[PATCH 2 of 2] sslutil: Only emit debug log messages accessing https repo on python2.4+2.5

Mads Kiilerich mads at kiilerich.com
Tue Jun 14 05:24:00 CDT 2011


Thanks for updating the patches. The first one is fine, and this one is 
so clear that I can say that I don't agree:

On 06/14/2011 05:32 AM, Stephen Thorne wrote:
> # HG changeset patch
> # User Stephen Thorne<stephen at thorne.id.au>
> # Date 1308022297 -36000
> # Node ID 95f9cf24a44654c375cf4a3940ada279b29cb087
> # Parent  6a28d54139bdcc49820978ed0c292d8d8c19123f
> sslutil: Only emit debug log messages accessing https repo on python2.4+2.5
>
> When accessing a https repository, a warning would be emitted telling the user
> there was no hostfingerprint set in the configuration. If a hostfingerprint
> was added to the http configuration then an Abort would happen every time
> because socket.getpeercert() is not available and thus the fingerprint can't be
> verified.
>
> The warning has been downgraded to an info on python2.4+2.5 and no longer
> allows you to cause mercurial to simply Abort when you attempt to configure it
> to verify the certificate.

If Mercurial has been configured to check the fingerprint of the remote 
server but can't do it then it MUST abort - just like it will abort with 
"certificate checking requires Python 2.6" if web.cacerts has been 
configured.

> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
...
> -            else: # python 2.5 ?
> -                if hostfingerprint:
> -                    raise util.Abort(_('no certificate for %s with '
> -                                       'configured hostfingerprint') % host)
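
Review bot: The `if hostfingerprint:` case under `else: # python 2.5 ?` should keep its `raise util.Abort`. With the raise removed, a user who configured a hostfingerprint gets a connection on which the fingerprint was never compared, and nothing in these lines stops it. If the objection is the wording 'no certificate for %s with configured hostfingerprint', change the message so it says the check cannot be performed, and leave the abort in place.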

A simple solution could be to change this message to something like 
"configured hostfingerprint for %s can't be verified because of missing 
Python SSL capabilities" ... only shorter.

> -                self.ui.warn(_('warning: %s certificate not verified '
> -                               '(check web.cacerts config setting)\n') %
> -                             host)
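
Review bot: The removed `self.ui.warn` is the user-visible notice that the host's certificate was not verified, and it should stay at warning level rather than move to a level that is hidden by default. The part worth changing is the hint '(check web.cacerts config setting)', which is not actionable where certificate checking is unavailable; reword the hint and keep the `warn` call.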

And this one could be "warning: %s certificate for %s can't be verified 
because of missing Python SSL capabilities".

Would that solve the problem you see, or can you come up with something 
smarter?

/Mads
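
The fail-closed rule argued for in this reply, as an added example that is not Mercurial's code and not part of the thread: a configured fingerprint that cannot be checked aborts, while an unconfigured host proceeds with a visible warning. `check_peer`, `Abort`, the SHA-256 choice and the sample bytes are assumptions made for illustration.

```python
import hashlib


class Abort(Exception):
    """Stand-in for a fatal error (hypothetical, not mercurial.util.Abort)."""


def normalize(fp):
    # Accept "AB:CD:..." or "abcd..." forms of a configured fingerprint.
    return fp.replace(":", "").strip().lower()


def check_peer(host, der_cert, hostfingerprint=None, warn=None):
    """Decide whether a connection to host may proceed.

    der_cert is the peer certificate in DER form, or None when the runtime
    cannot expose it (the situation discussed in the thread).
    Returns "pinned" or "unverified"; raises Abort otherwise.
    """
    if hostfingerprint:
        if der_cert is None:
            # Verification was requested but is impossible: fail closed.
            raise Abort("configured hostfingerprint for %s can't be verified"
                        % host)
        # SHA-256 is an assumption of this example.
        actual = hashlib.sha256(der_cert).hexdigest()
        if actual != normalize(hostfingerprint):
            raise Abort("certificate for %s has unexpected fingerprint" % host)
        return "pinned"
    # Nothing was configured: proceed, but say so at default verbosity.
    if warn is not None:
        warn("warning: %s certificate not verified\n" % host)
    return "unverified"


# Constructed sample input: these bytes stand in for a DER certificate.
SAMPLE_CERT = b"constructed-der-bytes-for-example"
SAMPLE_FP = ":".join(
    hashlib.sha256(SAMPLE_CERT).hexdigest()[i:i + 2] for i in range(0, 64, 2))
```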

