author | Lorry Tar Creator <lorry-tar-importer@baserock.org> | 2011-10-01 20:49:36 +0000 |
---|---|---|
committer | Lorry <lorry@roadtrain.codethink.co.uk> | 2012-09-27 13:27:51 +0000 |
commit | 921ced43c48c1d170452a7b251b94cc96ec8dd44 (patch) | |
tree | 3c4a89176ea67fe4c7bf7b375488361a823c95fa /mercurial/sslutil.py | |
parent | 9039c805b0a7e36220101323f82735f08a104b37 (diff) | |
download | mercurial-tarball-master.tar.gz |
Imported from /srv/lorry/lorry-area/mercurial-tarball/mercurial-1.9.3.tar.gz.HEADmercurial-1.9.3master
Diffstat (limited to 'mercurial/sslutil.py')
-rw-r--r-- | mercurial/sslutil.py | 75 |
1 files changed, 30 insertions, 45 deletions
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index c6fe18b..be3882c 100644
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -13,16 +13,8 @@ from mercurial.i18n import _
 try:
 # avoid using deprecated/broken FakeSocket in python 2.6
 import ssl
+ ssl_wrap_socket = ssl.wrap_socket
 CERT_REQUIRED = ssl.CERT_REQUIRED
- def ssl_wrap_socket(sock, keyfile, certfile,
- cert_reqs=ssl.CERT_NONE, ca_certs=None):
- sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
- cert_reqs=cert_reqs, ca_certs=ca_certs)
- # check if wrap_socket failed silently because socket had been closed
- # - see http://bugs.python.org/issue13721
- if not sslsocket.cipher():
- raise util.Abort(_('ssl connection failed'))
- return sslsocket
 except ImportError:
 CERT_REQUIRED = 2
@@ -30,8 +22,6 @@ except ImportError:
 def ssl_wrap_socket(sock, key_file, cert_file,
 cert_reqs=CERT_REQUIRED, ca_certs=None):
- if not util.safehasattr(socket, 'ssl'):
- raise util.Abort(_('Python SSL support not found'))
 if ca_certs:
 raise util.Abort(_(
 'certificate checking requires Python 2.6'))
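Review bot: Binding `ssl_wrap_socket = ssl.wrap_socket` directly drops the post-wrap `sslsocket.cipher()` check, so a socket that was closed before wrapping now comes back as an SSLSocket that never completed a handshake (the issue13721 case the removed comment cites) and the failure only surfaces later, if at all, instead of as the explicit `ssl connection failed` abort. Keeping a thin wrapper on the `ssl` path restores it with three lines after the `ssl.wrap_socket(...)` call: `if not sslsocket.cipher():` / `raise util.Abort(_('ssl connection failed'))` / `return sslsocket`. The `validator` hunk below loses its own `sock.cipher()` guard in the same way.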
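Review bot: With the `util.safehasattr(socket, 'ssl')` guard removed from the fallback `ssl_wrap_socket`, a Python build that lacks both the `ssl` module and `socket.ssl` will presumably fail with an AttributeError from the `socket.ssl(...)` call later in the function rather than the clear `Python SSL support not found` abort. Restoring the two-line check at the top of the function keeps the failure explicit: `if not util.safehasattr(socket, 'ssl'):` / `raise util.Abort(_('Python SSL support not found'))`. The function body continues past the end of this hunk.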
@@ -103,41 +93,36 @@ class validator(object):
 host = self.host
 cacerts = self.ui.config('web', 'cacerts')
 hostfingerprint = self.ui.config('hostfingerprints', host)
- if not getattr(sock, 'getpeercert', False): # python 2.5 ?
- if hostfingerprint:
- raise util.Abort(_("host fingerprint for %s can't be "
- "verified (Python too old)") % host)
- if self.ui.configbool('ui', 'reportoldssl', True):
- self.ui.warn(_("warning: certificate for %s can't be verified "
- "(Python too old)\n") % host)
- return
- if not sock.cipher(): # work around http://bugs.python.org/issue13721
- raise util.Abort(_('%s ssl connection error') % host)
- peercert = sock.getpeercert(True)
- if not peercert:
- raise util.Abort(_('%s certificate error: '
- 'no certificate received') % host)
- peerfingerprint = util.sha1(peercert).hexdigest()
- nicefingerprint = ":".join([peerfingerprint[x:x + 2]
- for x in xrange(0, len(peerfingerprint), 2)])
- if hostfingerprint:
- if peerfingerprint.lower() != \
- hostfingerprint.replace(':', '').lower():
- raise util.Abort(_('certificate for %s has unexpected '
- 'fingerprint %s') % (host, nicefingerprint),
- hint=_('check hostfingerprint configuration'))
- self.ui.debug('%s certificate matched fingerprint %s\n' %
- (host, nicefingerprint))
- elif cacerts:
+ if cacerts and not hostfingerprint:
 msg = _verifycert(sock.getpeercert(), host)
 if msg:
- raise util.Abort(_('%s certificate error: %s') % (host, msg),
- hint=_('configure hostfingerprint %s or use '
- '--insecure to connect insecurely') %
- nicefingerprint)
+ raise util.Abort(_('%s certificate error: %s '
+ '(use --insecure to connect '
+ 'insecurely)') % (host, msg))
 self.ui.debug('%s certificate successfully verified\n' % host)
 else:
- self.ui.warn(_('warning: %s certificate with fingerprint %s not '
- 'verified (check hostfingerprints or web.cacerts '
- 'config setting)\n') %
- (host, nicefingerprint))
+ if getattr(sock, 'getpeercert', False):
+ peercert = sock.getpeercert(True)
+ peerfingerprint = util.sha1(peercert).hexdigest()
+ nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+ for x in xrange(0, len(peerfingerprint), 2)])
+ if hostfingerprint:
+ if peerfingerprint.lower() != \
+ hostfingerprint.replace(':', '').lower():
+ raise util.Abort(_('invalid certificate for %s '
+ 'with fingerprint %s') %
+ (host, nicefingerprint))
+ self.ui.debug('%s certificate matched fingerprint %s\n' %
+ (host, nicefingerprint))
+ else:
+ self.ui.warn(_('warning: %s certificate '
+ 'with fingerprint %s not verified '
+ '(check hostfingerprints or web.cacerts '
+ 'config setting)\n') %
+ (host, nicefingerprint))
+ else: # python 2.5 ?
+ if hostfingerprint:
+ raise util.Abort(_("host fingerprint for %s can't be "
+ "verified (Python too old)") % host)
+ self.ui.warn(_("warning: certificate for %s can't be "
+ "verified (Python too old)\n") % host)
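Review bot: In the new `else:` branch, `peercert = sock.getpeercert(True)` is passed straight to `util.sha1(peercert)` with no check that a certificate was actually received; `getpeercert` returns None when the peer supplied none (and in the silent no-handshake case of issue13721 that the removed `sock.cipher()` guard covered), so the hashing line likely ends in a TypeError traceback rather than a clean abort, and a configured hostfingerprint is then never compared at all. A two-line guard right after the `getpeercert(True)` call keeps the failure explicit: `if not peercert:` / `raise util.Abort(_('%s certificate error: no certificate received') % host)`. The enclosing method of `validator` starts before this hunk.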