Diffstat (limited to 'mercurial/sslutil.py')
-rw-r--r--mercurial/sslutil.py75
1 files changed, 30 insertions, 45 deletions
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index c6fe18b..be3882c 100644
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -13,16 +13,8 @@ from mercurial.i18n import _
try:
# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
+ ssl_wrap_socket = ssl.wrap_socket
CERT_REQUIRED = ssl.CERT_REQUIRED
- def ssl_wrap_socket(sock, keyfile, certfile,
- cert_reqs=ssl.CERT_NONE, ca_certs=None):
- sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
- cert_reqs=cert_reqs, ca_certs=ca_certs)
- # check if wrap_socket failed silently because socket had been closed
- # - see http://bugs.python.org/issue13721
- if not sslsocket.cipher():
- raise util.Abort(_('ssl connection failed'))
- return sslsocket
except ImportError:
CERT_REQUIRED = 2
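Review bot: Binding `ssl_wrap_socket = ssl.wrap_socket` directly changes the positional signature callers see: the removed wrapper took (sock, keyfile, certfile, cert_reqs, ca_certs), whereas ssl.wrap_socket's fourth positional parameter is server_side and cert_reqs/ca_certs come later, so a caller passing cert_reqs or ca_certs positionally would now silently set a different option. The callers are not visible from this hunk, so this needs checking at the call sites; the ImportError fallback below keeps the explicit five-parameter form, so only keyword calls (`cert_reqs=`, `ca_certs=`) behave the same on both paths. A short comment on the alias line would make the constraint explicit: `# direct alias: callers must pass cert_reqs/ca_certs by keyword`.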
@@ -30,8 +22,6 @@ except ImportError:
def ssl_wrap_socket(sock, key_file, cert_file,
cert_reqs=CERT_REQUIRED, ca_certs=None):
- if not util.safehasattr(socket, 'ssl'):
- raise util.Abort(_('Python SSL support not found'))
if ca_certs:
raise util.Abort(_(
'certificate checking requires Python 2.6'))
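Review bot: With the `util.safehasattr(socket, 'ssl')` guard gone, the fallback ssl_wrap_socket no longer confirms SSL support exists before proceeding; if the rest of the body (which continues past the end of this hunk) relies on socket.ssl, an interpreter built without SSL will presumably fail with an AttributeError deep in the call rather than the explicit "Python SSL support not found" abort. If that is deliberate because the capability check now lives elsewhere, a one-line comment naming where would save the next reader the search.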
@@ -103,41 +93,36 @@ class validator(object):
host = self.host
cacerts = self.ui.config('web', 'cacerts')
hostfingerprint = self.ui.config('hostfingerprints', host)
- if not getattr(sock, 'getpeercert', False): # python 2.5 ?
- if hostfingerprint:
- raise util.Abort(_("host fingerprint for %s can't be "
- "verified (Python too old)") % host)
- if self.ui.configbool('ui', 'reportoldssl', True):
- self.ui.warn(_("warning: certificate for %s can't be verified "
- "(Python too old)\n") % host)
- return
- if not sock.cipher(): # work around http://bugs.python.org/issue13721
- raise util.Abort(_('%s ssl connection error') % host)
- peercert = sock.getpeercert(True)
- if not peercert:
- raise util.Abort(_('%s certificate error: '
- 'no certificate received') % host)
- peerfingerprint = util.sha1(peercert).hexdigest()
- nicefingerprint = ":".join([peerfingerprint[x:x + 2]
- for x in xrange(0, len(peerfingerprint), 2)])
- if hostfingerprint:
- if peerfingerprint.lower() != \
- hostfingerprint.replace(':', '').lower():
- raise util.Abort(_('certificate for %s has unexpected '
- 'fingerprint %s') % (host, nicefingerprint),
- hint=_('check hostfingerprint configuration'))
- self.ui.debug('%s certificate matched fingerprint %s\n' %
- (host, nicefingerprint))
- elif cacerts:
+ if cacerts and not hostfingerprint:
msg = _verifycert(sock.getpeercert(), host)
if msg:
- raise util.Abort(_('%s certificate error: %s') % (host, msg),
- hint=_('configure hostfingerprint %s or use '
- '--insecure to connect insecurely') %
- nicefingerprint)
+ raise util.Abort(_('%s certificate error: %s '
+ '(use --insecure to connect '
+ 'insecurely)') % (host, msg))
self.ui.debug('%s certificate successfully verified\n' % host)
else:
- self.ui.warn(_('warning: %s certificate with fingerprint %s not '
- 'verified (check hostfingerprints or web.cacerts '
- 'config setting)\n') %
- (host, nicefingerprint))
+ if getattr(sock, 'getpeercert', False):
+ peercert = sock.getpeercert(True)
+ peerfingerprint = util.sha1(peercert).hexdigest()
+ nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+ for x in xrange(0, len(peerfingerprint), 2)])
+ if hostfingerprint:
+ if peerfingerprint.lower() != \
+ hostfingerprint.replace(':', '').lower():
+ raise util.Abort(_('invalid certificate for %s '
+ 'with fingerprint %s') %
+ (host, nicefingerprint))
+ self.ui.debug('%s certificate matched fingerprint %s\n' %
+ (host, nicefingerprint))
+ else:
+ self.ui.warn(_('warning: %s certificate '
+ 'with fingerprint %s not verified '
+ '(check hostfingerprints or web.cacerts '
+ 'config setting)\n') %
+ (host, nicefingerprint))
+ else: # python 2.5 ?
+ if hostfingerprint:
+ raise util.Abort(_("host fingerprint for %s can't be "
+ "verified (Python too old)") % host)
+ self.ui.warn(_("warning: certificate for %s can't be "
+ "verified (Python too old)\n") % host)
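Review bot: `peercert = sock.getpeercert(True)` on the new side is passed straight to `util.sha1(peercert)` with no check that a certificate was actually received; getpeercert can return None when the peer presented none (or when the handshake failed silently, the issue13721 case the old side caught with `sock.cipher()`), and then the hostfingerprint comparison never runs and the user gets a TypeError traceback instead of an Abort. A guard between those two lines, `if not peercert: raise util.Abort(_('%s certificate error: no certificate received') % host)`, keeps the failure explicit and keeps a misconfigured or failed connection from looking like a code bug. Note also that when both web.cacerts and a hostfingerprint are configured, the `if cacerts and not hostfingerprint:` test skips CA validation entirely and the pinned fingerprint alone decides, which is worth stating on that line, e.g. `# a configured hostfingerprint takes precedence over web.cacerts validation`. The enclosing validator method starts before this hunk.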