[PATCH] sslutil: Only emit debug log messages accessing https repo on python2.4+2.5

Stephen Thorne stephen at thorne.id.au
Mon Jun 13 23:44:40 CDT 2011


# HG changeset patch
# User Stephen Thorne <stephen at thorne.id.au>
# Date 1308026666 -36000
# Node ID f694972f3f36b2a669275de1cea209246d50e5f3
# Parent  42fb64b70044f3f03df0b87c76931f0e25264f95
sslutil: Only emit debug log messages accessing https repo on python2.4+2.5

When accessing an https repository, a warning would be emitted telling the user
there was no hostfingerprint set in the configuration. If a hostfingerprint
was added to the http configuration then an Abort would happen every time
because socket.getpeercert() is not available and thus the fingerprint can't be
verified.

The warning has been downgraded to an info on python2.4+2.5 and no longer
allows you to cause mercurial to simply Abort when you attempt to configure it
to verify the certificate.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -92,7 +92,10 @@ class validator(object):
         host = self.host
         cacerts = self.ui.config('web', 'cacerts')
         hostfingerprint = self.ui.config('hostfingerprints', host)
-        if cacerts and not hostfingerprint:
+        if not getattr(sock, 'getpeercert', False):
+            self.ui.debug(_('%s certificate cannot be verified due to lack of '
+                            'sock.getpeercert()\n') % (host,))
+        elif cacerts and not hostfingerprint:
             msg = _verifycert(sock.getpeercert(), host)
             if msg:
                 raise util.Abort(_('%s certificate error: %s '
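Review bot: The new first branch fails open. When `sock` has no `getpeercert`, the method only emits a `ui.debug` line and carries on, even if the user configured `hostfingerprints` or `web.cacerts`, so a host the user asked to have verified is accepted unverified with nothing shown at default verbosity. The removed code aborted in the fingerprint case (`no certificate for %s with configured hostfingerprint`) and warned otherwise. I would keep the abort whenever verification was requested and keep at least a `ui.warn` when nothing is configured. How `web.cacerts` behaved on these interpreters before this change is not visible in the hunk, so treating it like the fingerprint case is an assumption; the method body also starts above the hunk.

```python
        if not getattr(sock, 'getpeercert', False):
            if hostfingerprint or cacerts:
                # verification was requested but cannot be performed: refuse
                raise util.Abort(_('%s certificate cannot be verified due to '
                                   'lack of sock.getpeercert()') % host)
            self.ui.warn(_('warning: %s certificate not verified due to lack '
                           'of sock.getpeercert()\n') % host)
        elif cacerts and not hostfingerprint:
            # … unchanged: _verifycert() check and Abort on mismatch …
```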
@@ -100,29 +103,21 @@ class validator(object):
                                    'insecurely)') % (host, msg))
             self.ui.debug('%s certificate successfully verified\n' % host)
         else:
-            if getattr(sock, 'getpeercert', False):
-                peercert = sock.getpeercert(True)
-                peerfingerprint = util.sha1(peercert).hexdigest()
-                nicefingerprint = ":".join([peerfingerprint[x:x + 2]
-                    for x in xrange(0, len(peerfingerprint), 2)])
-                if hostfingerprint:
-                    if peerfingerprint.lower() != \
-                            hostfingerprint.replace(':', '').lower():
-                        raise util.Abort(_('invalid certificate for %s '
-                                           'with fingerprint %s') %
-                                         (host, nicefingerprint))
-                    self.ui.debug('%s certificate matched fingerprint %s\n' %
-                                  (host, nicefingerprint))
-                else:
-                    self.ui.warn(_('warning: %s certificate '
-                                   'with fingerprint %s not verified '
-                                   '(check hostfingerprints or web.cacerts '
-                                   'config setting)\n') %
-                                 (host, nicefingerprint))
-            else: # python 2.5 ?
-                if hostfingerprint:
-                    raise util.Abort(_('no certificate for %s with '
-                                       'configured hostfingerprint') % host)
-                self.ui.warn(_('warning: %s certificate not verified '
-                               '(check web.cacerts config setting)\n') %
-                             host)
+            peercert = sock.getpeercert(True)
+            peerfingerprint = util.sha1(peercert).hexdigest()
+            nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+                for x in xrange(0, len(peerfingerprint), 2)])
+            if hostfingerprint:
+                if peerfingerprint.lower() != \
+                        hostfingerprint.replace(':', '').lower():
+                    raise util.Abort(_('invalid certificate for %s '
+                                       'with fingerprint %s') %
+                                     (host, nicefingerprint))
+                self.ui.debug('%s certificate matched fingerprint %s\n' %
+                              (host, nicefingerprint))
+            else:
+                self.ui.warn(_('warning: %s certificate '
+                               'with fingerprint %s not verified '
+                               '(check hostfingerprints or web.cacerts '
+                               'config setting)\n') %
+                             (host, nicefingerprint))
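Review bot: The final `else` now calls `sock.getpeercert(True)` with no local guard and covers two different situations, neither of which is stated in the code. One is a configured `hostfingerprint`, which takes precedence over `web.cacerts` at this layer given the `elif cacerts and not hostfingerprint` test. The other is no verification setting at all, where the connection proceeds after a warning. A comment above `peercert = sock.getpeercert(True)` would make that explicit, e.g. `# getpeercert exists here (checked at the top of the chain); a pinned fingerprint overrides web.cacerts, and with neither set the peer is only warned about, not verified`. The enclosing method starts outside the hunk.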

