sslutil: support defining cipher list...
Gregory Szorc -
r29577:9654ef41 default
@@ -1005,6 +1005,18 other machines.
1005 1005
1006 1006 The following options control default behavior for all hosts.
1007 1007
1008 ``ciphers``
1009 Defines the cryptographic ciphers to use for connections.
1010
1011 Value must be a valid OpenSSL Cipher List Format as documented at
1012 https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-LIST-FORMAT.
1013
1014 This setting is for advanced users only. Setting to incorrect values
1015 can significantly lower connection security or decrease performance.
1016 You have been warned.
1017
1018 This option requires Python 2.7.
1019
1008 1020 ``minimumprotocol``
1009 1021 Defines the minimum channel encryption protocol to use.
1010 1022
@@ -1027,6 +1039,10 per-host basis.
1027 1039
1028 1040 The following per-host settings can be defined.
1029 1041
1042 ``ciphers``
1043 This behaves like ``ciphers`` as described above except it only applies
1044 to the host on which it is defined.
1045
1030 1046 ``fingerprints``
1031 1047 A list of hashes of the DER encoded peer/remote certificate. Values have
1032 1048 the form ``algorithm``:``fingerprint``. e.g.
@@ -84,7 +84,11 except AttributeError:
84 84
85 85 def set_ciphers(self, ciphers):
86 86 if not self._supportsciphers:
87 raise error.Abort(_('setting ciphers not supported'))
87 raise error.Abort(_('setting ciphers in [hostsecurity] is not '
88 'supported by this version of Python'),
89 hint=_('remove the config option or run '
90 'Mercurial with a modern Python '
91 'version (preferred)'))
88 92
89 93 self._ciphers = ciphers
90 94
@@ -131,6 +135,8 def _hostsettings(ui, hostname):
131 135 'verifymode': None,
132 136 # Defines extra ssl.OP* bitwise options to set.
133 137 'ctxoptions': None,
138 # OpenSSL Cipher List to use (instead of default).
139 'ciphers': None,
134 140 }
135 141
136 142 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
@@ -183,6 +189,10 def _hostsettings(ui, hostname):
183 189
184 190 s['protocol'], s['ctxoptions'] = protocolsettings(protocol)
185 191
192 ciphers = ui.config('hostsecurity', 'ciphers')
193 ciphers = ui.config('hostsecurity', '%s:ciphers' % hostname, ciphers)
194 s['ciphers'] = ciphers
195
186 196 # Look for fingerprints in [hostsecurity] section. Value is a list
187 197 # of <alg>:<fingerprint> strings.
188 198 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
@@ -347,6 +357,14 def wrapsocket(sock, keyfile, certfile,
347 357 # This still works on our fake SSLContext.
348 358 sslcontext.verify_mode = settings['verifymode']
349 359
360 if settings['ciphers']:
361 try:
362 sslcontext.set_ciphers(settings['ciphers'])
363 except ssl.SSLError as e:
364 raise error.Abort(_('could not set ciphers: %s') % e.args[0],
365 hint=_('change cipher string (%s) in config') %
366 settings['ciphers'])
367
350 368 if certfile is not None:
351 369 def password():
352 370 f = keyfile or certfile
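Review bot: The cipher string in `settings['ciphers']` is passed to `set_ciphers()` verbatim at line 362, so a value that enables anonymous or NULL suites (`aNULL`, `eNULL`, both accepted by OpenSSL's list format) is applied silently; the only safeguard is the warning in the help text. Because `verify_mode` is taken from `settings['verifymode']` just above this hunk and is presumably not always CERT_REQUIRED (the fingerprint-pinning path, which lives outside this hunk), an anonymous suite could yield an unauthenticated connection with no diagnostic at all. Appending a permanent exclusion keeps the user's ordering and selection intact while blocking those suites: `sslcontext.set_ciphers(settings['ciphers'] + ':!aNULL:!eNULL')` — OpenSSL treats `!` entries as permanent deletions regardless of where they appear in the list. The `except ssl.SSLError` branch would still report a list that excludes everything, as the test for `invalid` shows. `wrapsocket` starts and ends outside this hunk.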
@@ -326,6 +326,48 Disabling the TLS 1.0 warning works
326 326 > --config hostsecurity.disabletls10warning=true
327 327 5fed3813f7f5
328 328
329 #if no-sslcontext no-py27+
330 Setting ciphers doesn't work in Python 2.6
331 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
332 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
333 abort: setting ciphers in [hostsecurity] is not supported by this version of Python
334 (remove the config option or run Mercurial with a modern Python version (preferred))
335 [255]
336 #endif
337
338 Setting ciphers works in Python 2.7+ but the error message is different on
339 legacy ssl. We test legacy once and do more feature checking on modern
340 configs.
341
342 #if py27+ no-sslcontext
343 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
344 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
345 abort: *No cipher can be selected. (glob)
346 [255]
347
348 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
349 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
350 5fed3813f7f5
351 #endif
352
353 #if sslcontext
354 Setting ciphers to an invalid value aborts
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
356 abort: could not set ciphers: No cipher can be selected.
357 (change cipher string (invalid) in config)
358 [255]
359
360 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
361 abort: could not set ciphers: No cipher can be selected.
362 (change cipher string (invalid) in config)
363 [255]
364
365 Changing the cipher string works
366
367 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
368 5fed3813f7f5
369 #endif
370
329 371 Fingerprints
330 372
331 373 - works without cacerts (hostkeyfingerprints)
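Review bot: The positive cases at lines 348-350 and 367-368 only show that `hostsecurity.ciphers=HIGH` still connects, which would also hold if the option were parsed and then ignored; nothing in this hunk demonstrates that the list reaches the handshake. A syntactically valid list the test server cannot satisfy (for example `hostsecurity.ciphers=NULL`, which OpenSSL's DEFAULT server set should exclude, or a single suite the server does not offer) ought to fail the handshake instead of printing `5fed3813f7f5`, and that failure pins the setting as effective; a per-host `hostsecurity.localhost:ciphers=HIGH` success next to the per-host `invalid` case at line 360 would likewise cover the override path end to end. The exact error text will differ across ssl backends, so it needs a `(glob)` like the one already used at line 345.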