facebook/sapling
1
1
Fork 0
mirror of https://github.com/facebook/sapling.git synced 2024-10-07 07:17:55 +03:00
Code Issues Projects Releases Wiki Activity

url: 'ssh known host'-like checking of fingerprints of HTTPS certificates

Browse Source 
Known fingerprints of HTTPS servers can now be configured in the
hostfingerprints section. That makes it possible to verify the identify of web
servers without configuring and trusting the CA chain.

Limitations:
* Portnumbers are ignored, just like with ordinary certificates.
* Host name matching is case sensitive.
This commit is contained in:
Mads Kiilerich 2011-01-28 02:57:59 +01:00
parent 15a7acee12
commit e10e504454
4 changed files with 68 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
doc/hgrc.5.txt
View File

@ -423,6 +423,24 @@ Example for ``~/.hgrc``::
myfeature = ~/.hgext/myfeature.py
``hostfingerprints``
""""""""""""""""""""
Fingerprints of the certificates of known HTTPS servers.
A HTTPS connection to a server with a fingerprint configured here will
only succeed if the servers certificate matches the fingerprint.
This is very similar to how ssh known hosts works.
The fingerprint is the SHA-1 hash value of the DER encoded certificate.
The CA chain and web.cacerts is not used for servers with a fingerprint.
For example::
[hostfingerprints]
hg.intevation.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc
This feature is only supported when using Python 2.6 or later.
``format``
""""""""""

2
mercurial/hg.py
View File

@ -546,7 +546,7 @@ def remoteui(src, opts):
dst.setconfig('bundle', 'mainreporoot', r)
# copy selected local settings to the remote ui
for sect in ('auth', 'http_proxy'):
for sect in ('auth', 'hostfingerprints', 'http_proxy'):
for key, val in src.configitems(sect):
dst.setconfig(sect, key, val)
v = src.config('web', 'cacerts')

32
mercurial/url.py
View File

@ -533,7 +533,8 @@ if has_https:
else:
cacerts = None
if cacerts:
hostfingerprint = self.ui.config('hostfingerprints', self.host)
if cacerts and not hostfingerprint:
sock = _create_connection((self.host, self.port))
self.sock = _ssl_wrap_socket(sock, self.key_file,
self.cert_file, cert_reqs=CERT_REQUIRED,
@ -545,10 +546,33 @@ if has_https:
self.ui.debug('%s certificate successfully verified\n' %
self.host)
else:
self.ui.warn(_("warning: %s certificate not verified "
"(check web.cacerts config setting)\n") %
self.host)
httplib.HTTPSConnection.connect(self)
if hasattr(self.sock, 'getpeercert'):
peercert = self.sock.getpeercert(True)
peerfingerprint = util.sha1(peercert).hexdigest()
nicefingerprint = ":".join([peerfingerprint[x:x + 2]
for x in xrange(0, len(peerfingerprint), 2)])
if hostfingerprint:
if peerfingerprint.lower() != \
hostfingerprint.replace(':', '').lower():
raise util.Abort(_('invalid certificate for %s '
'with fingerprint %s') %
(self.host, nicefingerprint))
self.ui.debug('%s certificate matched fingerprint %s\n' %
(self.host, nicefingerprint))
else:
self.ui.warn(_('warning: %s certificate '
'with fingerprint %s not verified '
'(check hostfingerprints or web.cacerts '
'config setting)\n') %
(self.host, nicefingerprint))
else: # python 2.5 ?
if hostfingerprint:
raise util.Abort(_('no certificate for %s '
'with fingerprint') % self.host)
self.ui.warn(_('warning: %s certificate not verified '
'(check web.cacerts config setting)\n') %
self.host)
class httpsconnection(BetterHTTPS):
response_class = keepalive.HTTPResponse

23
tests/test-https.t
View File

@ -106,7 +106,7 @@ Test server address cannot be reused
clone via pull
$ hg clone https://localhost:$HGPORT/ copy-pull
warning: localhost certificate not verified (check web.cacerts config setting)
warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
requesting all changes
adding changesets
adding manifests
@ -132,7 +132,7 @@ pull without cacert
$ echo '[hooks]' >> .hg/hgrc
$ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
$ hg pull
warning: localhost certificate not verified (check web.cacerts config setting)
warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
pulling from https://localhost:$HGPORT/
searching for changes
@ -188,3 +188,22 @@ Test server cert which no longer is valid
$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
[255]
Fingerprints
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
- works without cacerts
$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
5fed3813f7f5
- fails when cert doesn't match hostname (port is ignored)
$ hg -R copy-pull id https://localhost:$HGPORT1/
abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
[255]
- ignores that certificate doesn't match hostname
$ hg -R copy-pull id https://127.0.0.1:$HGPORT/
5fed3813f7f5