url: add --insecure option to bypass verification of ssl certificates
If --insecure is specified, it behaves the same way as when no web.cacerts is configured. It also shows a hint for the --insecure option when _verifycert() fails. Currently the hint isn't displayed on SSLError, because that needs a certain level of changes.
parent
bf9e13d063
commit
da93c3bd0b
@ -1030,6 +1030,9 @@ The full set of options is:
|
||||
You can use OpenSSL's CA certificate file if your platform has one.
|
||||
On most Linux systems this will be ``/etc/ssl/certs/ca-certificates.crt``.
|
||||
Otherwise you will have to generate this file manually.
|
||||
|
||||
To disable SSL verification temporarily, specify ``--insecure`` from
|
||||
command line.
|
||||
``contact``
|
||||
Name or email address of the person in charge of the repository.
|
||||
Defaults to ui.username or ``$EMAIL`` or "unknown" if unset or empty.
|
||||
|
@ -3943,6 +3943,8 @@ remoteopts = [
|
||||
_('specify ssh command to use'), _('CMD')),
|
||||
('', 'remotecmd', '',
|
||||
_('specify hg command to run on the remote side'), _('CMD')),
|
||||
('', 'insecure', None,
|
||||
_('do not verify server certificate (ignoring web.cacerts config)')),
|
||||
]
|
||||
|
||||
walkopts = [
|
||||
|
@ -552,6 +552,9 @@ def _dispatch(ui, args):
|
||||
if options['noninteractive']:
|
||||
ui.setconfig('ui', 'interactive', 'off')
|
||||
|
||||
if cmdoptions.get('insecure', False):
|
||||
ui.setconfig('web', 'cacerts', '')
|
||||
|
||||
if options['help']:
|
||||
return commands.help_(ui, cmd, options['version'])
|
||||
elif options['version']:
|
||||
|
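Review bot: The override `ui.setconfig('web', 'cacerts', '')` is applied to the command's `ui` as a whole, so CA verification is dropped for every HTTPS connection made through that `ui` during the command, not only for the remote named on the command line. Writing an empty string also makes an explicit opt-out indistinguishable from an unconfigured `web.cacerts` further down, so later code cannot log or treat the two cases differently. At minimum the branch deserves a comment such as `# --insecure: clear web.cacerts for this invocation; every HTTPS connection made through this ui skips CA verification`. `_dispatch` starts and ends outside the hunk, so whether a repository-level ui object also needs the override cannot be confirmed from here.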
@ -541,8 +541,9 @@ if has_https:
|
||||
ca_certs=cacerts)
|
||||
msg = _verifycert(self.sock.getpeercert(), self.host)
|
||||
if msg:
|
||||
raise util.Abort(_('%s certificate error: %s') %
|
||||
(self.host, msg))
|
||||
raise util.Abort(_('%s certificate error: %s '
|
||||
'(use --insecure to connect '
|
||||
'insecurely)') % (self.host, msg))
|
||||
self.ui.debug('%s certificate successfully verified\n' %
|
||||
self.host)
|
||||
else:
|
||||
|
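Review bot: The new hint `(use --insecure to connect insecurely)` is printed exactly when `_verifycert()` reports a mismatch, which is the case where the connection may be intercepted, and it offers only the bypass. The not-verified warning in this commit's test output already points users at `hostfingerprints` and `web.cacerts`, so the abort text should name those first, for example `'(check hostfingerprints or web.cacerts config setting, or use --insecure to connect insecurely)'`. The enclosing method starts before the hunk and continues after it.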
@ -179,16 +179,16 @@ Show all commands + options
|
||||
$ hg debugcommands
|
||||
add: include, exclude, subrepos, dry-run
|
||||
annotate: rev, follow, no-follow, text, user, file, date, number, changeset, line-number, include, exclude
|
||||
clone: noupdate, updaterev, rev, branch, pull, uncompressed, ssh, remotecmd
|
||||
clone: noupdate, updaterev, rev, branch, pull, uncompressed, ssh, remotecmd, insecure
|
||||
commit: addremove, close-branch, include, exclude, message, logfile, date, user
|
||||
diff: rev, change, text, git, nodates, show-function, reverse, ignore-all-space, ignore-space-change, ignore-blank-lines, unified, stat, include, exclude, subrepos
|
||||
export: output, switch-parent, rev, text, git, nodates
|
||||
forget: include, exclude
|
||||
init: ssh, remotecmd
|
||||
init: ssh, remotecmd, insecure
|
||||
log: follow, follow-first, date, copies, keyword, rev, removed, only-merges, user, only-branch, branch, prune, patch, git, limit, no-merges, stat, style, template, include, exclude
|
||||
merge: force, tool, rev, preview
|
||||
pull: update, force, rev, branch, ssh, remotecmd
|
||||
push: force, rev, branch, new-branch, ssh, remotecmd
|
||||
pull: update, force, rev, branch, ssh, remotecmd, insecure
|
||||
push: force, rev, branch, new-branch, ssh, remotecmd, insecure
|
||||
remove: after, force, include, exclude
|
||||
serve: accesslog, daemon, daemon-pipefds, errorlog, port, address, prefix, name, web-conf, webdir-conf, pid-file, stdio, templates, style, ipv6, certificate
|
||||
status: all, modified, added, removed, deleted, clean, unknown, ignored, no-status, copies, print0, rev, change, include, exclude, subrepos
|
||||
@ -200,7 +200,7 @@ Show all commands + options
|
||||
bisect: reset, good, bad, skip, command, noupdate
|
||||
branch: force, clean
|
||||
branches: active, closed
|
||||
bundle: force, rev, branch, base, all, type, ssh, remotecmd
|
||||
bundle: force, rev, branch, base, all, type, ssh, remotecmd, insecure
|
||||
cat: output, rev, decode, include, exclude
|
||||
copy: after, force, include, exclude, dry-run
|
||||
debugancestor:
|
||||
@ -228,10 +228,10 @@ Show all commands + options
|
||||
help:
|
||||
identify: rev, num, id, branch, tags
|
||||
import: strip, base, force, no-commit, exact, import-branch, message, logfile, date, user, similarity
|
||||
incoming: force, newest-first, bundle, rev, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, subrepos
|
||||
incoming: force, newest-first, bundle, rev, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, insecure, subrepos
|
||||
locate: rev, print0, fullpath, include, exclude
|
||||
manifest: rev
|
||||
outgoing: force, rev, newest-first, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, subrepos
|
||||
outgoing: force, rev, newest-first, branch, patch, git, limit, no-merges, stat, style, template, ssh, remotecmd, insecure, subrepos
|
||||
parents: rev, style, template
|
||||
paths:
|
||||
recover:
|
||||
|
@ -163,15 +163,30 @@ variables in the filename
|
||||
pulling from https://localhost:$HGPORT/
|
||||
searching for changes
|
||||
no changes found
|
||||
$ P=`pwd` hg -R copy-pull pull --insecure
|
||||
warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
|
||||
pulling from https://localhost:$HGPORT/
|
||||
searching for changes
|
||||
no changes found
|
||||
|
||||
cacert mismatch
|
||||
|
||||
$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
|
||||
abort: 127.0.0.1 certificate error: certificate is for localhost
|
||||
abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
|
||||
[255]
|
||||
$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
|
||||
warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
|
||||
pulling from https://127.0.0.1:$HGPORT/
|
||||
searching for changes
|
||||
no changes found
|
||||
$ hg -R copy-pull pull --config web.cacerts=pub-other.pem
|
||||
abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
|
||||
[255]
|
||||
$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
|
||||
warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
|
||||
pulling from https://localhost:$HGPORT/
|
||||
searching for changes
|
||||
no changes found
|
||||
|
||||
Test server cert which isn't valid yet
|
||||
|
||||
|
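Review bot: The added cases exercise `--insecure` only against `web.cacerts` (unset, `pub.pem` with a host mismatch, and `pub-other.pem`); nothing pins what happens when a `hostfingerprints` entry is configured for the host and `--insecure` is passed. Since the warning text itself refers users to `hostfingerprints`, a case with a non-matching fingerprint plus `--insecure` would document whether the pin is still enforced. The setup for `copy-pull` and the server certificate come from earlier parts of the file that are outside the hunk.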