@@ -1005,6 +1005,18 b' other machines.' | |||||
1005 |
|
1005 | |||
1006 | The following options control default behavior for all hosts. |
|
1006 | The following options control default behavior for all hosts. | |
1007 |
|
1007 | |||
|
1008 | ``ciphers`` | |||
|
1009 | Defines the cryptographic ciphers to use for connections. | |||
|
1010 | ||||
|
1011 | Value must be a valid OpenSSL Cipher List Format as documented at | |||
|
1012 | https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-LIST-FORMAT. | |||
|
1013 | ||||
|
1014 | This setting is for advanced users only. Setting to incorrect values | |||
|
1015 | can significantly lower connection security or decrease performance. | |||
|
1016 | You have been warned. | |||
|
1017 | ||||
|
1018 | This option requires Python 2.7. | |||
|
1019 | ||||
1008 | ``minimumprotocol`` |
|
1020 | ``minimumprotocol`` | |
1009 | Defines the minimum channel encryption protocol to use. |
|
1021 | Defines the minimum channel encryption protocol to use. | |
1010 |
|
1022 | |||
@@ -1027,6 +1039,10 b' per-host basis.' | |||||
1027 |
|
1039 | |||
1028 | The following per-host settings can be defined. |
|
1040 | The following per-host settings can be defined. | |
1029 |
|
1041 | |||
|
1042 | ``ciphers`` | |||
|
1043 | This behaves like ``ciphers`` as described above except it only applies | |||
|
1044 | to the host on which it is defined. | |||
|
1045 | ||||
1030 | ``fingerprints`` |
|
1046 | ``fingerprints`` | |
1031 | A list of hashes of the DER encoded peer/remote certificate. Values have |
|
1047 | A list of hashes of the DER encoded peer/remote certificate. Values have | |
1032 | the form ``algorithm``:``fingerprint``. e.g. |
|
1048 | the form ``algorithm``:``fingerprint``. e.g. |
@@ -84,7 +84,11 b' except AttributeError:' | |||||
84 |
|
84 | |||
85 | def set_ciphers(self, ciphers): |
|
85 | def set_ciphers(self, ciphers): | |
86 | if not self._supportsciphers: |
|
86 | if not self._supportsciphers: | |
87 |
raise error.Abort(_('setting ciphers |
|
87 | raise error.Abort(_('setting ciphers in [hostsecurity] is not ' | |
|
88 | 'supported by this version of Python'), | |||
|
89 | hint=_('remove the config option or run ' | |||
|
90 | 'Mercurial with a modern Python ' | |||
|
91 | 'version (preferred)')) | |||
88 |
|
92 | |||
89 | self._ciphers = ciphers |
|
93 | self._ciphers = ciphers | |
90 |
|
94 | |||
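Review bot: The fallback SSLContext's set_ciphers only records the string on new line 93, so an invalid cipher list is not rejected here the way a real ssl.SSLContext.set_ciphers rejects it; the failure surfaces later when the socket is wrapped, as a raw OpenSSL message rather than the hinted Abort that wrapsocket produces on the sslcontext path (the test hunk at new lines 342-346 documents exactly this asymmetry). That deserves a comment so the next maintainer does not expect wrapsocket's `except ssl.SSLError` to cover this path: `# Validation is deferred to wrap time: an invalid list surfaces as a raw ssl.SSLError, not the hinted Abort raised by wrapsocket() on real SSLContext objects.` The enclosing class starts outside the hunk, so whether wrap_socket actually passes `self._ciphers` through cannot be confirmed from here.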
@@ -131,6 +135,8 b' def _hostsettings(ui, hostname):' | |||||
131 | 'verifymode': None, |
|
135 | 'verifymode': None, | |
132 | # Defines extra ssl.OP* bitwise options to set. |
|
136 | # Defines extra ssl.OP* bitwise options to set. | |
133 | 'ctxoptions': None, |
|
137 | 'ctxoptions': None, | |
|
138 | # OpenSSL Cipher List to use (instead of default). | |||
|
139 | 'ciphers': None, | |||
134 | } |
|
140 | } | |
135 |
|
141 | |||
136 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
|
142 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | |
@@ -183,6 +189,10 b' def _hostsettings(ui, hostname):' | |||||
183 |
|
189 | |||
184 | s['protocol'], s['ctxoptions'] = protocolsettings(protocol) |
|
190 | s['protocol'], s['ctxoptions'] = protocolsettings(protocol) | |
185 |
|
191 | |||
|
192 | ciphers = ui.config('hostsecurity', 'ciphers') | |||
|
193 | ciphers = ui.config('hostsecurity', '%s:ciphers' % hostname, ciphers) | |||
|
194 | s['ciphers'] = ciphers | |||
|
195 | ||||
186 | # Look for fingerprints in [hostsecurity] section. Value is a list |
|
196 | # Look for fingerprints in [hostsecurity] section. Value is a list | |
187 | # of <alg>:<fingerprint> strings. |
|
197 | # of <alg>:<fingerprint> strings. | |
188 | fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, |
|
198 | fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, | |
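Review bot: The per-host lookup on new line 193 falls back to the global value, but nothing in the hunk documents that precedence or that the value is stored unvalidated; a comment such as `# Per-host <host>:ciphers overrides the global ciphers value. Not validated here; wrapsocket() applies it and reports an invalid string.` would make the contract explicit, matching the style of the ctxoptions comment in the dict hunk above. Presumably an explicitly empty `hostsecurity.ciphers=` (or an empty per-host override) reaches `s['ciphers']` as the empty string, which the truthiness test in wrapsocket then treats as "use defaults" rather than as a configuration error; worth confirming against ui.config and either documenting that behaviour or rejecting empty values here. _hostsettings begins outside the hunk.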
@@ -347,6 +357,14 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
347 | # This still works on our fake SSLContext. |
|
357 | # This still works on our fake SSLContext. | |
348 | sslcontext.verify_mode = settings['verifymode'] |
|
358 | sslcontext.verify_mode = settings['verifymode'] | |
349 |
|
359 | |||
|
360 | if settings['ciphers']: | |||
|
361 | try: | |||
|
362 | sslcontext.set_ciphers(settings['ciphers']) | |||
|
363 | except ssl.SSLError as e: | |||
|
364 | raise error.Abort(_('could not set ciphers: %s') % e.args[0], | |||
|
365 | hint=_('change cipher string (%s) in config') % | |||
|
366 | settings['ciphers']) | |||
|
367 | ||||
350 | if certfile is not None: |
|
368 | if certfile is not None: | |
351 | def password(): |
|
369 | def password(): | |
352 | f = keyfile or certfile |
|
370 | f = keyfile or certfile |
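Review bot: The message formatting on new line 364 indexes `e.args[0]` directly; on the path the test exercises the message is the sole argument, but ssl.SSLError can carry an `(errno, strerror)` pair on some Python versions, which would print a bare number, and an SSLError with empty args would turn the Abort into an IndexError. Formatting the exception itself is robust to both: `raise error.Abort(_('could not set ciphers: %s') % e,`. The hint on new lines 365-366 echoes the configured string back, which is useful for diagnosis; the sslcontext-only scope of this `except` is worth a one-line comment since the fallback context in the set_ciphers hunk raises Abort instead of SSLError. wrapsocket begins and ends outside the hunk.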
@@ -326,6 +326,48 b' Disabling the TLS 1.0 warning works' | |||||
326 | > --config hostsecurity.disabletls10warning=true |
|
326 | > --config hostsecurity.disabletls10warning=true | |
327 | 5fed3813f7f5 |
|
327 | 5fed3813f7f5 | |
328 |
|
328 | |||
|
329 | #if no-sslcontext no-py27+ | |||
|
330 | Setting ciphers doesn't work in Python 2.6 | |||
|
331 | $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ | |||
|
332 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | |||
|
333 | abort: setting ciphers in [hostsecurity] is not supported by this version of Python | |||
|
334 | (remove the config option or run Mercurial with a modern Python version (preferred)) | |||
|
335 | [255] | |||
|
336 | #endif | |||
|
337 | ||||
|
338 | Setting ciphers works in Python 2.7+ but the error message is different on | |||
|
339 | legacy ssl. We test legacy once and do more feature checking on modern | |||
|
340 | configs. | |||
|
341 | ||||
|
342 | #if py27+ no-sslcontext | |||
|
343 | $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ | |||
|
344 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | |||
|
345 | abort: *No cipher can be selected. (glob) | |||
|
346 | [255] | |||
|
347 | ||||
|
348 | $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ | |||
|
349 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | |||
|
350 | 5fed3813f7f5 | |||
|
351 | #endif | |||
|
352 | ||||
|
353 | #if sslcontext | |||
|
354 | Setting ciphers to an invalid value aborts | |||
|
355 | $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ | |||
|
356 | abort: could not set ciphers: No cipher can be selected. | |||
|
357 | (change cipher string (invalid) in config) | |||
|
358 | [255] | |||
|
359 | ||||
|
360 | $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ | |||
|
361 | abort: could not set ciphers: No cipher can be selected. | |||
|
362 | (change cipher string (invalid) in config) | |||
|
363 | [255] | |||
|
364 | ||||
|
365 | Changing the cipher string works | |||
|
366 | ||||
|
367 | $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ | |||
|
368 | 5fed3813f7f5 | |||
|
369 | #endif | |||
|
370 | ||||
329 | Fingerprints |
|
371 | Fingerprints | |
330 |
|
372 | |||
331 | - works without cacerts (hostkeyfingerprints) |
|
373 | - works without cacerts (hostkeyfingerprints) |
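Review bot: The sslcontext cases at new lines 353-369 prove that an invalid cipher string is rejected, but none shows that a valid list is actually enforced: `hostsecurity.ciphers=HIGH` succeeds exactly as the unconfigured run does, so a regression that silently ignored `settings['ciphers']` would still pass. A case that configures a list the test server cannot satisfy and expects the handshake to fail would pin the enforcement rather than just the parsing. The per-host `localhost:ciphers` override is likewise only exercised with an invalid value, so a valid per-host value overriding a global one is untested.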