[PATCH 2 of 6] sslutil: move sslkwargs logic into internal function (API)
Yuya Nishihara
yuya at tcha.org
Fri May 27 10:52:48 EDT 2016
On Wed, 25 May 2016 20:03:51 -0700, Gregory Szorc wrote:
> +def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
> """Add SSL/TLS to a socket.
>
> This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
> choices based on what security options are available.
>
> In addition to the arguments supported by ``ssl.wrap_socket``, we allow
> the following additional arguments:
>
> * serverhostname - The expected hostname of the remote server. If the
> server (and client) support SNI, this tells the server which certificate
> to use.
> """
> if not serverhostname:
> raise error.Abort('serverhostname argument is required')
>
> + cert_reqs, ca_certs = _determinecertoptions(ui, serverhostname)
I'm writing tests of mail.py, and found this patch seems to change the
behavior.
hg 3.8.2, with web.cacerts=unknown-ca.pem:
a) --insecure: warning + patch sent
b) smtp.verifycert=False: no warning + patch sent
c) smtp.verifycert=loose: CERTIFICATE_VERIFY_FAILED
d) smtp.verifycert=strict: CERTIFICATE_VERIFY_FAILED
hg 9da137faaa9c, with web.cacerts=unknown-ca.pem:
a) --insecure: warning + patch sent
b) smtp.verifycert=False: CERTIFICATE_VERIFY_FAILED
c) smtp.verifycert=loose: CERTIFICATE_VERIFY_FAILED
d) smtp.verifycert=strict: CERTIFICATE_VERIFY_FAILED
As of 3.8.2, verifycert=loose doesn't appear to agree with the doc if cacerts
is specified or modern Python used. verifycert=False is broken at the current
tip.
Do we still have to support smtp.verifycert in addition to --insecure option?
SSL without verification is utterly insecure.
More information about the Mercurial-devel
mailing list