From e10e504454b4854a60dc5bdb30943d0669c1ddd2 Mon Sep 17 00:00:00 2001 From: Mads Kiilerich Date: Fri, 28 Jan 2011 02:57:59 +0100 Subject: [PATCH] url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Known fingerprints of HTTPS servers can now be configured in the hostfingerprints section. That makes it possible to verify the identify of web servers without configuring and trusting the CA chain. Limitations: * Portnumbers are ignored, just like with ordinary certificates. * Host name matching is case sensitive. --- doc/hgrc.5.txt | 18 ++++++++++++++++++ mercurial/hg.py | 2 +- mercurial/url.py | 32 ++++++++++++++++++++++++++++---- tests/test-https.t | 23 +++++++++++++++++++++-- 4 files changed, 68 insertions(+), 7 deletions(-) diff --git a/doc/hgrc.5.txt b/doc/hgrc.5.txt index 0510c4ac17..2be6e20f1f 100644 --- a/doc/hgrc.5.txt +++ b/doc/hgrc.5.txt @@ -423,6 +423,24 @@ Example for ``~/.hgrc``:: myfeature = ~/.hgext/myfeature.py +``hostfingerprints`` +"""""""""""""""""""" + +Fingerprints of the certificates of known HTTPS servers. +A HTTPS connection to a server with a fingerprint configured here will +only succeed if the servers certificate matches the fingerprint. +This is very similar to how ssh known hosts works. +The fingerprint is the SHA-1 hash value of the DER encoded certificate. +The CA chain and web.cacerts is not used for servers with a fingerprint. + +For example:: + + [hostfingerprints] + hg.intevation.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc + +This feature is only supported when using Python 2.6 or later. + + ``format`` """""""""" diff --git a/mercurial/hg.py b/mercurial/hg.py index b705660855..241c972873 100644 --- a/mercurial/hg.py +++ b/mercurial/hg.py @@ -546,7 +546,7 @@ def remoteui(src, opts): dst.setconfig('bundle', 'mainreporoot', r) # copy selected local settings to the remote ui - for sect in ('auth', 'http_proxy'): + for sect in ('auth', 'hostfingerprints', 'http_proxy'): for key, val in src.configitems(sect): dst.setconfig(sect, key, val) v = src.config('web', 'cacerts') diff --git a/mercurial/url.py b/mercurial/url.py index 980ce7259e..eec2799b9c 100644 --- a/mercurial/url.py +++ b/mercurial/url.py @@ -533,7 +533,8 @@ if has_https: else: cacerts = None - if cacerts: + hostfingerprint = self.ui.config('hostfingerprints', self.host) + if cacerts and not hostfingerprint: sock = _create_connection((self.host, self.port)) self.sock = _ssl_wrap_socket(sock, self.key_file, self.cert_file, cert_reqs=CERT_REQUIRED, @@ -545,10 +546,33 @@ if has_https: self.ui.debug('%s certificate successfully verified\n' % self.host) else: - self.ui.warn(_("warning: %s certificate not verified " - "(check web.cacerts config setting)\n") % - self.host) httplib.HTTPSConnection.connect(self) + if hasattr(self.sock, 'getpeercert'): + peercert = self.sock.getpeercert(True) + peerfingerprint = util.sha1(peercert).hexdigest() + nicefingerprint = ":".join([peerfingerprint[x:x + 2] + for x in xrange(0, len(peerfingerprint), 2)]) + if hostfingerprint: + if peerfingerprint.lower() != \ + hostfingerprint.replace(':', '').lower(): + raise util.Abort(_('invalid certificate for %s ' + 'with fingerprint %s') % + (self.host, nicefingerprint)) + self.ui.debug('%s certificate matched fingerprint %s\n' % + (self.host, nicefingerprint)) + else: + self.ui.warn(_('warning: %s certificate ' + 'with fingerprint %s not verified ' + '(check hostfingerprints or web.cacerts ' + 'config setting)\n') % + (self.host, nicefingerprint)) + else: # python 2.5 ? + if hostfingerprint: + raise util.Abort(_('no certificate for %s ' + 'with fingerprint') % self.host) + self.ui.warn(_('warning: %s certificate not verified ' + '(check web.cacerts config setting)\n') % + self.host) class httpsconnection(BetterHTTPS): response_class = keepalive.HTTPResponse diff --git a/tests/test-https.t b/tests/test-https.t index b60ce3882c..70efcbe012 100644 --- a/tests/test-https.t +++ b/tests/test-https.t @@ -106,7 +106,7 @@ Test server address cannot be reused clone via pull $ hg clone https://localhost:$HGPORT/ copy-pull - warning: localhost certificate not verified (check web.cacerts config setting) + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) requesting all changes adding changesets adding manifests @@ -132,7 +132,7 @@ pull without cacert $ echo '[hooks]' >> .hg/hgrc $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc $ hg pull - warning: localhost certificate not verified (check web.cacerts config setting) + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ pulling from https://localhost:$HGPORT/ searching for changes @@ -188,3 +188,22 @@ Test server cert which no longer is valid $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/ abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob) [255] + +Fingerprints + + $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc + $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc + $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc + +- works without cacerts + $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts= + 5fed3813f7f5 + +- fails when cert doesn't match hostname (port is ignored) + $ hg -R copy-pull id https://localhost:$HGPORT1/ + abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b + [255] + +- ignores that certificate doesn't match hostname + $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ + 5fed3813f7f5