[PATCH 08 of 11] sslutil: handle ui.insecureconnections in validator

Yuya Nishihara yuya at tcha.org
Fri May 6 01:29:06 EDT 2016


On Thu, 05 May 2016 00:53:25 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1462433848 25200
> #      Thu May 05 00:37:28 2016 -0700
> # Node ID bd7ebeaf995eaab11afe722a6fba61d9c7c0f3c4
> # Parent  a32c736a9c48137accd777b343cbed85191409ef
> sslutil: handle ui.insecureconnections in validator
> 
> Right now, web.cacerts=! means one of two things:
> 
> 1) Use of --insecure
> 2) No CAs could be found and were loaded (see sslkwargs)
> 
> This isn't very obvious and makes changing behavior of these
> different scenarios independent of the other impossible.
> 
> This patch changes the validator code to explicitly handle the
> case of --insecure being used.
> 
> As the inline comment indicates, there is room to possibly change
> messaging and logic here. For now, we are backwards compatible.
> 
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -324,16 +324,29 @@ class validator(object):
>              if not fingerprintmatch:
>                  raise error.Abort(_('certificate for %s has unexpected '
>                                     'fingerprint %s') % (host, nicefingerprint),
>                                   hint=_('check hostfingerprint configuration'))
>              self.ui.debug('%s certificate matched fingerprint %s\n' %
>                            (host, nicefingerprint))
>              return
>  
> +        # If insecure connections were explicitly requested via --insecure,
> +        # print a warning and do no verification.
> +        #
> +        # It may seem odd that this is checked *after* host fingerprint pinning.
> +        # This is for backwards compatibility (for now). The message is also
> +        # the same as below for BC.
> +        if self.ui.insecureconnections:
> +            self.ui.warn(_('warning: %s certificate with fingerprint %s not '
> +                           'verified (check hostfingerprints or web.cacerts '
> +                           'config setting)\n') %
> +                         (host, nicefingerprint))
> +            return
> +
>          # No pinned fingerprint. Establish trust by looking at the CAs.
>          cacerts = self.ui.config('web', 'cacerts')
>          if cacerts != '!':
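
Review bot: The warning in the new `if self.ui.insecureconnections:` branch still tells the user to "check hostfingerprints or web.cacerts config setting", although this branch is only reached because --insecure was requested, so the hint does not name the real reason verification was skipped. Since the comment says the text is kept identical to the later message for BC, consider marking it as a follow-up (for example a TODO in the comment) to give the --insecure case its own wording. The comment could also state the consequence of checking after fingerprint pinning: with a pinned fingerprint that does not match, the `raise error.Abort(...)` above still fires even when --insecure is set.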

Confirmed that strict=True isn't set if --insecure is specified, so there
should be no behavior change.

Looks good to me.

