mercurial-scm/hg: comparison mercurial/sslutil.py

equal deleted inserted replaced

-:222f6834c69a
+:e1778b9c8d53
 if cafile or (_canloaddefaultcerts and s['allowloaddefaultcerts']):
 s['verifymode'] = ssl.CERT_REQUIRED
 else:
 # At this point we don't have a fingerprint, aren't being
 # explicitly insecure, and can't load CA certs. Connecting
-# at this point is insecure. But we do it for BC reasons.
+# is insecure. We allow the connection and abort during
-# TODO abort here to make secure by default.
+# validation (once we have the fingerprint to print to the
+# user).
 s['verifymode'] = ssl.CERT_NONE
 assert s['verifymode'] is not None
 return s
 nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
 raise error.Abort(_('certificate for %s has unexpected '
 'fingerprint %s') % (host, nice),
 hint=_('check %s configuration') % section)
+# Security is enabled but no CAs are loaded. We can't establish trust
+# for the cert so abort.
 if not sock._hgstate['caloaded']:
-ui.warn(_('warning: certificate for %s not verified '
+raise error.Abort(
-'(set hostsecurity.%s:certfingerprints=%s or web.cacerts '
+_('unable to verify security of %s (no loaded CA certificates); '
-'config settings)\n') % (host, host, nicefingerprint))
+'refusing to connect') % host,
-return
+hint=_('see https://mercurial-scm.org/wiki/SecureConnections for '
+'how to configure Mercurial to avoid this error or set '
+'hostsecurity.%s:fingerprints=%s to trust this server') %
+(host, nicefingerprint))
 msg = _verifycert(peercert2, host)
 if msg:
 raise error.Abort(_('%s certificate error: %s') % (host, msg),
 hint=_('set hostsecurity.%s:certfingerprints=%s '

changeset 29411	e1778b9c8d53
parent 29410	222f6834c69a
child 29446	2f7f1e10f840