sslutil: make cert fingerprints messages more actionable
authorGregory Szorc <gregory.szorc@gmail.com>
Tue, 31 May 2016 19:21:08 -0700
changeset 29292 bc5f55493397
parent 29291 15e533b7909c
child 29293 1b3a0b0c414f
sslutil: make cert fingerprints messages more actionable The previous warning and abort messages were difficult to understand. This patch makes them slightly better. I think there is still room to tweak the messaging. And as we adopt new security defaults, these messages will certainly change again. But at least this takes us a step in the right direction. References to "section" have been removed because if no fingerprint is defined, "section" can never be "hostfingerprints." So just print "hostsecurity" every time.
mercurial/sslutil.py
tests/test-https.t
--- a/mercurial/sslutil.py	Mon May 30 15:43:03 2016 -0700
+++ b/mercurial/sslutil.py	Tue May 31 19:21:08 2016 -0700
@@ -397,15 +397,15 @@
                           hint=_('check %s configuration') % section)
 
     if not sock._hgstate['caloaded']:
-        ui.warn(_('warning: %s certificate with fingerprint %s '
-                  'not verified (check %s or web.cacerts config '
-                  'setting)\n') %
-                (host, nicefingerprint, section))
+        ui.warn(_('warning: certificate for %s not verified '
+                  '(set hostsecurity.%s:certfingerprints=%s or web.cacerts '
+                  'config settings)\n') % (host, host, nicefingerprint))
         return
 
     msg = _verifycert(peercert2, host)
     if msg:
         raise error.Abort(_('%s certificate error: %s') % (host, msg),
-                         hint=_('configure %s %s or use '
-                                '--insecure to connect insecurely') %
-                              (section, nicefingerprint))
+                         hint=_('set hostsecurity.%s:certfingerprints=%s '
+                                'config setting or use --insecure to connect '
+                                'insecurely') %
+                              (host, nicefingerprint))
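Review bot: Both new messages (the ui.warn at the top of the hunk and the Abort hint at the bottom) invite the user to pin `nicefingerprint`, but that value is the fingerprint of whatever certificate the unverified peer just presented, so a reader who follows the instruction literally pins an attacker's certificate if the connection is already intercepted. The text should make the out-of-band step explicit, e.g. `'(verify the fingerprint with the server operator, then set hostsecurity.%s:certfingerprints=%s or web.cacerts config settings)\n'`. This matters most in the Abort branch, where `_verifycert` has already reported a hostname mismatch: a hint that simply says to set the fingerprint teaches users to silence exactly the failure the check exists to surface, so I would word that hint as "if this certificate is the expected one for %s, set ..." rather than an unconditional instruction. The corresponding expected-output lines in tests/test-https.t would need the same wording update. The enclosing function starts before this hunk, so `section` may still be used elsewhere in it (it is on the first context line) and is not dead after this change.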
--- a/tests/test-https.t	Mon May 30 15:43:03 2016 -0700
+++ b/tests/test-https.t	Tue May 31 19:21:08 2016 -0700
@@ -176,7 +176,7 @@
 clone via pull
 
   $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
-  warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting)
+  warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
   requesting all changes
   adding changesets
   adding manifests
@@ -203,7 +203,7 @@
   $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
   $ hg pull $DISABLECACERTS
   pulling from https://localhost:$HGPORT/
-  warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting)
+  warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
   searching for changes
   adding changesets
   adding manifests
@@ -244,7 +244,7 @@
   $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
   pulling from https://127.0.0.1:$HGPORT/
   abort: 127.0.0.1 certificate error: certificate is for localhost
-  (configure hostsecurity sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or use --insecure to connect insecurely)
+  (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
   [255]
   $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
   pulling from https://127.0.0.1:$HGPORT/