sslutil: allow fingerprints to be specified in [hostsecurity]...
Gregory Szorc -
r29267:f0ccb6cd default
@@ -976,6 +976,8 b' is treated as a failure.'
976 976 ``hostfingerprints``
977 977 --------------------
978 978
979 (Deprecated. Use ``[hostsecurity]``'s ``fingerprints`` options instead.)
980
979 981 Fingerprints of the certificates of known HTTPS servers.
980 982
981 983 A HTTPS connection to a server with a fingerprint configured here will
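Review bot: the deprecation note on new line 979 says "``fingerprints`` options" (plural), but the ``[hostsecurity]`` section added in this change defines a single per-host ``fingerprints`` setting; suggest "Use the ``fingerprints`` setting in ``[hostsecurity]`` instead." It would also help to give the reason: per the comment in sslutil, fingerprints from ``[hostfingerprints]`` are always SHA-1.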
@@ -995,6 +997,39 b' For example::'
995 997 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
996 998 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
997 999
1000 ``hostsecurity``
1001 ----------------
1002
1003 Used to specify per-host security settings.
1004
1005 Options in this section have the form ``hostname``:``setting``. This allows
1006 multiple settings to be defined on a per-host basis.
1007
1008 The following per-host settings can be defined.
1009
1010 ``fingerprints``
1011 A list of hashes of the DER encoded peer/remote certificate. Values have
1012 the form ``algorithm``:``fingerprint``. e.g.
1013 ``sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2``.
1014
1015 The following algorithms/prefixes are supported: ``sha1``, ``sha256``,
1016 ``sha512``.
1017
1018 Use of ``sha256`` or ``sha512`` is preferred.
1019
1020 If a fingerprint is specified, the CA chain is not validated for this
1021 host and Mercurial will require the remote certificate to match one
1022 of the fingerprints specified. This means if the server updates its
1023 certificate, Mercurial will abort until a new fingerprint is defined.
1024 This can provide stronger security than traditional CA-based validation
1025 at the expense of convenience.
1026
1027 For example::
1028
1029 [hostsecurity]
1030 hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2
1031 hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
1032
998 1033 ``http_proxy``
999 1034 --------------
1000 1035
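Review bot: the example on new line 1031 uses a colon-separated value (``sha1:fc:e2:8d:...``), but the ``fingerprints`` description on lines 1011-1013 only shows the plain hex form and never says that separators are accepted or that case is ignored; document both, since the parser strips ``:`` and lowercases the value. The hg2.example.com example also uses only ``sha1`` right after line 1018 says ``sha256`` or ``sha512`` is preferred, so consider making the multi-value example SHA-256. The text should also state what happens when a host has entries in both ``[hostfingerprints]`` and ``[hostsecurity]``.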
@@ -121,6 +121,21 b' def _hostsettings(ui, hostname):'
121 121 'verifymode': None,
122 122 }
123 123
124 # Look for fingerprints in [hostsecurity] section. Value is a list
125 # of <alg>:<fingerprint> strings.
126 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
127 [])
128 for fingerprint in fingerprints:
129 if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
130 raise error.Abort(_('invalid fingerprint for %s: %s') % (
131 hostname, fingerprint),
132 hint=_('must begin with "sha1:", "sha256:", '
133 'or "sha512:"'))
134
135 alg, fingerprint = fingerprint.split(':', 1)
136 fingerprint = fingerprint.replace(':', '').lower()
137 s['certfingerprints'].append((alg, fingerprint))
138
124 139 # Fingerprints from [hostfingerprints] are always SHA-1.
125 140 for fingerprint in ui.configlist('hostfingerprints', hostname, []):
126 141 fingerprint = fingerprint.replace(':', '').lower()
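Review bot: the new loop on lines 128-137 checks only the prefix; the part after ``alg:`` is never validated, so an empty value, non-hex characters, or a digest of the wrong length for the named algorithm (for example 40 hex digits after ``sha256:``) is appended to ``s['certfingerprints']`` as-is. Because a configured fingerprint replaces CA chain validation for the host, a typo here should abort with the same "invalid fingerprint" error; check that the normalized value is hex and has the expected length for ``alg``. Minor: ``fingerprint`` is rebound on lines 135-136 from the raw config value to the normalized digest, and a separate name would keep the raw value available for error messages.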
@@ -282,18 +282,31 b' Test server cert which no longer is vali'
282 282
283 283 Fingerprints
284 284
285 - works without cacerts
285 - works without cacerts (hostkeyfingerprints)
286 286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
287 287 5fed3813f7f5
288 288
289 - works without cacerts (hostsecurity)
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
291 5fed3813f7f5
292
293 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
294 5fed3813f7f5
295
289 296 - multiple fingerprints specified and first matches
290 297 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
291 298 5fed3813f7f5
292 299
300 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
301 5fed3813f7f5
302
293 303 - multiple fingerprints specified and last matches
294 304 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
295 305 5fed3813f7f5
296 306
307 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
308 5fed3813f7f5
309
297 310 - multiple fingerprints specified and none match
298 311
299 312 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
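Review bot: the relabelled case on new line 285 reads "(hostkeyfingerprints)", but the option exercised on line 286 is ``hostfingerprints``; rename the label to match. The new cases cover ``sha1`` and ``sha256`` only, so add one for ``sha512``, and add a case for the new "invalid fingerprint" abort in ``_hostsettings`` (a value without a supported prefix), which none of the visible test hunks exercises.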
@@ -301,6 +314,11 b' Fingerprints'
301 314 (check hostfingerprint configuration)
302 315 [255]
303 316
317 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
318 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
319 (check hostfingerprint configuration)
320 [255]
321
304 322 - fails when cert doesn't match hostname (port is ignored)
305 323 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
306 324 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
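Review bot: the expected output on new lines 318-319 shows that a mismatch against ``[hostsecurity]`` fingerprints still tells the user to "check hostfingerprint configuration", which points at the section this change deprecates; the hint should name ``hostsecurity`` when the fingerprints came from there. The abort message also reports the SHA-1 fingerprint in colon form, so a case with a non-matching ``sha256:`` value would show whether the reported digest is useful to someone who pinned with SHA-256.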