[PATCH 1 of 1 stable RFC] url: add --insecure option to bypass verification of ssl certificates

Mads Kiilerich mads at kiilerich.com
Fri Jan 28 10:35:00 CST 2011


Yuya Nishihara wrote, On 01/28/2011 04:27 PM:
> # HG changeset patch
> # User Yuya Nishihara<yuya at tcha.org>
> # Date 1296228357 -32400
> # Node ID 8b5ed606e7628e895d7125a4a7d92f2ba82f5e1c
> # Parent  0d1dca7d2a041cb1cb6c6bd90608aa87068bde02
> url: add --insecure option to bypass verification of ssl certificates
>
> If --insecure specified, it behaves in the same way as no web.cacerts
> configured.
>
> Also shows hint for --insecure option when verification failed.

I think the biggest question is if this is what Matt and others want, 
and if it should be included in 1.7.4.

> TODO: hint for --insecure on SSLError raised

Yes, that is hard and perhaps not feasible. But it should be a separate 
patch anyway.

> TODO: doc/hgrc.5.txt

> +    To disable SSL verification temporarily, specify ``--insecure`` from
> +    command line.

Yes, I think that would be a nice hint.

> diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
> --- a/mercurial/dispatch.py
> +++ b/mercurial/dispatch.py
> @@ -552,6 +552,9 @@ def _dispatch(ui, args):
>       if options['noninteractive']:
>           ui.setconfig('ui', 'interactive', 'off')
>
> +    if cmdoptions.get('insecure', False):
> +        ui.setconfig('web', 'cacerts', '')
> +
>       if options['help']:
>           return commands.help_(ui, cmd, options['version'])
>       elif options['version']:

Yes, I think this is better. Options that are shared between several 
commands are semi-global anyway.

> --- a/tests/test-https.t
> +++ b/tests/test-https.t
> @@ -167,12 +167,34 @@ variables in the filename
>   cacert mismatch
>
>     $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
> -  abort: 127.0.0.1 certificate error: certificate is for localhost
> +  abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
>     [255]
>     $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
>     abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
>     [255]
>
> +cacert match but pull insecurely
> +
> +  $ P=`pwd` hg -R copy-pull pull --insecure
> +  warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
> +  pulling from https://localhost:$HGPORT/
> +  searching for changes
> +  no changes found
> +
> +cacert mismatch but pull insecurely
> +
> +  $ hg -R copy-pull pull --config web.cacerts=pub.pem --insecure \
> +>  https://127.0.0.1:$HGPORT/
> +  warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
> +  pulling from https://127.0.0.1:$HGPORT/
> +  searching for changes
> +  no changes found
> +  $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
> +  warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
> +  pulling from https://localhost:$HGPORT/
> +  searching for changes
> +  no changes found
> +
>   Test server cert which isn't valid yet
>
>     $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

Ok, that is fine too. My thought was that something like this could be 
easier to spot and maintain:

--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -163,15 +163,30 @@
    pulling from https://localhost:$HGPORT/
    searching for changes
    no changes found
+  $ P=`pwd` hg -R copy-pull pull --insecure
+  warning: localhost certificate with fingerprint 
91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified 
(check hostfingerprints or web.cacerts config setting)
+  pulling from https://localhost:$HGPORT/
+  searching for changes
+  no changes found

  cacert mismatch

    $ hg -R copy-pull pull --config web.cacerts=pub.pem 
https://127.0.0.1:$HGPORT/
-  abort: 127.0.0.1 certificate error: certificate is for localhost
+  abort: 127.0.0.1 certificate error: certificate is for localhost (use 
--insecure to connect insecurely)
    [255]
+  $ hg -R copy-pull pull --config web.cacerts=pub.pem 
https://127.0.0.1:$HGPORT/ --insecure
+  warning: 127.0.0.1 certificate with fingerprint 
91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified 
(check hostfingerprints or web.cacerts config setting)
+  pulling from https://127.0.0.1:$HGPORT/
+  searching for changes
+  no changes found
    $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
    abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed (glob)
    [255]
+  $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
+  warning: localhost certificate with fingerprint 
91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified 
(check hostfingerprints or web.cacerts config setting)
+  pulling from https://localhost:$HGPORT/
+  searching for changes
+  no changes found


/Mads


More information about the Mercurial-devel mailing list