[PATCH 3 of 9] sslutil: store flag for whether cert verification is disabled

Mon May 30 19:03:05 EDT 2016

# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1464632431 25200
#      Mon May 30 11:20:31 2016 -0700
# Node ID 8730f180323ced5448291e00bd9f996b2b1457ea
# Parent  f605df24d053f88dd506ce75471350a2d7753d4a
sslutil: store flag for whether cert verification is disabled

This patch effectively moves the ui.insecureconnections check to
_hostsettings(). After this patch, validatesocket() no longer uses the
ui instance for anything except writing messages.

This patch also enables us to introduce a per-host config option
for disabling certificate verification.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -112,16 +112,18 @@ def _hostsettings(ui, hostname):
     Returns a dict of settings relevant to that hostname.
     """
     s = {
         # List of 2-tuple of (hash algorithm, hash).
         'certfingerprints': [],
         # Path to file containing concatenated CA certs. Used by
         # SSLContext.load_verify_locations().
         'cafile': None,
+        # Whether certificate verification should be disabled.
+        'disablecertverification': False,
         # Whether the legacy [hostfingerprints] section has data for this host.
         'legacyfingerprint': False,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         'verifymode': None,
     }
 
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
@@ -146,16 +148,17 @@ def _hostsettings(ui, hostname):
 
     # If a host cert fingerprint is defined, it is the only thing that
     # matters. No need to validate CA certs.
     if s['certfingerprints']:
         s['verifymode'] = ssl.CERT_NONE
 
     # If --insecure is used, don't take CAs into consideration.
     elif ui.insecureconnections:
+        s['disablecertverification'] = True
         s['verifymode'] = ssl.CERT_NONE
 
     # Try to hook up CA certificate validation unless something above
     # makes it not necessary.
     if s['verifymode'] is None:
         # Find global certificates file in config.
         cafile = ui.config('web', 'cacerts')
 
@@ -367,23 +370,23 @@ def validatesocket(sock):
         if not fingerprintmatch:
             raise error.Abort(_('certificate for %s has unexpected '
                                'fingerprint %s') % (host, nicefingerprint),
                              hint=_('check %s configuration') % section)
         ui.debug('%s certificate matched fingerprint %s\n' %
                  (host, nicefingerprint))
         return
 
-    # If insecure connections were explicitly requested via --insecure,
-    # print a warning and do no verification.
+    # If insecure connections were explicitly requested, print a warning
+    # and do no verification.
     #
     # It may seem odd that this is checked *after* host fingerprint pinning.
     # This is for backwards compatibility (for now). The message is also
     # the same as below for BC.
-    if ui.insecureconnections:
+    if settings['disablecertverification']:
         ui.warn(_('warning: %s certificate with fingerprint %s not '
                   'verified (check %s or web.cacerts '
                   'config setting)\n') %
                 (host, nicefingerprint, section))
         return
 
     if not sock._hgstate['caloaded']:
         ui.warn(_('warning: %s certificate with fingerprint %s '
