mercurial: comparison mercurial/sslutil.py

equal deleted inserted replaced

-:a05a91a3f120
+:fbccb334efe7
 # List of 2-tuple of (hash algorithm, hash).
 'certfingerprints': [],
 # Path to file containing concatenated CA certs. Used by
 # SSLContext.load_verify_locations().
 'cafile': None,
+# Whether certificate verification should be disabled.
+'disablecertverification': False,
 # Whether the legacy [hostfingerprints] section has data for this host.
 'legacyfingerprint': False,
 # ssl.CERT_* constant used by SSLContext.verify_mode.
 'verifymode': None,
 }
 if s['certfingerprints']:
 s['verifymode'] = ssl.CERT_NONE
 # If --insecure is used, don't take CAs into consideration.
 elif ui.insecureconnections:
+s['disablecertverification'] = True
 s['verifymode'] = ssl.CERT_NONE
 # Try to hook up CA certificate validation unless something above
 # makes it not necessary.
 if s['verifymode'] is None:
 hint=_('check %s configuration') % section)
 ui.debug('%s certificate matched fingerprint %s\n' %
 (host, nicefingerprint))
 return
-# If insecure connections were explicitly requested via --insecure,
+# If insecure connections were explicitly requested, print a warning
-# print a warning and do no verification.
+# and do no verification.
 #
 # It may seem odd that this is checked *after* host fingerprint pinning.
 # This is for backwards compatibility (for now). The message is also
 # the same as below for BC.
-if ui.insecureconnections:
+if settings['disablecertverification']:
 ui.warn(_('warning: %s certificate with fingerprint %s not '
 'verified (check %s or web.cacerts '
 'config setting)\n') %
 (host, nicefingerprint, section))
 return

changeset 29287	fbccb334efe7
parent 29286	a05a91a3f120
child 29288	7dee15dee53c