File mercurial-2.8-ssl.diff of Package mercurial.4928
diff -uprN mercurial-2.8.orig/mercurial/sslutil.py mercurial-2.8/mercurial/sslutil.py
--- mercurial-2.8.orig/mercurial/sslutil.py 2013-11-24 11:43:21.326826414 +0100
+++ mercurial-2.8/mercurial/sslutil.py 2013-11-24 11:45:24.960654510 +0100
@@ -89,7 +89,6 @@ def _verifycert(cert, hostname):
# busted on those versions.
def sslkwargs(ui, host):
- cacerts = ui.config('web', 'cacerts')
forcetls = ui.configbool('ui', 'tls', default=True)
if forcetls:
ssl_version = PROTOCOL_TLSv1
@@ -98,10 +97,14 @@ def sslkwargs(ui, host):
hostfingerprint = ui.config('hostfingerprints', host)
kws = {'ssl_version': ssl_version,
}
- if cacerts and not hostfingerprint:
- cacerts = util.expandpath(cacerts)
- if not os.path.exists(cacerts):
- raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
+ if not hostfingerprint:
+ cacerts = ui.config('web', 'cacerts')
+ # cacerts explicitly set to empty string means to disable
+ # checking. See insecure option in dispatch.py
+ if cacerts is not None and cacerts != '':
+ cacerts = util.expandpath(cacerts)
+ if not os.path.exists(cacerts):
+ raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
kws.update({'ca_certs': cacerts,
'cert_reqs': CERT_REQUIRED,
})
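Review bot: The unchanged `kws.update({'ca_certs': cacerts, 'cert_reqs': CERT_REQUIRED, })` lines after the new block decide what the empty-string case really does, and their indentation is not visible on this page. If they sit directly under `if not hostfingerprint:` rather than under the inner check, an explicitly empty `web.cacerts` (which the added comment says disables checking) would still request `CERT_REQUIRED` with `ca_certs` set to `''`, and an unset value would pass `ca_certs=None` and depend on the SSL layer supplying a default trust store. Once the behaviour is confirmed, the comment should spell out all three states, for example `# unset: verify against the default store; '': no verification; path: verify against that file`. The inner test `cacerts is not None and cacerts != ''` can also be written `if cacerts:`, which is equivalent for a config value that is a string or None. The body of sslkwargs continues past the end of this hunk.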
@@ -150,7 +153,7 @@ class validator(object):
hint=_('check hostfingerprint configuration'))
self.ui.debug('%s certificate matched fingerprint %s\n' %
(host, nicefingerprint))
- elif cacerts:
+ elif cacerts is None or cacerts != '':
msg = _verifycert(peercert2, host)
if msg:
raise util.Abort(_('%s certificate error: %s') % (host, msg),
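Review bot: The new condition `cacerts is None or cacerts != ''` reduces to `cacerts != ''`, because `None != ''` is already true, so the line can be `elif cacerts != '':`. More useful to a reader is that this branch now runs `_verifycert` when `web.cacerts` is unset, and only the exact empty string skips it. That convention is explained only in `sslkwargs`, so a short comment here such as `# only an explicitly empty web.cacerts disables verification` would keep the two places in step. The assignment of `cacerts` in this method is outside the hunk, so this assumes it still comes from `ui.config('web', 'cacerts')`; the `raise` statement also continues past the hunk's last line.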