comparison mercurial/sslutil.py @ 15813:3ae04eb5e38a
sslutil: handle setups without .getpeercert() early in the validator
This simplifies the code and makes the flow more obvious and reduces the
indentation level.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Mon, 09 Jan 2012 14:43:23 +0100 |
parents | 0cc4ad757c77 |
children | c3e958b50a22 |
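--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -101,38 +101,38 @@
 
 def __call__(self, sock):
 host = self.host
 cacerts = self.ui.config('web', 'cacerts')
 hostfingerprint = self.ui.config('hostfingerprints', host)
+if not getattr(sock, 'getpeercert', False): # python 2.5 ?
+if hostfingerprint:
+raise util.Abort(_("host fingerprint for %s can't be "
+"verified (Python too old)") % host)
+self.ui.warn(_("warning: certificate for %s can't be verified "
+"(Python too old)\n") % host)
+return
 if cacerts and not hostfingerprint:
 msg = _verifycert(sock.getpeercert(), host)
 if msg:
 raise util.Abort(_('%s certificate error: %s '
 '(use --insecure to connect '
 'insecurely)') % (host, msg))
 self.ui.debug('%s certificate successfully verified\n' % host)
 else:
-if getattr(sock, 'getpeercert', False):
-peercert = sock.getpeercert(True)
-peerfingerprint = util.sha1(peercert).hexdigest()
-nicefingerprint = ":".join([peerfingerprint[x:x + 2]
-for x in xrange(0, len(peerfingerprint), 2)])
-if hostfingerprint:
-if peerfingerprint.lower() != \
-hostfingerprint.replace(':', '').lower():
-raise util.Abort(_('invalid certificate for %s '
-'with fingerprint %s') %
-(host, nicefingerprint))
-self.ui.debug('%s certificate matched fingerprint %s\n' %
-(host, nicefingerprint))
-else:
-self.ui.warn(_('warning: %s certificate '
-'with fingerprint %s not verified '
-'(check hostfingerprints or web.cacerts '
-'config setting)\n') %
-(host, nicefingerprint))
-else: # python 2.5 ?
-if hostfingerprint:
-raise util.Abort(_("host fingerprint for %s can't be "
-"verified (Python too old)") % host)
-self.ui.warn(_("warning: certificate for %s can't be "
-"verified (Python too old)\n") % host)
+peercert = sock.getpeercert(True)
+peerfingerprint = util.sha1(peercert).hexdigest()
+nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+for x in xrange(0, len(peerfingerprint), 2)])
+if hostfingerprint:
+if peerfingerprint.lower() != \
+hostfingerprint.replace(':', '').lower():
+raise util.Abort(_('invalid certificate for %s '
+'with fingerprint %s') %
+(host, nicefingerprint))
+self.ui.debug('%s certificate matched fingerprint %s\n' %
+(host, nicefingerprint))
+else:
+self.ui.warn(_('warning: %s certificate '
+'with fingerprint %s not verified '
+'(check hostfingerprints or web.cacerts '
+'config setting)\n') %
+(host, nicefingerprint))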
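Review bot: The new early branch (new lines 106-112) fails open when `web.cacerts` is configured: if the socket has no `getpeercert` it aborts only when a host fingerprint is set, and otherwise warns and returns, so a connection the user asked to have CA-verified continues unverified. Before this change that case reached `_verifycert(sock.getpeercert(), host)` and would presumably have raised instead of continuing, although whether that path was reachable on such Python builds cannot be seen from this page. Consider guarding the abort with `if hostfingerprint or cacerts:` and wording the `util.Abort` message so it covers both settings, keeping the warning only for the case where neither is configured. The class that encloses `__call__` is outside this section.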