facebook/sapling
1
1
Fork 0
mirror of https://github.com/facebook/sapling.git synced 2024-10-09 08:18:15 +03:00
Code Issues Projects Releases Wiki Activity
d2b9482bcd
sapling/mercurial/sslutil.py

232 lines
9.7 KiB
Python
Raw Normal View History

sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
# sslutil.py - SSL handling for mercurial
#
# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs This will give PKI-secure behaviour out of the box, without any configuration. Setting web.cacerts to any value or empty will disable this trick. This dummy cert trick only works on OS X 10.6+, but 10.5 had Python 2.5 which didn't have certificate validation at all.
2014-09-26 04:19:48 +04:00
import os, sys
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
from mercurial import util
from mercurial.i18n import _
ssl: load CA certificates from system's store by default on Python 2.7.9 This will make it easy to manage in-house CA certificates, which are often used in corporate environment and installed into the Windows' certs store. Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9. The default web.cacerts will be set as follows: environment web.cacerts behavior ------------- ----------- ----------------------------------------- Apple Python dummycert fall back to system's store Python 2.7.8 '!' never use CA certs (show warning instead) Python 2.7.9+ None load CA certs from system's store
2015-02-26 16:54:13 +03:00
_canloaddefaultcerts = False
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
try:
# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
CERT_REQUIRED = ssl.CERT_REQUIRED
https: support tls sni (server name indication) for https urls (issue3090) SNI is a common way of sharing servers across multiple domains using separate SSL certificates. As of Python 2.7.9 SSLContext has been backported from Python 3. This patch changes sslutil's ssl_wrap_socket to use SSLContext and take a server hostname as and argument. It also changes the url module to make use of this argument. The new code for 2.7.9 achieves it's task by attempting to get the SSLContext object from the ssl module. If this fails the try/except goes back to what was there before with the exception that the ssl_wrap_socket functions take a server_hostname argument that doesn't get used. Assuming the SSLContext exists, the arguments to wrap_socket at the module level are emulated on the SSLContext. The SSLContext is initialized with the specified ssl_version. If certfile is not None load_cert_chain is called with certfile and keyfile. keyfile being None is not a problem, load_cert_chain will simply expect the private key to be in the certificate file. verify_mode is set to cert_reqs. If ca_certs is not None load_verify_locations is called with ca_certs as the cafile. Finally the wrap_socket method of the SSLContext is called with the socket and server hostname. Finally, this fails test-check-commit-hg.t because the "new" function ssl_wrap_socket has underscores in its names and underscores in its arguments. All the underscore identifiers are taken from the other functions and as such can't be changed to match naming conventions.
2015-01-13 04:01:20 +03:00
try:
ssl_context = ssl.SSLContext
ssl: load CA certificates from system's store by default on Python 2.7.9 This will make it easy to manage in-house CA certificates, which are often used in corporate environment and installed into the Windows' certs store. Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9. The default web.cacerts will be set as follows: environment web.cacerts behavior ------------- ----------- ----------------------------------------- Apple Python dummycert fall back to system's store Python 2.7.8 '!' never use CA certs (show warning instead) Python 2.7.9+ None load CA certs from system's store
2015-02-26 16:54:13 +03:00
_canloaddefaultcerts = util.safehasattr(ssl_context,
'load_default_certs')
https: support tls sni (server name indication) for https urls (issue3090) SNI is a common way of sharing servers across multiple domains using separate SSL certificates. As of Python 2.7.9 SSLContext has been backported from Python 3. This patch changes sslutil's ssl_wrap_socket to use SSLContext and take a server hostname as and argument. It also changes the url module to make use of this argument. The new code for 2.7.9 achieves it's task by attempting to get the SSLContext object from the ssl module. If this fails the try/except goes back to what was there before with the exception that the ssl_wrap_socket functions take a server_hostname argument that doesn't get used. Assuming the SSLContext exists, the arguments to wrap_socket at the module level are emulated on the SSLContext. The SSLContext is initialized with the specified ssl_version. If certfile is not None load_cert_chain is called with certfile and keyfile. keyfile being None is not a problem, load_cert_chain will simply expect the private key to be in the certificate file. verify_mode is set to cert_reqs. If ca_certs is not None load_verify_locations is called with ca_certs as the cafile. Finally the wrap_socket method of the SSLContext is called with the socket and server hostname. Finally, this fails test-check-commit-hg.t because the "new" function ssl_wrap_socket has underscores in its names and underscores in its arguments. All the underscore identifiers are taken from the other functions and as such can't be changed to match naming conventions.
2015-01-13 04:01:20 +03:00
sslutil: drop support for clients of sslutil specifying a TLS version We really just want to support the newest thing possible, so we may as well consolidate that knowledge into this module. Right now this doesn't change any behavior, but a future change will fix the defaults for Python 2.7.9 so we can use slightly better defaults there (which is the only place it's possible at the moment.)
2015-01-14 23:31:16 +03:00
def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
ca_certs=None, serverhostname=None):
sslutil: use saner TLS settings on Python 2.7.9 Asking for TLSv1 locks us out of TLSv1_2 etc. This is at least less bad. Ideally we'd use ssl.create_default_context(), but that causes more mayhem in the testsuite than I really want to deal with right now.
2015-01-14 23:46:00 +03:00
# Allow any version of SSL starting with TLSv1 and
# up. Note that specifying TLSv1 here prohibits use of
# newer standards (like TLSv1_2), so this is the right way
# to do this. Note that in the future it'd be better to
# support using ssl.create_default_context(), which sets
# up a bunch of things in smart ways (strong ciphers,
# protocol versions, etc) and is upgraded by Python
# maintainers for us, but that breaks too many things to
# do it in a hurry.
sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
https: support tls sni (server name indication) for https urls (issue3090) SNI is a common way of sharing servers across multiple domains using separate SSL certificates. As of Python 2.7.9 SSLContext has been backported from Python 3. This patch changes sslutil's ssl_wrap_socket to use SSLContext and take a server hostname as and argument. It also changes the url module to make use of this argument. The new code for 2.7.9 achieves it's task by attempting to get the SSLContext object from the ssl module. If this fails the try/except goes back to what was there before with the exception that the ssl_wrap_socket functions take a server_hostname argument that doesn't get used. Assuming the SSLContext exists, the arguments to wrap_socket at the module level are emulated on the SSLContext. The SSLContext is initialized with the specified ssl_version. If certfile is not None load_cert_chain is called with certfile and keyfile. keyfile being None is not a problem, load_cert_chain will simply expect the private key to be in the certificate file. verify_mode is set to cert_reqs. If ca_certs is not None load_verify_locations is called with ca_certs as the cafile. Finally the wrap_socket method of the SSLContext is called with the socket and server hostname. Finally, this fails test-check-commit-hg.t because the "new" function ssl_wrap_socket has underscores in its names and underscores in its arguments. All the underscore identifiers are taken from the other functions and as such can't be changed to match naming conventions.
2015-01-13 04:01:20 +03:00
if certfile is not None:
sslcontext.load_cert_chain(certfile, keyfile)
sslcontext.verify_mode = cert_reqs
if ca_certs is not None:
sslcontext.load_verify_locations(cafile=ca_certs)
ssl: load CA certificates from system's store by default on Python 2.7.9 This will make it easy to manage in-house CA certificates, which are often used in corporate environment and installed into the Windows' certs store. Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9. The default web.cacerts will be set as follows: environment web.cacerts behavior ------------- ----------- ----------------------------------------- Apple Python dummycert fall back to system's store Python 2.7.8 '!' never use CA certs (show warning instead) Python 2.7.9+ None load CA certs from system's store
2015-02-26 16:54:13 +03:00
elif _canloaddefaultcerts:
sslcontext.load_default_certs()
https: support tls sni (server name indication) for https urls (issue3090) SNI is a common way of sharing servers across multiple domains using separate SSL certificates. As of Python 2.7.9 SSLContext has been backported from Python 3. This patch changes sslutil's ssl_wrap_socket to use SSLContext and take a server hostname as and argument. It also changes the url module to make use of this argument. The new code for 2.7.9 achieves it's task by attempting to get the SSLContext object from the ssl module. If this fails the try/except goes back to what was there before with the exception that the ssl_wrap_socket functions take a server_hostname argument that doesn't get used. Assuming the SSLContext exists, the arguments to wrap_socket at the module level are emulated on the SSLContext. The SSLContext is initialized with the specified ssl_version. If certfile is not None load_cert_chain is called with certfile and keyfile. keyfile being None is not a problem, load_cert_chain will simply expect the private key to be in the certificate file. verify_mode is set to cert_reqs. If ca_certs is not None load_verify_locations is called with ca_certs as the cafile. Finally the wrap_socket method of the SSLContext is called with the socket and server hostname. Finally, this fails test-check-commit-hg.t because the "new" function ssl_wrap_socket has underscores in its names and underscores in its arguments. All the underscore identifiers are taken from the other functions and as such can't be changed to match naming conventions.
2015-01-13 04:01:20 +03:00
sslsocket = sslcontext.wrap_socket(sock,
server_hostname=serverhostname)
# check if wrap_socket failed silently because socket had been
# closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
raise util.Abort(_('ssl connection failed'))
return sslsocket
except AttributeError:
sslutil: drop support for clients of sslutil specifying a TLS version We really just want to support the newest thing possible, so we may as well consolidate that knowledge into this module. Right now this doesn't change any behavior, but a future change will fix the defaults for Python 2.7.9 so we can use slightly better defaults there (which is the only place it's possible at the moment.)
2015-01-14 23:31:16 +03:00
def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
ca_certs=None, serverhostname=None):
https: support tls sni (server name indication) for https urls (issue3090) SNI is a common way of sharing servers across multiple domains using separate SSL certificates. As of Python 2.7.9 SSLContext has been backported from Python 3. This patch changes sslutil's ssl_wrap_socket to use SSLContext and take a server hostname as and argument. It also changes the url module to make use of this argument. The new code for 2.7.9 achieves it's task by attempting to get the SSLContext object from the ssl module. If this fails the try/except goes back to what was there before with the exception that the ssl_wrap_socket functions take a server_hostname argument that doesn't get used. Assuming the SSLContext exists, the arguments to wrap_socket at the module level are emulated on the SSLContext. The SSLContext is initialized with the specified ssl_version. If certfile is not None load_cert_chain is called with certfile and keyfile. keyfile being None is not a problem, load_cert_chain will simply expect the private key to be in the certificate file. verify_mode is set to cert_reqs. If ca_certs is not None load_verify_locations is called with ca_certs as the cafile. Finally the wrap_socket method of the SSLContext is called with the socket and server hostname. Finally, this fails test-check-commit-hg.t because the "new" function ssl_wrap_socket has underscores in its names and underscores in its arguments. All the underscore identifiers are taken from the other functions and as such can't be changed to match naming conventions.
2015-01-13 04:01:20 +03:00
sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
cert_reqs=cert_reqs, ca_certs=ca_certs,
sslutil: drop defunct ssl version constants Nobody outside sslutil should be using these constants anyway.
2015-01-14 23:46:21 +03:00
ssl_version=ssl.PROTOCOL_TLSv1)
https: support tls sni (server name indication) for https urls (issue3090) SNI is a common way of sharing servers across multiple domains using separate SSL certificates. As of Python 2.7.9 SSLContext has been backported from Python 3. This patch changes sslutil's ssl_wrap_socket to use SSLContext and take a server hostname as and argument. It also changes the url module to make use of this argument. The new code for 2.7.9 achieves it's task by attempting to get the SSLContext object from the ssl module. If this fails the try/except goes back to what was there before with the exception that the ssl_wrap_socket functions take a server_hostname argument that doesn't get used. Assuming the SSLContext exists, the arguments to wrap_socket at the module level are emulated on the SSLContext. The SSLContext is initialized with the specified ssl_version. If certfile is not None load_cert_chain is called with certfile and keyfile. keyfile being None is not a problem, load_cert_chain will simply expect the private key to be in the certificate file. verify_mode is set to cert_reqs. If ca_certs is not None load_verify_locations is called with ca_certs as the cafile. Finally the wrap_socket method of the SSLContext is called with the socket and server hostname. Finally, this fails test-check-commit-hg.t because the "new" function ssl_wrap_socket has underscores in its names and underscores in its arguments. All the underscore identifiers are taken from the other functions and as such can't be changed to match naming conventions.
2015-01-13 04:01:20 +03:00
# check if wrap_socket failed silently because socket had been
# closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
raise util.Abort(_('ssl connection failed'))
return sslsocket
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
except ImportError:
CERT_REQUIRED = 2
sslutil: Restore missing imports of socket and httplib to sslutil Two imports were omitted in the restructure of the code creating sslutil.py, socket and httplib are required when the 'ssl' module cannot be imported, restoring these imports allows mercurial to run on python2.4+2.5.
2011-06-14 07:31:32 +04:00
import socket, httplib
sslutil: drop support for clients of sslutil specifying a TLS version We really just want to support the newest thing possible, so we may as well consolidate that knowledge into this module. Right now this doesn't change any behavior, but a future change will fix the defaults for Python 2.7.9 so we can use slightly better defaults there (which is the only place it's possible at the moment.)
2015-01-14 23:31:16 +03:00
def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=CERT_REQUIRED,
ca_certs=None, serverhostname=None):
sslutil: abort when ssl module is needed but not found It is apparently possible to compile Python without SSL support or leave it out when installing precompiled binaries. Mercurial on such Pythons would crash if the user tried to use https. Now it will be reported as "abort: Python SSL support not found" instead.
2011-09-27 20:51:10 +04:00
if not util.safehasattr(socket, 'ssl'):
raise util.Abort(_('Python SSL support not found'))
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
if ca_certs:
raise util.Abort(_(
'certificate checking requires Python 2.6'))
sslutil: make keyfile and certfile arguments consistent between 2.6+ and 2.5-
2013-09-20 17:15:43 +04:00
ssl = socket.ssl(sock, keyfile, certfile)
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
return httplib.FakeSocket(sock, ssl)
def _verifycert(cert, hostname):
'''Verify that cert (in socket.getpeercert() format) matches hostname.
CRLs is not handled.
Returns error message if any problems are found and None on success.
'''
if not cert:
return _('no certificate received')
dnsname = hostname.lower()
def matchdnsname(certname):
return (certname == dnsname or
'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
san = cert.get('subjectAltName', [])
if san:
certnames = [value.lower() for key, value in san if key == 'DNS']
for name in certnames:
if matchdnsname(name):
return None
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Any entries in subjectAltName would prevent fallback to using commonName, but RFC 2818 says: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. We now only consider dNSNames in subjectAltName. (dNSName is known as 'DNS' in OpenSSL/Python.)
2011-06-18 03:03:03 +04:00
if certnames:
return _('certificate is for %s') % ', '.join(certnames)
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
# subject is only checked when subjectAltName is empty
for s in cert.get('subject', []):
key, value = s[0]
if key == 'commonName':
try:
# 'subject' entries are unicode
certname = value.lower().encode('ascii')
except UnicodeEncodeError:
return _('IDN in certificate not supported')
if matchdnsname(certname):
return None
return _('certificate is for %s') % certname
return _('no commonName or subjectAltName found in certificate')
# CERT_REQUIRED means fetch the cert from the server all the time AND
# validate it against the CA store provided in web.cacerts.
#
# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
# busted on those versions.
ssl: only use the dummy cert hack if using an Apple Python (issue4410) The hack for using certificate store in addition to the provided CAs resides in Apple's OpenSSL. Apple's own Pythons will use it, but other custom built Pythons might use a custom built OpenSSL without that hack and will fail when exposed to the dummy cacert introduced in ee8b7fe5e119. There do not seem to be a simple way to check from Python if we are using a patched OpenSSL or if it is an Apple OpenSSL. Instead, check if the Python executable resides in /usr/bin/python* or in /System/Library/Frameworks/Python.framework/ and assume that all Pythons found there will be native Pythons using the patched OpenSSL. Custom built Pythons will not get the benefit of using the CAs from the certificate store.
2014-10-17 20:56:12 +04:00
def _plainapplepython():
"""return true if this seems to be a pure Apple Python that
* is unfrozen and presumably has the whole mercurial module in the file
system
* presumably is an Apple Python that uses Apple OpenSSL which has patches
for using system certificate store CAs in addition to the provided
cacerts file
"""
ssl: resolve symlink before checking for Apple python executable (issue4588) test-https.t was broken at d133034be253 if /usr/bin/pythonX.Y is used on Mac OS X. If python executable is not named as "python", run-tests.py creates a symlink and hghave uses it. On the other hand, the installed hg executable knows the real path to the system Python. Therefore, there was an inconsistency that hghave said it was not an Apple python but hg knew it was.
2015-04-04 08:56:18 +03:00
if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
ssl: only use the dummy cert hack if using an Apple Python (issue4410) The hack for using certificate store in addition to the provided CAs resides in Apple's OpenSSL. Apple's own Pythons will use it, but other custom built Pythons might use a custom built OpenSSL without that hack and will fail when exposed to the dummy cacert introduced in ee8b7fe5e119. There do not seem to be a simple way to check from Python if we are using a patched OpenSSL or if it is an Apple OpenSSL. Instead, check if the Python executable resides in /usr/bin/python* or in /System/Library/Frameworks/Python.framework/ and assume that all Pythons found there will be native Pythons using the patched OpenSSL. Custom built Pythons will not get the benefit of using the CAs from the certificate store.
2014-10-17 20:56:12 +04:00
return False
ssl: resolve symlink before checking for Apple python executable (issue4588) test-https.t was broken at d133034be253 if /usr/bin/pythonX.Y is used on Mac OS X. If python executable is not named as "python", run-tests.py creates a symlink and hghave uses it. On the other hand, the installed hg executable knows the real path to the system Python. Therefore, there was an inconsistency that hghave said it was not an Apple python but hg knew it was.
2015-04-04 08:56:18 +03:00
exe = os.path.realpath(sys.executable).lower()
ssl: only use the dummy cert hack if using an Apple Python (issue4410) The hack for using certificate store in addition to the provided CAs resides in Apple's OpenSSL. Apple's own Pythons will use it, but other custom built Pythons might use a custom built OpenSSL without that hack and will fail when exposed to the dummy cacert introduced in ee8b7fe5e119. There do not seem to be a simple way to check from Python if we are using a patched OpenSSL or if it is an Apple OpenSSL. Instead, check if the Python executable resides in /usr/bin/python* or in /System/Library/Frameworks/Python.framework/ and assume that all Pythons found there will be native Pythons using the patched OpenSSL. Custom built Pythons will not get the benefit of using the CAs from the certificate store.
2014-10-17 20:56:12 +04:00
return (exe.startswith('/usr/bin/python') or
exe.startswith('/system/library/frameworks/python.framework/'))
ssl: extract function that returns dummycert path on Apple python This function will be the condition to switch DISABLEOSXDUMMYCERT in test-https.t.
2015-03-04 16:27:01 +03:00
def _defaultcacerts():
ssl: load CA certificates from system's store by default on Python 2.7.9 This will make it easy to manage in-house CA certificates, which are often used in corporate environment and installed into the Windows' certs store. Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9. The default web.cacerts will be set as follows: environment web.cacerts behavior ------------- ----------- ----------------------------------------- Apple Python dummycert fall back to system's store Python 2.7.8 '!' never use CA certs (show warning instead) Python 2.7.9+ None load CA certs from system's store
2015-02-26 16:54:13 +03:00
"""return path to CA certificates; None for system's store; ! to disable"""
ssl: extract function that returns dummycert path on Apple python This function will be the condition to switch DISABLEOSXDUMMYCERT in test-https.t.
2015-03-04 16:27:01 +03:00
if _plainapplepython():
dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
if os.path.exists(dummycert):
return dummycert
ssl: load CA certificates from system's store by default on Python 2.7.9 This will make it easy to manage in-house CA certificates, which are often used in corporate environment and installed into the Windows' certs store. Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9. The default web.cacerts will be set as follows: environment web.cacerts behavior ------------- ----------- ----------------------------------------- Apple Python dummycert fall back to system's store Python 2.7.8 '!' never use CA certs (show warning instead) Python 2.7.9+ None load CA certs from system's store
2015-02-26 16:54:13 +03:00
if _canloaddefaultcerts:
return None
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) The next patch will enable verification by using the system's CA store if possible, which means we would have to distinguish None (=use default) from '' (=--insecure). This smells bug-prone and provides no way to override web.cacerts to forcibly use the system's store by --config argument. This patch changes the meaning of web.cacerts as follows: value behavior ------- --------------------------------------- None/'' use default '!' never use CA certs (set by --insecure) <path> verify by the specified CA certificates Values other than <path> are for internal use and therefore undocumented.
2015-03-04 17:27:04 +03:00
return '!'
ssl: extract function that returns dummycert path on Apple python This function will be the condition to switch DISABLEOSXDUMMYCERT in test-https.t.
2015-03-04 16:27:01 +03:00
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
def sslkwargs(ui, host):
sslutil: drop support for clients of sslutil specifying a TLS version We really just want to support the newest thing possible, so we may as well consolidate that knowledge into this module. Right now this doesn't change any behavior, but a future change will fix the defaults for Python 2.7.9 so we can use slightly better defaults there (which is the only place it's possible at the moment.)
2015-01-14 23:31:16 +03:00
kws = {}
ssl: refactor sslkwargs - move things around a bit, preparing for next change
2014-09-26 04:19:47 +04:00
hostfingerprint = ui.config('hostfingerprints', host)
if hostfingerprint:
return kws
cacerts = ui.config('web', 'cacerts')
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) The next patch will enable verification by using the system's CA store if possible, which means we would have to distinguish None (=use default) from '' (=--insecure). This smells bug-prone and provides no way to override web.cacerts to forcibly use the system's store by --config argument. This patch changes the meaning of web.cacerts as follows: value behavior ------- --------------------------------------- None/'' use default '!' never use CA certs (set by --insecure) <path> verify by the specified CA certificates Values other than <path> are for internal use and therefore undocumented.
2015-03-04 17:27:04 +03:00
if cacerts == '!':
pass
elif cacerts:
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
cacerts = util.expandpath(cacerts)
if not os.path.exists(cacerts):
raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) The next patch will enable verification by using the system's CA store if possible, which means we would have to distinguish None (=use default) from '' (=--insecure). This smells bug-prone and provides no way to override web.cacerts to forcibly use the system's store by --config argument. This patch changes the meaning of web.cacerts as follows: value behavior ------- --------------------------------------- None/'' use default '!' never use CA certs (set by --insecure) <path> verify by the specified CA certificates Values other than <path> are for internal use and therefore undocumented.
2015-03-04 17:27:04 +03:00
else:
cacerts = _defaultcacerts()
if cacerts and cacerts != '!':
ui.debug('using %s to enable OS X system CA\n' % cacerts)
ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
if cacerts != '!':
sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Prior to this change, we default to SSLv23, which is insecure because it allows use of SSLv2. Unfortunately, there's no constant for OpenSSL to let us use SSLv3 or TLS - we have to pick one or the other. We expose a knob to revert to pre-TLS SSL for the user that has an ancient server that lacks proper TLS support.
2013-09-20 00:29:00 +04:00
kws.update({'ca_certs': cacerts,
'cert_reqs': CERT_REQUIRED,
})
return kws
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
class validator(object):
def __init__(self, ui, host):
self.ui = ui
self.host = host
sslutil: abort if peer certificate is not verified for secure use Before this patch, "sslutil.validator" may returns successfully, even if peer certificate is not verified because there is no information in "[hostfingerprints]" and "[web] cacerts". To prevent from sending authentication credential to untrustable SMTP server, validation should be aborted if peer certificate is not verified. This patch introduces "strict" optional argument, and "sslutil.validator" will abort if it is True and peer certificate is not verified.
2013-03-25 21:28:10 +04:00
def __call__(self, sock, strict=False):
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
host = self.host
cacerts = self.ui.config('web', 'cacerts')
hostfingerprint = self.ui.config('hostfingerprints', host)
sslutil: handle setups without .getpeercert() early in the validator This simplifies the code and makes the flow more obvious and reduces the indentation level.
2012-01-09 17:43:23 +04:00
if not getattr(sock, 'getpeercert', False): # python 2.5 ?
if hostfingerprint:
raise util.Abort(_("host fingerprint for %s can't be "
"verified (Python too old)") % host)
sslutil: abort if peer certificate is not verified for secure use Before this patch, "sslutil.validator" may returns successfully, even if peer certificate is not verified because there is no information in "[hostfingerprints]" and "[web] cacerts". To prevent from sending authentication credential to untrustable SMTP server, validation should be aborted if peer certificate is not verified. This patch introduces "strict" optional argument, and "sslutil.validator" will abort if it is True and peer certificate is not verified.
2013-03-25 21:28:10 +04:00
if strict:
raise util.Abort(_("certificate for %s can't be verified "
"(Python too old)") % host)
ui: optionally quiesce ssl verification warnings on python 2.5 Some platforms, notably Plan 9 from Bell Labs are stuck on older releases of Python. Due to restrictions in the platform, it is not possible to backport the SSL library to the existing Python port. This patch permits the UI to quiesce SSL verification warnings by adding a configuration entry named reportoldssl to ui.
2012-04-10 01:36:16 +04:00
if self.ui.configbool('ui', 'reportoldssl', True):
self.ui.warn(_("warning: certificate for %s can't be verified "
"(Python too old)\n") % host)
sslutil: handle setups without .getpeercert() early in the validator This simplifies the code and makes the flow more obvious and reduces the indentation level.
2012-01-09 17:43:23 +04:00
return
sslutil: try harder to avoid getpeercert problems We wrap both calls to getpeercert in a try/except to make sure we catch its bogus AttributeError.
2013-04-05 21:20:14 +04:00
sslutil: work around validator crash getting certificate on failed sockets The previous workaround for correct handling of wrapping of failing connections might be enough to prevent this from happening, but the check here makes this function more robust.
2012-01-09 17:43:25 +04:00
if not sock.cipher(): # work around http://bugs.python.org/issue13721
raise util.Abort(_('%s ssl connection error') % host)
sslutil: try harder to avoid getpeercert problems We wrap both calls to getpeercert in a try/except to make sure we catch its bogus AttributeError.
2013-04-05 21:20:14 +04:00
try:
peercert = sock.getpeercert(True)
peercert2 = sock.getpeercert()
except AttributeError:
raise util.Abort(_('%s ssl connection error') % host)
sslutil: abort properly if no certificate received for https connection According to the documentation SSLSocket.getpeercert() can return None.
2012-01-09 17:56:05 +04:00
if not peercert:
raise util.Abort(_('%s certificate error: '
'no certificate received') % host)
sslutil: show fingerprint when cacerts validation fails
2012-01-09 17:43:24 +04:00
peerfingerprint = util.sha1(peercert).hexdigest()
nicefingerprint = ":".join([peerfingerprint[x:x + 2]
for x in xrange(0, len(peerfingerprint), 2)])
sslutil: reorder validator code to make it more readable
2012-01-09 17:43:24 +04:00
if hostfingerprint:
if peerfingerprint.lower() != \
hostfingerprint.replace(':', '').lower():
sslutil: more helpful fingerprint mismatch message This will aid debugging for users of sites that renew certs.
2012-01-26 21:23:15 +04:00
raise util.Abort(_('certificate for %s has unexpected '
'fingerprint %s') % (host, nicefingerprint),
hint=_('check hostfingerprint configuration'))
sslutil: reorder validator code to make it more readable
2012-01-09 17:43:24 +04:00
self.ui.debug('%s certificate matched fingerprint %s\n' %
(host, nicefingerprint))
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC) The next patch will enable verification by using the system's CA store if possible, which means we would have to distinguish None (=use default) from '' (=--insecure). This smells bug-prone and provides no way to override web.cacerts to forcibly use the system's store by --config argument. This patch changes the meaning of web.cacerts as follows: value behavior ------- --------------------------------------- None/'' use default '!' never use CA certs (set by --insecure) <path> verify by the specified CA certificates Values other than <path> are for internal use and therefore undocumented.
2015-03-04 17:27:04 +03:00
elif cacerts != '!':
sslutil: try harder to avoid getpeercert problems We wrap both calls to getpeercert in a try/except to make sure we catch its bogus AttributeError.
2013-04-05 21:20:14 +04:00
msg = _verifycert(peercert2, host)
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
if msg:
sslutil: show fingerprint when cacerts validation fails
2012-01-09 17:43:24 +04:00
raise util.Abort(_('%s certificate error: %s') % (host, msg),
hint=_('configure hostfingerprint %s or use '
'--insecure to connect insecurely') %
nicefingerprint)
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
self.ui.debug('%s certificate successfully verified\n' % host)
sslutil: abort if peer certificate is not verified for secure use Before this patch, "sslutil.validator" may returns successfully, even if peer certificate is not verified because there is no information in "[hostfingerprints]" and "[web] cacerts". To prevent from sending authentication credential to untrustable SMTP server, validation should be aborted if peer certificate is not verified. This patch introduces "strict" optional argument, and "sslutil.validator" will abort if it is True and peer certificate is not verified.
2013-03-25 21:28:10 +04:00
elif strict:
raise util.Abort(_('%s certificate with fingerprint %s not '
'verified') % (host, nicefingerprint),
hint=_('check hostfingerprints or web.cacerts '
'config setting'))
sslutil: extracted ssl methods from httpsconnection in url.py This makes it easier to share ssl cert validation with other http implementations.
2011-05-05 07:08:55 +04:00
else:
sslutil: reorder validator code to make it more readable
2012-01-09 17:43:24 +04:00
self.ui.warn(_('warning: %s certificate with fingerprint %s not '
'verified (check hostfingerprints or web.cacerts '
'config setting)\n') %
(host, nicefingerprint))
Reference in New Issue Copy Permalink