Mercurial > hg-stable
changeset 29290:01248c37a68e
sslutil: print SHA-256 fingerprint by default
The world is starting to move on from SHA-1. A few commits ago, we
gained the ability to define certificate fingerprints using SHA-256
and SHA-512.
Let's start printing the SHA-256 fingerprint instead of the SHA-1
fingerprint to encourage people to pin with a more secure hashing
algorithm.
There is still a bit of work to be done around the fingerprint
messaging. This will be addressed in subsequent commits.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Mon, 30 May 2016 15:42:39 -0700 |
parents | 3536673a25ae |
children | 15e533b7909c |
files | mercurial/sslutil.py tests/test-https.t |
diffstat | 2 files changed, 12 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Mon May 30 13:15:53 2016 -0700 +++ b/mercurial/sslutil.py Mon May 30 15:42:39 2016 -0700 @@ -373,8 +373,12 @@ 'sha256': util.sha256(peercert).hexdigest(), 'sha512': util.sha512(peercert).hexdigest(), } - nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2] - for x in range(0, len(peerfingerprints['sha1']), 2)]) + + def fmtfingerprint(s): + return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)]) + + legacyfingerprint = fmtfingerprint(peerfingerprints['sha1']) + nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256']) if settings['legacyfingerprint']: section = 'hostfingerprint' @@ -389,10 +393,10 @@ break if not fingerprintmatch: raise error.Abort(_('certificate for %s has unexpected ' - 'fingerprint %s') % (host, nicefingerprint), - hint=_('check %s configuration') % section) + 'fingerprint %s') % (host, legacyfingerprint), + hint=_('check %s configuration') % section) ui.debug('%s certificate matched fingerprint %s\n' % - (host, nicefingerprint)) + (host, legacyfingerprint)) return if not sock._hgstate['caloaded']:
--- a/tests/test-https.t Mon May 30 13:15:53 2016 -0700 +++ b/tests/test-https.t Mon May 30 15:42:39 2016 -0700 @@ -176,7 +176,7 @@ clone via pull $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) + warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) requesting all changes adding changesets adding manifests @@ -203,7 +203,7 @@ $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc $ hg pull $DISABLECACERTS pulling from https://localhost:$HGPORT/ - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) + warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) searching for changes adding changesets adding manifests @@ -244,7 +244,7 @@ $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ pulling from https://127.0.0.1:$HGPORT/ abort: 127.0.0.1 certificate error: certificate is for localhost - (configure hostsecurity 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely) + (configure hostsecurity sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or use --insecure to connect insecurely) [255] $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure pulling from https://127.0.0.1:$HGPORT/