# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1462433848 25200
# Node ID 5edc5acecc83aa0155119f16333aded1180215e3
# Parent  843df550b46593bca3ff8200feaef609e0058e0d
sslutil: handle ui.insecureconnections in validator

Right now, web.cacerts=! means one of two things:

1) Use of --insecure
2) No CAs could be found and were loaded (see sslkwargs)

This isn't very obvious and makes changing behavior of these
different scenarios independent of the other impossible.

This patch changes the validator code to explicit handle the
case of --insecure being used.

As the inline comment indicates, there is room to possibly change
messaging and logic here. For now, we are backwards compatible.

diff -r 843df550b465 -r 5edc5acecc83 mercurial/sslutil.py
--- a/mercurial/sslutil.py	Thu May 05 00:35:45 2016 -0700
+++ b/mercurial/sslutil.py	Thu May 05 00:37:28 2016 -0700
@@ -329,6 +329,19 @@
                           (host, nicefingerprint))
             return
 
+        # If insecure connections were explicitly requested via --insecure,
+        # print a warning and do no verification.
+        #
+        # It may seem odd that this is checked *after* host fingerprint pinning.
+        # This is for backwards compatibility (for now). The message is also
+        # the same as below for BC.
+        if self.ui.insecureconnections:
+            self.ui.warn(_('warning: %s certificate with fingerprint %s not '
+                           'verified (check hostfingerprints or web.cacerts '
+                           'config setting)\n') %
+                         (host, nicefingerprint))
+            return
+
         # No pinned fingerprint. Establish trust by looking at the CAs.
         cacerts = self.ui.config('web', 'cacerts')
         if cacerts != '!':