[PATCH 1 of 1 stable RFC] url: add --insecure option to bypass verification of ssl certificates
Mads Kiilerich
mads at kiilerich.com
Fri Jan 28 10:35:00 CST 2011
Yuya Nishihara wrote, On 01/28/2011 04:27 PM:
> # HG changeset patch
> # User Yuya Nishihara<yuya at tcha.org>
> # Date 1296228357 -32400
> # Node ID 8b5ed606e7628e895d7125a4a7d92f2ba82f5e1c
> # Parent 0d1dca7d2a041cb1cb6c6bd90608aa87068bde02
> url: add --insecure option to bypass verification of ssl certificates
>
> If --insecure specified, it behaves in the same way as no web.cacerts
> configured.
>
> Also shows hint for --insecure option when verification failed.
I think the biggest question is if this is what Matt and others want,
and if it should be included in 1.7.4.
> TODO: hint for --insecure on SSLError raised
Yes, that is hard and perhaps not feasible. But it should be a separate
patch anyway.
> TODO: doc/hgrc.5.txt
> + To disable SSL verification temporarily, specify ``--insecure`` from
> + command line.
Yes, I think that would be a nice hint.
> diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
> --- a/mercurial/dispatch.py
> +++ b/mercurial/dispatch.py
> @@ -552,6 +552,9 @@ def _dispatch(ui, args):
> if options['noninteractive']:
> ui.setconfig('ui', 'interactive', 'off')
>
> + if cmdoptions.get('insecure', False):
> + ui.setconfig('web', 'cacerts', '')
> +
> if options['help']:
> return commands.help_(ui, cmd, options['version'])
> elif options['version']:
Yes, I think this is better. Options that are shared between several
commands are semi-global anyway.
> --- a/tests/test-https.t
> +++ b/tests/test-https.t
> @@ -167,12 +167,34 @@ variables in the filename
> cacert mismatch
>
> $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
> - abort: 127.0.0.1 certificate error: certificate is for localhost
> + abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
> [255]
> $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
> abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
> [255]
>
> +cacert match but pull insecurely
> +
> + $ P=`pwd` hg -R copy-pull pull --insecure
> + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
> + pulling from https://localhost:$HGPORT/
> + searching for changes
> + no changes found
> +
> +cacert mismatch but pull insecurely
> +
> + $ hg -R copy-pull pull --config web.cacerts=pub.pem --insecure \
> +> https://127.0.0.1:$HGPORT/
> + warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
> + pulling from https://127.0.0.1:$HGPORT/
> + searching for changes
> + no changes found
> + $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
> + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
> + pulling from https://localhost:$HGPORT/
> + searching for changes
> + no changes found
> +
> Test server cert which isn't valid yet
>
> $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Ok, that is fine too. My thought was that something like this could be
easier to spot and maintain:
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -163,15 +163,30 @@
pulling from https://localhost:$HGPORT/
searching for changes
no changes found
+ $ P=`pwd` hg -R copy-pull pull --insecure
+ warning: localhost certificate with fingerprint
91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified
(check hostfingerprints or web.cacerts config setting)
+ pulling from https://localhost:$HGPORT/
+ searching for changes
+ no changes found
cacert mismatch
$ hg -R copy-pull pull --config web.cacerts=pub.pem
https://127.0.0.1:$HGPORT/
- abort: 127.0.0.1 certificate error: certificate is for localhost
+ abort: 127.0.0.1 certificate error: certificate is for localhost (use
--insecure to connect insecurely)
[255]
+ $ hg -R copy-pull pull --config web.cacerts=pub.pem
https://127.0.0.1:$HGPORT/ --insecure
+ warning: 127.0.0.1 certificate with fingerprint
91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified
(check hostfingerprints or web.cacerts config setting)
+ pulling from https://127.0.0.1:$HGPORT/
+ searching for changes
+ no changes found
$ hg -R copy-pull pull --config web.cacerts=pub-other.pem
abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed (glob)
[255]
+ $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
+ warning: localhost certificate with fingerprint
91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified
(check hostfingerprints or web.cacerts config setting)
+ pulling from https://localhost:$HGPORT/
+ searching for changes
+ no changes found
/Mads
More information about the Mercurial-devel
mailing list