sslutil: handle setups without .getpeercert() early in the validator
authorMads Kiilerich <mads@kiilerich.com>
Mon, 09 Jan 2012 14:43:23 +0100
changeset 15813 3ae04eb5e38a
parent 15812 0cc4ad757c77
child 15814 c3e958b50a22
sslutil: handle setups without .getpeercert() early in the validator. This simplifies the code, makes the flow more obvious, and reduces the indentation level.
mercurial/sslutil.py
--- a/mercurial/sslutil.py	Mon Jan 09 14:43:15 2012 +0100
+++ b/mercurial/sslutil.py	Mon Jan 09 14:43:23 2012 +0100
@@ -103,6 +103,13 @@
         host = self.host
         cacerts = self.ui.config('web', 'cacerts')
         hostfingerprint = self.ui.config('hostfingerprints', host)
+        if not getattr(sock, 'getpeercert', False): # python 2.5 ?
+            if hostfingerprint:
+                raise util.Abort(_("host fingerprint for %s can't be "
+                                   "verified (Python too old)") % host)
+            self.ui.warn(_("warning: certificate for %s can't be verified "
+                           "(Python too old)\n") % host)
+            return
         if cacerts and not hostfingerprint:
             msg = _verifycert(sock.getpeercert(), host)
             if msg:
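Review bot: When `web.cacerts` is configured but the socket has no `getpeercert`, the added branch only warns and returns, so a user who asked for CA verification gets an unverified connection; only the `hostfingerprint` case aborts. Before this change that combination reached `sock.getpeercert()` in the `cacerts` branch and would presumably have failed rather than continued. I would abort for both settings, for example by adding `if cacerts: raise util.Abort(_("certificate for %s can't be verified (Python too old)") % host)` ahead of the warning. Whether `cacerts` can be honoured at all in such a setup is decided outside this hunk, and the validator's body starts and ends outside it as well.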
@@ -111,28 +118,21 @@
                                    'insecurely)') % (host, msg))
             self.ui.debug('%s certificate successfully verified\n' % host)
         else:
-            if getattr(sock, 'getpeercert', False):
-                peercert = sock.getpeercert(True)
-                peerfingerprint = util.sha1(peercert).hexdigest()
-                nicefingerprint = ":".join([peerfingerprint[x:x + 2]
-                    for x in xrange(0, len(peerfingerprint), 2)])
-                if hostfingerprint:
-                    if peerfingerprint.lower() != \
-                            hostfingerprint.replace(':', '').lower():
-                        raise util.Abort(_('invalid certificate for %s '
-                                           'with fingerprint %s') %
-                                         (host, nicefingerprint))
-                    self.ui.debug('%s certificate matched fingerprint %s\n' %
-                                  (host, nicefingerprint))
-                else:
-                    self.ui.warn(_('warning: %s certificate '
-                                   'with fingerprint %s not verified '
-                                   '(check hostfingerprints or web.cacerts '
-                                   'config setting)\n') %
-                                 (host, nicefingerprint))
-            else: # python 2.5 ?
-                if hostfingerprint:
-                    raise util.Abort(_("host fingerprint for %s can't be "
-                                       "verified (Python too old)") % host)
-                self.ui.warn(_("warning: certificate for %s can't be "
-                               "verified (Python too old)\n") % host)
+            peercert = sock.getpeercert(True)
+            peerfingerprint = util.sha1(peercert).hexdigest()
+            nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+                for x in xrange(0, len(peerfingerprint), 2)])
+            if hostfingerprint:
+                if peerfingerprint.lower() != \
+                        hostfingerprint.replace(':', '').lower():
+                    raise util.Abort(_('invalid certificate for %s '
+                                       'with fingerprint %s') %
+                                     (host, nicefingerprint))
+                self.ui.debug('%s certificate matched fingerprint %s\n' %
+                              (host, nicefingerprint))
+            else:
+                self.ui.warn(_('warning: %s certificate '
+                               'with fingerprint %s not verified '
+                               '(check hostfingerprints or web.cacerts '
+                               'config setting)\n') %
+                             (host, nicefingerprint))
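Review bot: The pin check on the new side still compares a SHA-1 digest of the binary certificate (`util.sha1(peercert).hexdigest()`), and SHA-1 no longer gives the collision resistance expected of a certificate pin. Since the block is being re-indented anyway, a comment such as `# TODO: accept a stronger digest (e.g. SHA-256) for hostfingerprints` would record the limitation. The final `else` lets the connection proceed with only a warning when neither `hostfingerprints` nor `web.cacerts` is set, so a one-line comment there should say that this path is deliberately unverified. The enclosing `if`/`else` begins outside the hunk.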