##// END OF EJS Templates
sslutil: allow fingerprints to be specified in [hostsecurity]...
Gregory Szorc -
r29267:f0ccb6cd default
parent child Browse files
Show More
@@ -976,6 +976,8 b' is treated as a failure.'
976 ``hostfingerprints``
976 ``hostfingerprints``
977 --------------------
977 --------------------
978
978
979 (Deprecated. Use ``[hostsecurity]``'s ``fingerprints`` options instead.)
980
979 Fingerprints of the certificates of known HTTPS servers.
981 Fingerprints of the certificates of known HTTPS servers.
980
982
981 A HTTPS connection to a server with a fingerprint configured here will
983 A HTTPS connection to a server with a fingerprint configured here will
@@ -995,6 +997,39 b' For example::'
995 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
997 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
996 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
998 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
997
999
1000 ``hostsecurity``
1001 ----------------
1002
1003 Used to specify per-host security settings.
1004
1005 Options in this section have the form ``hostname``:``setting``. This allows
1006 multiple settings to be defined on a per-host basis.
1007
1008 The following per-host settings can be defined.
1009
1010 ``fingerprints``
1011 A list of hashes of the DER encoded peer/remote certificate. Values have
1012 the form ``algorithm``:``fingerprint``. e.g.
1013 ``sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2``.
1014
1015 The following algorithms/prefixes are supported: ``sha1``, ``sha256``,
1016 ``sha512``.
1017
1018 Use of ``sha256`` or ``sha512`` is preferred.
1019
1020 If a fingerprint is specified, the CA chain is not validated for this
1021 host and Mercurial will require the remote certificate to match one
1022 of the fingerprints specified. This means if the server updates its
1023 certificate, Mercurial will abort until a new fingerprint is defined.
1024 This can provide stronger security than traditional CA-based validation
1025 at the expense of convenience.
1026
1027 For example::
1028
1029 [hostsecurity]
1030 hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2
1031 hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
1032
998 ``http_proxy``
1033 ``http_proxy``
999 --------------
1034 --------------
1000
1035
@@ -121,6 +121,21 b' def _hostsettings(ui, hostname):'
121 'verifymode': None,
121 'verifymode': None,
122 }
122 }
123
123
124 # Look for fingerprints in [hostsecurity] section. Value is a list
125 # of <alg>:<fingerprint> strings.
126 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
127 [])
128 for fingerprint in fingerprints:
129 if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
130 raise error.Abort(_('invalid fingerprint for %s: %s') % (
131 hostname, fingerprint),
132 hint=_('must begin with "sha1:", "sha256:", '
133 'or "sha512:"'))
134
135 alg, fingerprint = fingerprint.split(':', 1)
136 fingerprint = fingerprint.replace(':', '').lower()
137 s['certfingerprints'].append((alg, fingerprint))
138
124 # Fingerprints from [hostfingerprints] are always SHA-1.
139 # Fingerprints from [hostfingerprints] are always SHA-1.
125 for fingerprint in ui.configlist('hostfingerprints', hostname, []):
140 for fingerprint in ui.configlist('hostfingerprints', hostname, []):
126 fingerprint = fingerprint.replace(':', '').lower()
141 fingerprint = fingerprint.replace(':', '').lower()
@@ -282,18 +282,31 b' Test server cert which no longer is vali'
282
282
283 Fingerprints
283 Fingerprints
284
284
285 - works without cacerts
285 - works without cacerts (hostkeyfingerprints)
286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
287 5fed3813f7f5
287 5fed3813f7f5
288
288
289 - works without cacerts (hostsecurity)
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
291 5fed3813f7f5
292
293 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
294 5fed3813f7f5
295
289 - multiple fingerprints specified and first matches
296 - multiple fingerprints specified and first matches
290 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
297 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
291 5fed3813f7f5
298 5fed3813f7f5
292
299
300 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
301 5fed3813f7f5
302
293 - multiple fingerprints specified and last matches
303 - multiple fingerprints specified and last matches
294 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
304 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
295 5fed3813f7f5
305 5fed3813f7f5
296
306
307 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
308 5fed3813f7f5
309
297 - multiple fingerprints specified and none match
310 - multiple fingerprints specified and none match
298
311
299 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
312 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
@@ -301,6 +314,11 b' Fingerprints'
301 (check hostfingerprint configuration)
314 (check hostfingerprint configuration)
302 [255]
315 [255]
303
316
317 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
318 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
319 (check hostfingerprint configuration)
320 [255]
321
304 - fails when cert doesn't match hostname (port is ignored)
322 - fails when cert doesn't match hostname (port is ignored)
305 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
323 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
306 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
324 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
General Comments 0
You need to be logged in to leave comments. Login now