mercurial-scm/hg: comparison mercurial/sslutil.py

equal deleted inserted replaced

-:57875cf423c9
+:2372284d9457
 r'ca_certs': self._cacerts,
 r'ciphers': self._ciphers,
 }
 return ssl.wrap_socket(socket, **args)
 def _hostsettings(ui, hostname):
 """Obtain security settings for a hostname.
 Returns a dict of settings relevant to that hostname.
 # Allow minimum TLS protocol to be specified in the config.
 def validateprotocol(protocol, key):
 if protocol not in configprotocols:
 raise error.Abort(
-_('unsupported protocol from hostsecurity.%s: %s') %
+_('unsupported protocol from hostsecurity.%s: %s')
-(key, protocol),
+% (key, protocol),
-hint=_('valid protocols: %s') %
+hint=_('valid protocols: %s')
-' '.join(sorted(configprotocols)))
+% ' '.join(sorted(configprotocols)),
+)
 # We default to TLS 1.1+ where we can because TLS 1.0 has known
 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
 # TLS 1.0+ via config options in case a legacy server is encountered.
 if 'tls1.1' in supportedprotocols:
 # Let people know they are borderline secure.
 # We don't document this config option because we want people to see
 # the bold warnings on the web site.
 # internal config: hostsecurity.disabletls10warning
 if not ui.configbool('hostsecurity', 'disabletls10warning'):
-ui.warn(_('warning: connecting to %s using legacy security '
+ui.warn(
-'technology (TLS 1.0); see '
+_(
-'https://mercurial-scm.org/wiki/SecureConnections for '
+'warning: connecting to %s using legacy security '
-'more info\n') % bhostname)
+'technology (TLS 1.0); see '
+'https://mercurial-scm.org/wiki/SecureConnections for '
+'more info\n'
+)
+% bhostname
+)
 defaultprotocol = 'tls1.0'
 key = 'minimumprotocol'
 protocol = ui.config('hostsecurity', key, defaultprotocol)
 validateprotocol(protocol, key)
 # Look for fingerprints in [hostsecurity] section. Value is a list
 # of <alg>:<fingerprint> strings.
 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % bhostname)
 for fingerprint in fingerprints:
 if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
-raise error.Abort(_('invalid fingerprint for %s: %s') % (
+raise error.Abort(
-bhostname, fingerprint),
+_('invalid fingerprint for %s: %s') % (bhostname, fingerprint),
-hint=_('must begin with "sha1:", "sha256:", '
+hint=_('must begin with "sha1:", "sha256:", ' 'or "sha512:"'),
-'or "sha512:"'))
+)
 alg, fingerprint = fingerprint.split(':', 1)
 fingerprint = fingerprint.replace(':', '').lower()
 s['certfingerprints'].append((alg, fingerprint))
 # If both fingerprints and a per-host ca file are specified, issue a warning
 # because users should not be surprised about what security is or isn't
 # being performed.
 cafile = ui.config('hostsecurity', '%s:verifycertsfile' % bhostname)
 if s['certfingerprints'] and cafile:
-ui.warn(_('(hostsecurity.%s:verifycertsfile ignored when host '
+ui.warn(
-'fingerprints defined; using host fingerprints for '
+_(
-'verification)\n') % bhostname)
+'(hostsecurity.%s:verifycertsfile ignored when host '
+'fingerprints defined; using host fingerprints for '
+'verification)\n'
+)
+% bhostname
+)
 # Try to hook up CA certificate validation unless something above
 # makes it not necessary.
 if s['verifymode'] is None:
 # Look at per-host ca file first.
 if cafile:
 cafile = util.expandpath(cafile)
 if not os.path.exists(cafile):
-raise error.Abort(_('path specified by %s does not exist: %s') %
+raise error.Abort(
-('hostsecurity.%s:verifycertsfile' % (
+_('path specified by %s does not exist: %s')
-bhostname,), cafile))
+% ('hostsecurity.%s:verifycertsfile' % (bhostname,), cafile)
+)
 s['cafile'] = cafile
 else:
 # Find global certificates file in config.
 cafile = ui.config('web', 'cacerts')
 if cafile:
 cafile = util.expandpath(cafile)
 if not os.path.exists(cafile):
-raise error.Abort(_('could not find web.cacerts: %s') %
+raise error.Abort(
-cafile)
+_('could not find web.cacerts: %s') % cafile
+)
 elif s['allowloaddefaultcerts']:
 # CAs not defined in config. Try to find system bundles.
 cafile = _defaultcacerts(ui)
 if cafile:
 ui.debug('using %s for CA file\n' % cafile)
 assert s['protocol'] is not None
 assert s['ctxoptions'] is not None
 assert s['verifymode'] is not None
 return s
 def protocolsettings(protocol):
 """Resolve the protocol for a config value.
 Returns a 3-tuple of (protocol, options, ui value) where the first
 # disable protocols via SSLContext.options and OP_NO_* constants.
 # However, SSLContext.options doesn't work unless we have the
 # full/real SSLContext available to us.
 if supportedprotocols == {'tls1.0'}:
 if protocol != 'tls1.0':
-raise error.Abort(_('current Python does not support protocol '
+raise error.Abort(
-'setting %s') % protocol,
+_('current Python does not support protocol ' 'setting %s')
-hint=_('upgrade Python or disable setting since '
+% protocol,
-'only TLS 1.0 is supported'))
+hint=_(
+'upgrade Python or disable setting since '
+'only TLS 1.0 is supported'
+),
+)
 return ssl.PROTOCOL_TLSv1, 0, 'tls1.0'
 # WARNING: returned options don't work unless the modern ssl module
 # is available. Be careful when adding options here.
 # There is no guarantee this attribute is defined on the module.
 options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
 return ssl.PROTOCOL_SSLv23, options, protocol
 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
 """Add SSL/TLS to a socket.
 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
 choices based on what security options are available.
 raise error.Abort(_('serverhostname argument is required'))
 if b'SSLKEYLOGFILE' in encoding.environ:
 try:
 import sslkeylog
-sslkeylog.set_keylog(pycompat.fsdecode(
-encoding.environ[b'SSLKEYLOGFILE']))
+sslkeylog.set_keylog(
+pycompat.fsdecode(encoding.environ[b'SSLKEYLOGFILE'])
+)
 ui.warn(
-b'sslkeylog enabled by SSLKEYLOGFILE environment variable\n')
+b'sslkeylog enabled by SSLKEYLOGFILE environment variable\n'
+)
 except ImportError:
-ui.warn(b'sslkeylog module missing, '
+ui.warn(
-b'but SSLKEYLOGFILE set in environment\n')
+b'sslkeylog module missing, '
+b'but SSLKEYLOGFILE set in environment\n'
+)
 for f in (keyfile, certfile):
 if f and not os.path.exists(f):
 raise error.Abort(
 _('certificate file (%s) does not exist; cannot connect to %s')
 % (f, pycompat.bytesurl(serverhostname)),
-hint=_('restore missing file or fix references '
+hint=_(
-'in Mercurial config'))
+'restore missing file or fix references '
+'in Mercurial config'
+),
+)
 settings = _hostsettings(ui, serverhostname)
 # We can't use ssl.create_default_context() because it calls
 # load_default_certs() unless CA arguments are passed to it. We want to
 sslcontext.set_ciphers(pycompat.sysstr(settings['ciphers']))
 except ssl.SSLError as e:
 raise error.Abort(
 _('could not set ciphers: %s')
 % stringutil.forcebytestr(e.args[0]),
-hint=_('change cipher string (%s) in config') %
+hint=_('change cipher string (%s) in config')
-settings['ciphers'])
+% settings['ciphers'],
+)
 if certfile is not None:
 def password():
 f = keyfile or certfile
 return ui.getpass(_('passphrase for %s: ') % f, '')
 sslcontext.load_cert_chain(certfile, keyfile, password)
 if settings['cafile'] is not None:
 try:
 sslcontext.load_verify_locations(cafile=settings['cafile'])
 except ssl.SSLError as e:
-if len(e.args) == 1: # pypy has different SSLError args
+if len(e.args) == 1:  # pypy has different SSLError args
 msg = e.args[0]
 else:
 msg = e.args[1]
-raise error.Abort(_('error loading CA file %s: %s') % (
+raise error.Abort(
-settings['cafile'], stringutil.forcebytestr(msg)),
+_('error loading CA file %s: %s')
-hint=_('file is empty or malformed?'))
+% (settings['cafile'], stringutil.forcebytestr(msg)),
+hint=_('file is empty or malformed?'),
+)
 caloaded = True
 elif settings['allowloaddefaultcerts']:
 # This is a no-op on old Python.
 sslcontext.load_default_certs()
 caloaded = True
 # The exception handler is here to handle bugs around cert attributes:
 # https://bugs.python.org/issue20916#msg213479.  (See issues5313.)
 # When the main 20916 bug occurs, 'sslcontext.get_ca_certs()' is a
 # non-empty list, but the following conditional is otherwise True.
 try:
-if (caloaded and settings['verifymode'] == ssl.CERT_REQUIRED and
+if (
-modernssl and not sslcontext.get_ca_certs()):
+caloaded
-ui.warn(_('(an attempt was made to load CA certificates but '
+and settings['verifymode'] == ssl.CERT_REQUIRED
-'none were loaded; see '
+and modernssl
-'https://mercurial-scm.org/wiki/SecureConnections '
+and not sslcontext.get_ca_certs()
-'for how to configure Mercurial to avoid this '
+):
-'error)\n'))
+ui.warn(
+_(
+'(an attempt was made to load CA certificates but '
+'none were loaded; see '
+'https://mercurial-scm.org/wiki/SecureConnections '
+'for how to configure Mercurial to avoid this '
+'error)\n'
+)
+)
 except ssl.SSLError:
 pass
 # Try to print more helpful error messages for known failures.
 if util.safehasattr(e, 'reason'):
 # the likely scenario is either the client or the server
 # is really old. (e.g. server doesn't support TLS 1.0+ or
 # client doesn't support modern TLS versions introduced
 # several years from when this comment was written).
 if supportedprotocols != {'tls1.0'}:
-ui.warn(_(
+ui.warn(
-'(could not communicate with %s using security '
+_(
-'protocols %s; if you are using a modern Mercurial '
+'(could not communicate with %s using security '
-'version, consider contacting the operator of this '
+'protocols %s; if you are using a modern Mercurial '
-'server; see '
+'version, consider contacting the operator of this '
-'https://mercurial-scm.org/wiki/SecureConnections '
+'server; see '
-'for more info)\n') % (
+'https://mercurial-scm.org/wiki/SecureConnections '
+'for more info)\n'
+)
+% (
 pycompat.bytesurl(serverhostname),
-', '.join(sorted(supportedprotocols))))
+', '.join(sorted(supportedprotocols)),
+)
+)
 else:
-ui.warn(_(
+ui.warn(
-'(could not communicate with %s using TLS 1.0; the '
+_(
-'likely cause of this is the server no longer '
+'(could not communicate with %s using TLS 1.0; the '
-'supports TLS 1.0 because it has known security '
+'likely cause of this is the server no longer '
-'vulnerabilities; see '
+'supports TLS 1.0 because it has known security '
-'https://mercurial-scm.org/wiki/SecureConnections '
+'vulnerabilities; see '
-'for more info)\n') %
+'https://mercurial-scm.org/wiki/SecureConnections '
-pycompat.bytesurl(serverhostname))
+'for more info)\n'
+)
+% pycompat.bytesurl(serverhostname)
+)
 else:
 # We attempted TLS 1.1+. We can only get here if the client
 # supports the configured protocol. So the likely reason is
 # the client wants better security than the server can
 # offer.
-ui.warn(_(
+ui.warn(
-'(could not negotiate a common security protocol (%s+) '
+_(
-'with %s; the likely cause is Mercurial is configured '
+'(could not negotiate a common security protocol (%s+) '
-'to be more secure than the server can support)\n') % (
+'with %s; the likely cause is Mercurial is configured '
-settings['protocolui'],
+'to be more secure than the server can support)\n'
-pycompat.bytesurl(serverhostname)))
+)
-ui.warn(_('(consider contacting the operator of this '
+% (
-'server and ask them to support modern TLS '
+settings['protocolui'],
-'protocol versions; or, set '
+pycompat.bytesurl(serverhostname),
-'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
+)
-'use of legacy, less secure protocols when '
+)
-'communicating with this server)\n') %
+ui.warn(
-pycompat.bytesurl(serverhostname))
+_(
-ui.warn(_(
+'(consider contacting the operator of this '
-'(see https://mercurial-scm.org/wiki/SecureConnections '
+'server and ask them to support modern TLS '
-'for more info)\n'))
+'protocol versions; or, set '
+'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
-elif (e.reason == r'CERTIFICATE_VERIFY_FAILED' and
+'use of legacy, less secure protocols when '
-pycompat.iswindows):
+'communicating with this server)\n'
+)
-ui.warn(_('(the full certificate chain may not be available '
+% pycompat.bytesurl(serverhostname)
-'locally; see "hg help debugssl")\n'))
+)
+ui.warn(
+_(
+'(see https://mercurial-scm.org/wiki/SecureConnections '
+'for more info)\n'
+)
+)
+elif (
+e.reason == r'CERTIFICATE_VERIFY_FAILED' and pycompat.iswindows
+):
+ui.warn(
+_(
+'(the full certificate chain may not be available '
+'locally; see "hg help debugssl")\n'
+)
+)
 raise
 # check if wrap_socket failed silently because socket had been
 # closed
 # - see http://bugs.python.org/issue13721
 'ui': ui,
 }
 return sslsocket
-def wrapserversocket(sock, ui, certfile=None, keyfile=None, cafile=None,
-requireclientcert=False):
+def wrapserversocket(
+sock, ui, certfile=None, keyfile=None, cafile=None, requireclientcert=False
+):
 """Wrap a socket for use by servers.
 ``certfile`` and ``keyfile`` specify the files containing the certificate's
 public and private keys, respectively. Both keys can be defined in the same
 file via ``certfile`` (the private key must come first in the file).
 """
 # This function is not used much by core Mercurial, so the error messaging
 # doesn't have to be as detailed as for wrapsocket().
 for f in (certfile, keyfile, cafile):
 if f and not os.path.exists(f):
-raise error.Abort(_('referenced certificate file (%s) does not '
+raise error.Abort(
-'exist') % f)
+_('referenced certificate file (%s) does not ' 'exist') % f
+)
 protocol, options, _protocolui = protocolsettings('tls1.0')
 # This config option is intended for use in tests only. It is a giant
 # footgun to kill security. Don't define it.
 elif exactprotocol == 'tls1.2':
 if 'tls1.2' not in supportedprotocols:
 raise error.Abort(_('TLS 1.2 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_2
 elif exactprotocol:
-raise error.Abort(_('invalid value for serverexactprotocol: %s') %
+raise error.Abort(
-exactprotocol)
+_('invalid value for serverexactprotocol: %s') % exactprotocol
+)
 if modernssl:
 # We /could/ use create_default_context() here since it doesn't load
 # CAs when configured for client auth. However, it is hard-coded to
 # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
 if cafile:
 sslcontext.load_verify_locations(cafile=cafile)
 return sslcontext.wrap_socket(sock, server_side=True)
 class wildcarderror(Exception):
 """Represents an error parsing wildcards in DNS name."""
 def _dnsnamematch(dn, hostname, maxwildcards=1):
 """Match DNS names according RFC 6125 section 6.4.3.
 This code is effectively copied from CPython's ssl._dnsname_match.
 leftmost = pieces[0]
 remainder = pieces[1:]
 wildcards = leftmost.count('*')
 if wildcards > maxwildcards:
 raise wildcarderror(
-_('too many wildcards in certificate DNS name: %s') % dn)
+_('too many wildcards in certificate DNS name: %s') % dn
+)
 # speed up common case w/o wildcards
 if not wildcards:
 return dn.lower() == hostname.lower()
 pats.append(stringutil.reescape(frag))
 pat = re.compile(br'\A' + br'\.'.join(pats) + br'\Z', re.IGNORECASE)
 return pat.match(hostname) is not None
 def _verifycert(cert, hostname):
 '''Verify that cert (in socket.getpeercert() format) matches hostname.
 CRLs is not handled.
 Returns error message if any problems are found and None on success.
 elif len(dnsnames) == 1:
 return _('certificate is for %s') % dnsnames[0]
 else:
 return _('no commonName or subjectAltName found in certificate')
 def _plainapplepython():
 """return true if this seems to be a pure Apple Python that
 * is unfrozen and presumably has the whole mercurial module in the file
 system
 * presumably is an Apple Python that uses Apple OpenSSL which has patches
 for using system certificate store CAs in addition to the provided
 cacerts file
 """
-if (not pycompat.isdarwin or procutil.mainfrozen() or
+if (
-not pycompat.sysexecutable):
+not pycompat.isdarwin
+or procutil.mainfrozen()
+or not pycompat.sysexecutable
+):
 return False
 exe = os.path.realpath(pycompat.sysexecutable).lower()
-return (exe.startswith('/usr/bin/python') or
+return exe.startswith('/usr/bin/python') or exe.startswith(
-exe.startswith('/system/library/frameworks/python.framework/'))
+'/system/library/frameworks/python.framework/'
+)
 _systemcacertpaths = [
 # RHEL, CentOS, and Fedora
 '/etc/pki/tls/certs/ca-bundle.trust.crt',
 # Debian, Ubuntu, Gentoo
 '/etc/ssl/certs/ca-certificates.crt',
 ]
 def _defaultcacerts(ui):
 """return path to default CA certificates or None.
 It is assumed this function is called when the returned certificates
 """
 # The "certifi" Python package provides certificates. If it is installed
 # and usable, assume the user intends it to be used and use it.
 try:
 import certifi
 certs = certifi.where()
 if os.path.exists(certs):
 ui.debug('using ca certificates from certifi\n')
 return pycompat.fsencode(certs)
 except (ImportError, AttributeError):
 # because we'll get a certificate verification error later and the lack
 # of loaded CA certificates will be the reason why.
 # Assertion: this code is only called if certificates are being verified.
 if pycompat.iswindows:
 if not _canloaddefaultcerts:
-ui.warn(_('(unable to load Windows CA certificates; see '
+ui.warn(
-'https://mercurial-scm.org/wiki/SecureConnections for '
+_(
-'how to configure Mercurial to avoid this message)\n'))
+'(unable to load Windows CA certificates; see '
+'https://mercurial-scm.org/wiki/SecureConnections for '
+'how to configure Mercurial to avoid this message)\n'
+)
+)
 return None
 # Apple's OpenSSL has patches that allow a specially constructed certificate
 # to load the system CA store. If we're running on Apple Python, use this
 # trick.
 if _plainapplepython():
 dummycert = os.path.join(
-os.path.dirname(pycompat.fsencode(__file__)), 'dummycert.pem')
+os.path.dirname(pycompat.fsencode(__file__)), 'dummycert.pem'
+)
 if os.path.exists(dummycert):
 return dummycert
 # The Apple OpenSSL trick isn't available to us. If Python isn't able to
 # load system certs, we're out of luck.
 if pycompat.isdarwin:
 # FUTURE Consider looking for Homebrew or MacPorts installed certs
 # files. Also consider exporting the keychain certs to a file during
 # Mercurial install.
 if not _canloaddefaultcerts:
-ui.warn(_('(unable to load CA certificates; see '
+ui.warn(
-'https://mercurial-scm.org/wiki/SecureConnections for '
+_(
-'how to configure Mercurial to avoid this message)\n'))
+'(unable to load CA certificates; see '
+'https://mercurial-scm.org/wiki/SecureConnections for '
+'how to configure Mercurial to avoid this message)\n'
+)
+)
 return None
 # / is writable on Windows. Out of an abundance of caution make sure
 # we're not on Windows because paths from _systemcacerts could be installed
 # by non-admin users.
 # behalf. We only get here and perform this setting as a feature of
 # last resort.
 if not _canloaddefaultcerts:
 for path in _systemcacertpaths:
 if os.path.isfile(path):
-ui.warn(_('(using CA certificates from %s; if you see this '
+ui.warn(
-'message, your Mercurial install is not properly '
+_(
-'configured; see '
+'(using CA certificates from %s; if you see this '
-'https://mercurial-scm.org/wiki/SecureConnections '
+'message, your Mercurial install is not properly '
-'for how to configure Mercurial to avoid this '
+'configured; see '
-'message)\n') % path)
+'https://mercurial-scm.org/wiki/SecureConnections '
+'for how to configure Mercurial to avoid this '
+'message)\n'
+)
+% path
+)
 return path
-ui.warn(_('(unable to load CA certificates; see '
+ui.warn(
-'https://mercurial-scm.org/wiki/SecureConnections for '
+_(
-'how to configure Mercurial to avoid this message)\n'))
+'(unable to load CA certificates; see '
+'https://mercurial-scm.org/wiki/SecureConnections for '
+'how to configure Mercurial to avoid this message)\n'
+)
+)
 return None
 def validatesocket(sock):
 """Validate a socket meets security requirements.
 The passed socket must have been created with ``wrapsocket()``.
 peercert2 = sock.getpeercert()
 except AttributeError:
 raise error.Abort(_('%s ssl connection error') % host)
 if not peercert:
-raise error.Abort(_('%s certificate error: '
+raise error.Abort(
-'no certificate received') % host)
+_('%s certificate error: ' 'no certificate received') % host
+)
 if settings['disablecertverification']:
 # We don't print the certificate fingerprint because it shouldn't
 # be necessary: if the user requested certificate verification be
 # disabled, they presumably already saw a message about the inability
 # to verify the certificate and this message would have printed the
 # fingerprint. So printing the fingerprint here adds little to no
 # value.
-ui.warn(_('warning: connection security to %s is disabled per current '
+ui.warn(
-'settings; communication is susceptible to eavesdropping '
+_(
-'and tampering\n') % host)
+'warning: connection security to %s is disabled per current '
+'settings; communication is susceptible to eavesdropping '
+'and tampering\n'
+)
+% host
+)
 return
 # If a certificate fingerprint is pinned, use it and only it to
 # validate the remote cert.
 peerfingerprints = {
 'sha256': node.hex(hashlib.sha256(peercert).digest()),
 'sha512': node.hex(hashlib.sha512(peercert).digest()),
 }
 def fmtfingerprint(s):
-return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)])
+return ':'.join([s[x : x + 2] for x in range(0, len(s), 2)])
 nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
 if settings['certfingerprints']:
 for hash, fingerprint in settings['certfingerprints']:
 if peerfingerprints[hash].lower() == fingerprint:
-ui.debug('%s certificate matched fingerprint %s:%s\n' %
+ui.debug(
-(host, hash, fmtfingerprint(fingerprint)))
+'%s certificate matched fingerprint %s:%s\n'
+% (host, hash, fmtfingerprint(fingerprint))
+)
 if settings['legacyfingerprint']:
-ui.warn(_('(SHA-1 fingerprint for %s found in legacy '
+ui.warn(
-'[hostfingerprints] section; '
+_(
-'if you trust this fingerprint, remove the old '
+'(SHA-1 fingerprint for %s found in legacy '
-'SHA-1 fingerprint from [hostfingerprints] and '
+'[hostfingerprints] section; '
-'add the following entry to the new '
+'if you trust this fingerprint, remove the old '
-'[hostsecurity] section: %s:fingerprints=%s)\n') %
+'SHA-1 fingerprint from [hostfingerprints] and '
-(host, host, nicefingerprint))
+'add the following entry to the new '
+'[hostsecurity] section: %s:fingerprints=%s)\n'
+)
+% (host, host, nicefingerprint)
+)
 return
 # Pinned fingerprint didn't match. This is a fatal error.
 if settings['legacyfingerprint']:
 section = 'hostfingerprint'
 nice = fmtfingerprint(peerfingerprints['sha1'])
 else:
 section = 'hostsecurity'
 nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
-raise error.Abort(_('certificate for %s has unexpected '
+raise error.Abort(
-'fingerprint %s') % (host, nice),
+_('certificate for %s has unexpected ' 'fingerprint %s')
-hint=_('check %s configuration') % section)
+% (host, nice),
+hint=_('check %s configuration') % section,
+)
 # Security is enabled but no CAs are loaded. We can't establish trust
 # for the cert so abort.
 if not sock._hgstate['caloaded']:
 raise error.Abort(
-_('unable to verify security of %s (no loaded CA certificates); '
+_(
-'refusing to connect') % host,
+'unable to verify security of %s (no loaded CA certificates); '
-hint=_('see https://mercurial-scm.org/wiki/SecureConnections for '
+'refusing to connect'
-'how to configure Mercurial to avoid this error or set '
+)
-'hostsecurity.%s:fingerprints=%s to trust this server') %
+% host,
-(host, nicefingerprint))
+hint=_(
+'see https://mercurial-scm.org/wiki/SecureConnections for '
+'how to configure Mercurial to avoid this error or set '
+'hostsecurity.%s:fingerprints=%s to trust this server'
+)
+% (host, nicefingerprint),
+)
 msg = _verifycert(peercert2, shost)
 if msg:
-raise error.Abort(_('%s certificate error: %s') % (host, msg),
+raise error.Abort(
-hint=_('set hostsecurity.%s:certfingerprints=%s '
+_('%s certificate error: %s') % (host, msg),
-'config setting or use --insecure to connect '
+hint=_(
-'insecurely') %
+'set hostsecurity.%s:certfingerprints=%s '
-(host, nicefingerprint))
+'config setting or use --insecure to connect '
+'insecurely'
+)
+% (host, nicefingerprint),
+)

changeset 43076	2372284d9457
parent 42269	c8d55ff80da1
child 43077	687b865b95ad