@@ -976,6 +976,8 b' is treated as a failure.' | |||||
976 | ``hostfingerprints`` |
|
976 | ``hostfingerprints`` | |
977 | -------------------- |
|
977 | -------------------- | |
978 |
|
978 | |||
|
979 | (Deprecated. Use ``[hostsecurity]``'s ``fingerprints`` options instead.) | |||
|
980 | ||||
979 | Fingerprints of the certificates of known HTTPS servers. |
|
981 | Fingerprints of the certificates of known HTTPS servers. | |
980 |
|
982 | |||
981 | A HTTPS connection to a server with a fingerprint configured here will |
|
983 | A HTTPS connection to a server with a fingerprint configured here will | |
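Review bot: The deprecation note added at new line 979 names the replacement but not how an existing entry translates. The code comment in `_hostsettings` says `[hostfingerprints]` values are always SHA-1, so the note could state that `host = <fingerprint>` becomes `host:fingerprints = sha1:<fingerprint>` under `[hostsecurity]`, and point readers to the `sha256`/`sha512` recommendation in the new section.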
@@ -995,6 +997,39 b' For example::' | |||||
995 | hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
|
997 | hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 | |
996 | hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
|
998 | hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 | |
997 |
|
999 | |||
|
1000 | ``hostsecurity`` | |||
|
1001 | ---------------- | |||
|
1002 | ||||
|
1003 | Used to specify per-host security settings. | |||
|
1004 | ||||
|
1005 | Options in this section have the form ``hostname``:``setting``. This allows | |||
|
1006 | multiple settings to be defined on a per-host basis. | |||
|
1007 | ||||
|
1008 | The following per-host settings can be defined. | |||
|
1009 | ||||
|
1010 | ``fingerprints`` | |||
|
1011 | A list of hashes of the DER encoded peer/remote certificate. Values have | |||
|
1012 | the form ``algorithm``:``fingerprint``. e.g. | |||
|
1013 | ``sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2``. | |||
|
1014 | ||||
|
1015 | The following algorithms/prefixes are supported: ``sha1``, ``sha256``, | |||
|
1016 | ``sha512``. | |||
|
1017 | ||||
|
1018 | Use of ``sha256`` or ``sha512`` is preferred. | |||
|
1019 | ||||
|
1020 | If a fingerprint is specified, the CA chain is not validated for this | |||
|
1021 | host and Mercurial will require the remote certificate to match one | |||
|
1022 | of the fingerprints specified. This means if the server updates its | |||
|
1023 | certificate, Mercurial will abort until a new fingerprint is defined. | |||
|
1024 | This can provide stronger security than traditional CA-based validation | |||
|
1025 | at the expense of convenience. | |||
|
1026 | ||||
|
1027 | For example:: | |||
|
1028 | ||||
|
1029 | [hostsecurity] | |||
|
1030 | hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2 | |||
|
1031 | hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 | |||
|
1032 | ||||
998 | ``http_proxy`` |
|
1033 | ``http_proxy`` | |
999 | -------------- |
|
1034 | -------------- | |
1000 |
|
1035 |
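Review bot: The ``fingerprints`` help text at new lines 1011-1016 does not say which digest spellings are accepted, yet the example at line 1031 mixes a bare hex value with a colon-separated one. State that colons are optional and hex case is ignored, which is what the `replace(':', '').lower()` normalization in `_hostsettings` implements. The same example pins hg2.example.com with two `sha1:` values directly after line 1018 says `sha256` or `sha512` is preferred; a `sha256:` pair would model the recommended setup. Since lines 1022-1023 warn that Mercurial aborts when the server changes its certificate, it is also worth one sentence saying that the list form allows the next certificate's fingerprint to be added alongside the current one before a rotation.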
@@ -121,6 +121,21 b' def _hostsettings(ui, hostname):' | |||||
121 | 'verifymode': None, |
|
121 | 'verifymode': None, | |
122 | } |
|
122 | } | |
123 |
|
123 | |||
|
124 | # Look for fingerprints in [hostsecurity] section. Value is a list | |||
|
125 | # of <alg>:<fingerprint> strings. | |||
|
126 | fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, | |||
|
127 | []) | |||
|
128 | for fingerprint in fingerprints: | |||
|
129 | if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))): | |||
|
130 | raise error.Abort(_('invalid fingerprint for %s: %s') % ( | |||
|
131 | hostname, fingerprint), | |||
|
132 | hint=_('must begin with "sha1:", "sha256:", ' | |||
|
133 | 'or "sha512:"')) | |||
|
134 | ||||
|
135 | alg, fingerprint = fingerprint.split(':', 1) | |||
|
136 | fingerprint = fingerprint.replace(':', '').lower() | |||
|
137 | s['certfingerprints'].append((alg, fingerprint)) | |||
|
138 | ||||
124 | # Fingerprints from [hostfingerprints] are always SHA-1. |
|
139 | # Fingerprints from [hostfingerprints] are always SHA-1. | |
125 | for fingerprint in ui.configlist('hostfingerprints', hostname, []): |
|
140 | for fingerprint in ui.configlist('hostfingerprints', hostname, []): | |
126 | fingerprint = fingerprint.replace(':', '').lower() |
|
141 | fingerprint = fingerprint.replace(':', '').lower() |
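Review bot: The loop at new lines 128-137 validates only the prefix, so a value such as `sha256:` with an empty, non-hex or wrong-length digest is accepted and appended to `s['certfingerprints']`. This fails closed, because such a value can never equal a real digest, but the user then gets an unexpected-fingerprint abort at connect time instead of a configuration error. After the normalization on line 136, check that the digest is hexadecimal and has the length for `alg` (40, 64 or 128 characters) and raise the same `error.Abort` otherwise. Two smaller points: the prefix test is case-sensitive while the digest is lowercased, so `SHA256:...` is rejected; and rebinding the loop variable `fingerprint` on lines 135-136 would read better with a separate name for the normalized digest.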
@@ -282,18 +282,31 b' Test server cert which no longer is vali' | |||||
282 |
|
282 | |||
283 | Fingerprints |
|
283 | Fingerprints | |
284 |
|
284 | |||
285 | - works without cacerts |
|
285 | - works without cacerts (hostkeyfingerprints) | |
286 | $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
|
286 | $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | |
287 | 5fed3813f7f5 |
|
287 | 5fed3813f7f5 | |
288 |
|
288 | |||
|
289 | - works without cacerts (hostsecurity) | |||
|
290 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca | |||
|
291 | 5fed3813f7f5 | |||
|
292 | ||||
|
293 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 | |||
|
294 | 5fed3813f7f5 | |||
|
295 | ||||
289 | - multiple fingerprints specified and first matches |
|
296 | - multiple fingerprints specified and first matches | |
290 | $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
297 | $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | |
291 | 5fed3813f7f5 |
|
298 | 5fed3813f7f5 | |
292 |
|
299 | |||
|
300 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |||
|
301 | 5fed3813f7f5 | |||
|
302 | ||||
293 | - multiple fingerprints specified and last matches |
|
303 | - multiple fingerprints specified and last matches | |
294 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
304 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure | |
295 | 5fed3813f7f5 |
|
305 | 5fed3813f7f5 | |
296 |
|
306 | |||
|
307 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ | |||
|
308 | 5fed3813f7f5 | |||
|
309 | ||||
297 | - multiple fingerprints specified and none match |
|
310 | - multiple fingerprints specified and none match | |
298 |
|
311 | |||
299 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
312 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | |
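Review bot: The new `hostsecurity` cases in this hunk cover `sha1` (new lines 290, 300, 307) and `sha256` (line 293), but nothing visible here exercises `sha512` or the new `invalid fingerprint for ...` abort raised for a value without a recognised prefix. One case for each would lock in the documented algorithm list and the error text. Also, the relabelled header on line 285 reads `(hostkeyfingerprints)`, while the section used in the command below it is `hostfingerprints`.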
@@ -301,6 +314,11 b' Fingerprints' | |||||
301 | (check hostfingerprint configuration) |
|
314 | (check hostfingerprint configuration) | |
302 | [255] |
|
315 | [255] | |
303 |
|
316 | |||
|
317 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |||
|
318 | abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | |||
|
319 | (check hostfingerprint configuration) | |||
|
320 | [255] | |||
|
321 | ||||
304 | - fails when cert doesn't match hostname (port is ignored) |
|
322 | - fails when cert doesn't match hostname (port is ignored) | |
305 | $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca |
|
323 | $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca | |
306 | abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b |
|
324 | abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b |
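Review bot: In the expected output at new lines 318-319, a mismatch against `hostsecurity.localhost:fingerprints` still ends with the hint `(check hostfingerprint configuration)`, which points the user at the section this change deprecates. The hint should name `hostsecurity` when the pins came from there. This case also uses only `sha1:` pins, so it does not show which digest the abort message reports when the configured pins are `sha256` or `sha512`; a mismatch test with a `sha256:` pin would settle that.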