[PATCH] ui: optionally quiesce ssl verification warnings

Steven Stallion sstallion at gmail.com
Mon Apr 9 14:08:58 CDT 2012


On Mon, Apr 9, 2012 at 11:43 AM, Matt Mackall <mpm at selenic.com> wrote:
> I'm actually ok with this. It (a) only fires when the socket has no
> "getpeercert" attribute and (b) it requires the user to do some config
> fiddling. It won't "help" the misguided user who has working SSL but no
> certificate data. But given that, I think the description of this option
> is itself misleading:
>
>> > +``report_unverified``
>> > +    Warn if an SSL certificate is unable to be verified. True or False.
>> > +    Default is True.
>
> If we have a non-broken Python, this won't suppress warnings and our
> clueless users will be even more frustrated. So this really should be
> named something specifically related to our "Python too old" messages.

I believe the patch should also quiesce messages from newer versions
of Python where the cert can't be verified:

@@ -135,7 +137,7 @@
                                        '--insecure to connect insecurely') %
                                      nicefingerprint)
            self.ui.debug('%s certificate successfully verified\n' % host)
-        else:
+        elif reportunverified:
            self.ui.warn(_('warning: %s certificate with fingerprint %s not '
                           'verified (check hostfingerprints or web.cacerts '
                           'config setting)\n') %
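
Review bot: at `elif reportunverified:` there is no remaining fallthrough branch, so with the option set to False an unverified certificate is accepted with no output at all, not even at debug level, whereas the verified path just above still logs through `self.ui.debug`. Consider adding a final `else:` that calls `self.ui.debug` with the host and `nicefingerprint`, so the unverified connection stays visible under --debug while the user-facing warning is silenced. It would also help to document next to the option that turning it off only hides this message and that `hostfingerprints` or `web.cacerts` is still what actually verifies the peer.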

The patch also has the nice side-effect of allowing the command to
still error out if a hostfingerprint is set. Do you still think the
entry should be renamed? Is more documentation needed?

Steve

