Patchwork [07,of,11] sslutil: check for ui.insecureconnections in sslkwargs

login
register
mail settings
Submitter Gregory Szorc
Date May 5, 2016, 7:53 a.m.
Message ID <a32c736a9c48137accd7.1462434804@ubuntu-vm-main>
Download mbox | patch
Permalink /patch/14899/
State Accepted
Headers show

Comments

Gregory Szorc - May 5, 2016, 7:53 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1462433745 25200
#      Thu May 05 00:35:45 2016 -0700
# Node ID a32c736a9c48137accd777b343cbed85191409ef
# Parent  a34fbd2d6235b34319d857bbbb313f1cc53d554b
sslutil: check for ui.insecureconnections in sslkwargs

The end result of this function is the same. We now have a more
explicit return branch.

We still keep the old code looking at web.cacerts=! a few lines
below because we're still setting web.cacerts=! and need to react
to the variable. This will be removed in an upcoming patch.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -238,18 +238,23 @@  def sslkwargs(ui, host):
     kws = {'ui': ui}
 
     # If a host key fingerprint is on file, it is the only thing that matters
     # and CA certs don't come into play.
     hostfingerprint = ui.config('hostfingerprints', host)
     if hostfingerprint:
         return kws
 
-    # dispatch sets web.cacerts=! when --insecure is used.
+    # The code below sets up CA verification arguments. If --insecure is
+    # used, we don't take CAs into consideration, so return early.
+    if ui.insecureconnections:
+        return kws
+
     cacerts = ui.config('web', 'cacerts')
+    # TODO remove check when we stop setting this config.
     if cacerts == '!':
         return kws
 
     # If a value is set in the config, validate against a path and load
     # and require those certs.
     if cacerts:
         cacerts = util.expandpath(cacerts)
         if not os.path.exists(cacerts):