Patchwork [3,of,9,V2] sslutil: store flag for whether cert verification is disabled

Submitter Gregory Szorc
Date June 1, 2016, 2:21 a.m.
Message ID <1b9bbb794da9681fd663.1464747719@ubuntu-vm-main>
Permalink /patch/15309/
State Superseded


Gregory Szorc - June 1, 2016, 2:21 a.m.
# HG changeset patch
# User Gregory Szorc <>
# Date 1464632431 25200
#      Mon May 30 11:20:31 2016 -0700
# Node ID 1b9bbb794da9681fd6639f321a0156c75ece764f
# Parent  da1760d7493a21ed0c8905f013b545a2ae6169b8
sslutil: store flag for whether cert verification is disabled

This patch effectively moves the ui.insecureconnections check to
_hostsettings(). After this patch, validatesocket() no longer uses the
ui instance for anything except writing messages.

This patch also enables us to introduce a per-host config option
for disabling certificate verification.


diff --git a/mercurial/ b/mercurial/
--- a/mercurial/
+++ b/mercurial/
@@ -112,16 +112,18 @@  def _hostsettings(ui, hostname):
     Returns a dict of settings relevant to that hostname.
     s = {
         # List of 2-tuple of (hash algorithm, hash).
         'certfingerprints': [],
         # Path to file containing concatenated CA certs. Used by
         # SSLContext.load_verify_locations().
         'cafile': None,
+        # Whether certificate verification should be disabled.
+        'disablecertverification': False,
         # Whether the legacy [hostfingerprints] section has data for this host.
         'legacyfingerprint': False,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         'verifymode': None,
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
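Review bot: The comment on the new 'disablecertverification' key does not say how it differs from 'verifymode', which is also set to ssl.CERT_NONE when a fingerprint is pinned. Since the second hunk sets the flag only in the ui.insecureconnections branch, the comment should state that it records an explicit user request to skip verification, not merely that CA validation is off. Otherwise a later caller could treat verifymode == ssl.CERT_NONE and this flag as interchangeable and skip the fingerprint check.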
@@ -146,16 +148,17 @@  def _hostsettings(ui, hostname):
     # If a host cert fingerprint is defined, it is the only thing that
     # matters. No need to validate CA certs.
     if s['certfingerprints']:
         s['verifymode'] = ssl.CERT_NONE
     # If --insecure is used, don't take CAs into consideration.
     elif ui.insecureconnections:
+        s['disablecertverification'] = True
         s['verifymode'] = ssl.CERT_NONE
     # Try to hook up CA certificate validation unless something above
     # makes it not necessary.
     if s['verifymode'] is None:
         # Find global certificates file in config.
         cafile = ui.config('web', 'cacerts')
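Review bot: The flag is assigned only inside the `elif ui.insecureconnections:` branch, so with both a pinned fingerprint and --insecure the `if s['certfingerprints']:` branch wins and 'disablecertverification' stays False. The old check in validatesocket() tested ui.insecureconnections directly, independent of fingerprint configuration. Please confirm the two are equivalent on every path that reaches that check, or set the flag before the if/elif chain and leave only the verifymode assignment in the branch. The branch comment still names only --insecure; if the per-host option mentioned in the commit message lands here, it will need updating too.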
@@ -367,23 +370,23 @@  def validatesocket(sock):
         if not fingerprintmatch:
             raise error.Abort(_('certificate for %s has unexpected '
                                'fingerprint %s') % (host, nicefingerprint),
                              hint=_('check %s configuration') % section)
         ui.debug('%s certificate matched fingerprint %s\n' %
                  (host, nicefingerprint))
-    # If insecure connections were explicitly requested via --insecure,
-    # print a warning and do no verification.
+    # If insecure connections were explicitly requested, print a warning
+    # and do no verification.
     # It may seem odd that this is checked *after* host fingerprint pinning.
     # This is for backwards compatibility (for now). The message is also
     # the same as below for BC.
-    if ui.insecureconnections:
+    if settings['disablecertverification']:
         ui.warn(_('warning: %s certificate with fingerprint %s not '
                   'verified (check %s or web.cacerts '
                   'config setting)\n') %
                 (host, nicefingerprint, section))
     if not sock._hgstate['caloaded']:
         ui.warn(_('warning: %s certificate with fingerprint %s '
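Review bot: The retained comment "It may seem odd that this is checked *after* host fingerprint pinning" no longer describes where the decision is made, because the condition now reads settings['disablecertverification'] and that value is computed in _hostsettings(), where it is only set when no fingerprint is configured. Suggest rewording the comment to point at _hostsettings() as the source of the flag and to say how it interacts with pinning, so the security-relevant ordering is documented in one place. The warning text itself is unchanged, which matches the stated backwards-compatibility goal.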