> + except ImportError:
> + return
> + try:
> + pem = ssl.get_server_certificate(addr)
> + except SSLError:
> + return
> + cert = _decodecert(pem)
> + if cert:
> + ui.debug(_formatcert(cert))
I would prefer a function getservercert(addr) instead, that just
return _decodecert(pem)
That would be more reusable like below.
This implements a list of trusted SSL self-signed hosts that would
not be validated, as described in the other thread.
--- a/mercurial/url.py Sun Jan 09 23:26:24 2011 +0900
+++ b/mercurial/url.py Sun Jan 09 18:01:16 2011 +0100
@@ -591,13 +591,37 @@
if cert:
ui.debug(_formatcert(cert))
+def _getservercert(addr):
+ try:
+ import ssl
+ except ImportError:
+ return {}
+ try:
+ pem = ssl.get_server_certificate(addr)
+ except SSLError:
+ return {}
+ return _decodecert(pem)
+
+def _selfsignedcert(cert):
+ subject = cert.get('subject', [])
+ issuer = cert.get('issuer', [])
+ return issuer and subject == issuer
+
if has_https:
class BetterHTTPS(httplib.HTTPSConnection):
send = keepalive.safesend
def connect(self):
+ trusted = False
if hasattr(self, 'ui'):
- cacerts = self.ui.config('web', 'cacerts')
+ cert = _getservercert((self.host, self.port))
+ addr = "%s:%d" % (self.host, self.port)
+ if _selfsignedcert(cert) and \
+ addr in self.ui.configlist('web', 'trustedsslhosts', []):
+ trusted = True
+ cacerts = None
+ else:
+ cacerts = self.ui.config('web', 'cacerts')
if cacerts:
cacerts = util.expandpath(cacerts)
else:
@@ -619,8 +643,9 @@
self.ui.debug('%s certificate successfully verified\n' %
self.host)
else:
- self.ui.warn(_("warning: %s certificate not verified "
- "(check web.cacerts config setting)\n") %
+ if not trusted:
+ self.ui.warn(_("warning: %s certificate not verified "
+ "(check web.cacerts config setting)\n") %
self.host)
httplib.HTTPSConnection.connect(self)
More information about the Mercurial-devel
mailing list