468 |
468 |
469 # check if wrap_socket failed silently because socket had been |
469 # check if wrap_socket failed silently because socket had been |
470 # closed |
470 # closed |
471 # - see http://bugs.python.org/issue13721 |
471 # - see http://bugs.python.org/issue13721 |
472 if not sslsocket.cipher(): |
472 if not sslsocket.cipher(): |
473 raise error.Abort(_(b'ssl connection failed')) |
473 raise error.SecurityError(_(b'ssl connection failed')) |
474 |
474 |
475 sslsocket._hgstate = { |
475 sslsocket._hgstate = { |
476 b'caloaded': caloaded, |
476 b'caloaded': caloaded, |
477 b'hostname': serverhostname, |
477 b'hostname': serverhostname, |
478 b'settings': settings, |
478 b'settings': settings, |
734 |
734 |
735 try: |
735 try: |
736 peercert = sock.getpeercert(True) |
736 peercert = sock.getpeercert(True) |
737 peercert2 = sock.getpeercert() |
737 peercert2 = sock.getpeercert() |
738 except AttributeError: |
738 except AttributeError: |
739 raise error.Abort(_(b'%s ssl connection error') % host) |
739 raise error.SecurityError(_(b'%s ssl connection error') % host) |
740 |
740 |
741 if not peercert: |
741 if not peercert: |
742 raise error.Abort( |
742 raise error.SecurityError( |
743 _(b'%s certificate error: no certificate received') % host |
743 _(b'%s certificate error: no certificate received') % host |
744 ) |
744 ) |
745 |
745 |
746 if settings[b'disablecertverification']: |
746 if settings[b'disablecertverification']: |
747 # We don't print the certificate fingerprint because it shouldn't |
747 # We don't print the certificate fingerprint because it shouldn't |
799 section = b'hostfingerprint' |
799 section = b'hostfingerprint' |
800 nice = fmtfingerprint(peerfingerprints[b'sha1']) |
800 nice = fmtfingerprint(peerfingerprints[b'sha1']) |
801 else: |
801 else: |
802 section = b'hostsecurity' |
802 section = b'hostsecurity' |
803 nice = b'%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash])) |
803 nice = b'%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash])) |
804 raise error.Abort( |
804 raise error.SecurityError( |
805 _(b'certificate for %s has unexpected fingerprint %s') |
805 _(b'certificate for %s has unexpected fingerprint %s') |
806 % (host, nice), |
806 % (host, nice), |
807 hint=_(b'check %s configuration') % section, |
807 hint=_(b'check %s configuration') % section, |
808 ) |
808 ) |
809 |
809 |
810 # Security is enabled but no CAs are loaded. We can't establish trust |
810 # Security is enabled but no CAs are loaded. We can't establish trust |
811 # for the cert so abort. |
811 # for the cert so abort. |
812 if not sock._hgstate[b'caloaded']: |
812 if not sock._hgstate[b'caloaded']: |
813 raise error.Abort( |
813 raise error.SecurityError( |
814 _( |
814 _( |
815 b'unable to verify security of %s (no loaded CA certificates); ' |
815 b'unable to verify security of %s (no loaded CA certificates); ' |
816 b'refusing to connect' |
816 b'refusing to connect' |
817 ) |
817 ) |
818 % host, |
818 % host, |
824 % (host, nicefingerprint), |
824 % (host, nicefingerprint), |
825 ) |
825 ) |
826 |
826 |
827 msg = _verifycert(peercert2, shost) |
827 msg = _verifycert(peercert2, shost) |
828 if msg: |
828 if msg: |
829 raise error.Abort( |
829 raise error.SecurityError( |
830 _(b'%s certificate error: %s') % (host, msg), |
830 _(b'%s certificate error: %s') % (host, msg), |
831 hint=_( |
831 hint=_( |
832 b'set hostsecurity.%s:certfingerprints=%s ' |
832 b'set hostsecurity.%s:certfingerprints=%s ' |
833 b'config setting or use --insecure to connect ' |
833 b'config setting or use --insecure to connect ' |
834 b'insecurely' |
834 b'insecurely' |
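Review bot: The `if not sslsocket.cipher():` check at line 473 and the `except AttributeError` branch at line 739 now raise the same exception type as the certificate and fingerprint failures at 742, 804, 813 and 829, although the comment above 473 describes a socket that was closed before the handshake, which is a transport condition rather than a trust decision. Assuming the second copy of each line is the new side, anything keyed on the exception type (exit status, log triage, alerting) can no longer tell a dropped connection from a rejected certificate. Consider keeping those two as a connection-level error, or state the intent with a comment such as `# reported as a security error on purpose: no cipher means no verified TLS session`. The definition of `error.SecurityError` is not visible here, so it is worth confirming that it derives from `error.Abort`, since any existing `except error.Abort` handlers around these calls would depend on that. Both enclosing functions start and end outside the lines shown.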