[PATCH 2 of 2] sslutil: Only emit debug log messages accessing https repo on python2.4+2.5

Matt Mackall mpm at selenic.com
Tue Jun 14 15:07:49 CDT 2011


On Tue, 2011-06-14 at 12:24 +0200, Mads Kiilerich wrote:
> Thanks for updating the patches. The first one is fine, and this one is 
> so clear that I can say that I don't agree:
> 
> On 06/14/2011 05:32 AM, Stephen Thorne wrote:
> > # HG changeset patch
> > # User Stephen Thorne<stephen at thorne.id.au>
> > # Date 1308022297 -36000
> > # Node ID 95f9cf24a44654c375cf4a3940ada279b29cb087
> > # Parent  6a28d54139bdcc49820978ed0c292d8d8c19123f
> > sslutil: Only emit debug log messages accessing https repo on python2.4+2.5
> >
> > When accessing a https repository, a warning would be emitted telling the user
> > there was no hostfingerprint set in the configuration. If a hostfingerprint
> > was added to the http configuration then an Abort would happen every time
> > because socket.getpeercert() is not available and thus the fingerprint can't be
> > verified.
> >
> > The warning has been downgraded to an info on python2.4+2.5 and no longer
> > allows you to cause mercurial to simply Abort when you attempt to configure it
> > to verify the certificate.
> 
> If Mercurial has been configured to check the fingerprint of the remote 
> server but can't do it then it MUST abort - just like it will abort with 
> "certificate checking requires Python 2.6" if web.cacerts has been 
> configured.

Indeed, if people have configured a security feature, we need to fail
secure.

> > diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> > --- a/mercurial/sslutil.py
> > +++ b/mercurial/sslutil.py
> ...
> > -            else: # python 2.5 ?
> > -                if hostfingerprint:
> > -                    raise util.Abort(_('no certificate for %s with '
> > -                                       'configured hostfingerprint') % host)
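
Review bot: Removing the `raise util.Abort` under `if hostfingerprint:` in the `else: # python 2.5 ?` branch lets a connection proceed although the configured hostfingerprint was never checked. Keep the abort in this branch and change only its message, so that it says the fingerprint cannot be verified on this Python rather than "no certificate for %s with configured hostfingerprint".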
> 
> A simple solution could be to change this message to something like 
> "configured hostfingerprint for %s can't be verified because of missing 
> Python SSL capabilities" ... only shorter.

"host fingerprint for %s can't be verified (upgrade Python)"?

> 
> > -                self.ui.warn(_('warning: %s certificate not verified '
> > -                               '(check web.cacerts config setting)\n') %
> > -                             host)
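
Review bot: Dropping this `self.ui.warn(...)` call removes the one notice that the %s certificate was not verified, and the commit message says it is only replaced by an info-level message on python2.4+2.5. Keep it at warning level; if the "(check web.cacerts config setting)" hint is misleading on those versions, reword the text instead of lowering the level.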
> 
> And this one could be "warning: %s certificate for %s can't be verified 
> because of missing Python SSL capabilities".
> 
> Would that solve the problem you see, or can you come up with something 
> smarter?
> 
> /Mads


-- 
Mathematics is the supreme nostalgia of our time.