Mercurial > hg
annotate mercurial/sslutil.py @ 28649:7acab42ef184
sslutil: implement SSLContext class
Python <2.7.9 doesn't have a ssl.SSLContext class. In this patch,
we implement the interface to the class so we can have a unified
code path for all supported versions of Python.
This is similar to the approach that urllib3 takes.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sun, 27 Mar 2016 13:50:34 -0700 |
| parents | 7fc787e5d8ec |
| children | 737863b01d9f |
| rev | line source |
|---|---|
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
1 # sslutil.py - SSL handling for mercurial |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
2 # |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com> |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br> |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
6 # |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
7 # This software may be used and distributed according to the terms of the |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
8 # GNU General Public License version 2 or any later version. |
|
25977
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
9 |
|
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
10 from __future__ import absolute_import |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
11 |
|
25977
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
12 import os |
|
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
13 import ssl |
|
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
14 import sys |
|
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
15 |
|
696f6e2be282
sslutil: use absolute_import
Gregory Szorc <gregory.szorc@gmail.com>
parents:
25432
diff
changeset
|
16 from .i18n import _ |
|
28577
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
17 from . import ( |
|
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
18 error, |
|
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
19 util, |
|
7efff6ce9826
sslutil: use preferred formatting for import syntax
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28525
diff
changeset
|
20 ) |
|
24291
760a86865f80
ssl: load CA certificates from system's store by default on Python 2.7.9
Yuya Nishihara <yuya@tcha.org>
parents:
24290
diff
changeset
|
21 |
|
28647
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
22 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
23 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
24 # all exposed via the "ssl" module. |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
25 # |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
26 # Depending on the version of Python being used, SSL/TLS support is either |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
27 # modern/secure or legacy/insecure. Many operations in this module have |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
28 # separate code paths depending on support in Python. |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
29 |
|
26622
9e15286609ae
sslutil: expose attribute indicating whether SNI is supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
30 hassni = getattr(ssl, 'HAS_SNI', False) |
|
9e15286609ae
sslutil: expose attribute indicating whether SNI is supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
26587
diff
changeset
|
31 |
|
28648
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
32 try: |
|
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2 |
|
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3 |
|
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
35 except AttributeError: |
|
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
36 OP_NO_SSLv2 = 0x1000000 |
|
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
37 OP_NO_SSLv3 = 0x2000000 |
|
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
38 |
|
28649
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
39 try: |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
40 # ssl.SSLContext was added in 2.7.9 and presence indicates modern |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
41 # SSL/TLS features are available. |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
42 SSLContext = ssl.SSLContext |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
43 modernssl = True |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
44 except AttributeError: |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
45 modernssl = False |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
46 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
47 # We implement SSLContext using the interface from the standard library. |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
48 class SSLContext(object): |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
49 # ssl.wrap_socket gained the "ciphers" named argument in 2.7. |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
50 _supportsciphers = sys.version_info >= (2, 7) |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
51 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
52 def __init__(self, protocol): |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
53 # From the public interface of SSLContext |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
54 self.protocol = protocol |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
55 self.check_hostname = False |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
56 self.options = 0 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
57 self.verify_mode = ssl.CERT_NONE |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
58 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
59 # Used by our implementation. |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
60 self._certfile = None |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
61 self._keyfile = None |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
62 self._certpassword = None |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
63 self._cacerts = None |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
64 self._ciphers = None |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
65 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
66 def load_cert_chain(self, certfile, keyfile=None, password=None): |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
67 self._certfile = certfile |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
68 self._keyfile = keyfile |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
69 self._certpassword = password |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
70 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
71 def load_default_certs(self, purpose=None): |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
72 pass |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
73 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
74 def load_verify_locations(self, cafile=None, capath=None, cadata=None): |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
75 if capath: |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
76 raise error.Abort('capath not supported') |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
77 if cadata: |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
78 raise error.Abort('cadata not supported') |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
79 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
80 self._cacerts = cafile |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
81 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
82 def set_ciphers(self, ciphers): |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
83 if not self._supportsciphers: |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
84 raise error.Abort('setting ciphers not supported') |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
85 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
86 self._ciphers = ciphers |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
87 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
88 def wrap_socket(self, socket, server_hostname=None, server_side=False): |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
89 # server_hostname is unique to SSLContext.wrap_socket and is used |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
90 # for SNI in that context. So there's nothing for us to do with it |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
91 # in this legacy code since we don't support SNI. |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
92 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
93 args = { |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
94 'keyfile': self._keyfile, |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
95 'certfile': self._certfile, |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
96 'server_side': server_side, |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
97 'cert_reqs': self.verify_mode, |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
98 'ssl_version': self.protocol, |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
99 'ca_certs': self._cacerts, |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
100 } |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
101 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
102 if self._supportsciphers: |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
103 args['ciphers'] = self._ciphers |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
104 |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
105 return ssl.wrap_socket(socket, **args) |
|
7acab42ef184
sslutil: implement SSLContext class
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28648
diff
changeset
|
106 |
|
24291
760a86865f80
ssl: load CA certificates from system's store by default on Python 2.7.9
Yuya Nishihara <yuya@tcha.org>
parents:
24290
diff
changeset
|
107 _canloaddefaultcerts = False |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
108 try: |
|
28647
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
109 # ssl.SSLContext was added in 2.7.9 and presence indicates modern |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
110 # SSL/TLS features are available. |
|
25431
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
111 ssl_context = ssl.SSLContext |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
112 _canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs') |
|
23834
bf07c19b4c82
https: support tls sni (server name indication) for https urls (issue3090)
Alex Orange <crazycasta@gmail.com>
parents:
23069
diff
changeset
|
113 |
|
25431
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
114 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE, |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
115 ca_certs=None, serverhostname=None): |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
116 # Allow any version of SSL starting with TLSv1 and |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
117 # up. Note that specifying TLSv1 here prohibits use of |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
118 # newer standards (like TLSv1_2), so this is the right way |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
119 # to do this. Note that in the future it'd be better to |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
120 # support using ssl.create_default_context(), which sets |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
121 # up a bunch of things in smart ways (strong ciphers, |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
122 # protocol versions, etc) and is upgraded by Python |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
123 # maintainers for us, but that breaks too many things to |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
124 # do it in a hurry. |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
125 sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |
|
28648
7fc787e5d8ec
sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28647
diff
changeset
|
126 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3 |
|
25431
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
127 if certfile is not None: |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
128 def password(): |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
129 f = keyfile or certfile |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
130 return ui.getpass(_('passphrase for %s: ') % f, '') |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
131 sslcontext.load_cert_chain(certfile, keyfile, password) |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
132 sslcontext.verify_mode = cert_reqs |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
133 if ca_certs is not None: |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
134 sslcontext.load_verify_locations(cafile=ca_certs) |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
135 elif _canloaddefaultcerts: |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
136 sslcontext.load_default_certs() |
|
23834
bf07c19b4c82
https: support tls sni (server name indication) for https urls (issue3090)
Alex Orange <crazycasta@gmail.com>
parents:
23069
diff
changeset
|
137 |
|
25431
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
138 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname) |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
139 # check if wrap_socket failed silently because socket had been |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
140 # closed |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
141 # - see http://bugs.python.org/issue13721 |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
142 if not sslsocket.cipher(): |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
143 raise error.Abort(_('ssl connection failed')) |
|
25431
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
144 return sslsocket |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
145 except AttributeError: |
|
28647
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
146 # We don't have a modern version of the "ssl" module and are running |
|
834d1c4ba749
sslutil: better document state of security/ssl module
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28577
diff
changeset
|
147 # Python <2.7.9. |
|
25431
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
148 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE, |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
149 ca_certs=None, serverhostname=None): |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
150 sslsocket = ssl.wrap_socket(sock, keyfile, certfile, |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
151 cert_reqs=cert_reqs, ca_certs=ca_certs, |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
152 ssl_version=ssl.PROTOCOL_TLSv1) |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
153 # check if wrap_socket failed silently because socket had been |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
154 # closed |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
155 # - see http://bugs.python.org/issue13721 |
|
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
156 if not sslsocket.cipher(): |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
157 raise error.Abort(_('ssl connection failed')) |
|
25431
96159068c506
ssl: drop try-except clause that was necessary for ancient Python
Yuya Nishihara <yuya@tcha.org>
parents:
25430
diff
changeset
|
158 return sslsocket |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
159 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
160 def _verifycert(cert, hostname): |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
161 '''Verify that cert (in socket.getpeercert() format) matches hostname. |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
162 CRLs is not handled. |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
163 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
164 Returns error message if any problems are found and None on success. |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
165 ''' |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
166 if not cert: |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
167 return _('no certificate received') |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
168 dnsname = hostname.lower() |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
169 def matchdnsname(certname): |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
170 return (certname == dnsname or |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
171 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]) |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
172 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
173 san = cert.get('subjectAltName', []) |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
174 if san: |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
175 certnames = [value.lower() for key, value in san if key == 'DNS'] |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
176 for name in certnames: |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
177 if matchdnsname(name): |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
178 return None |
|
14666
27b080aa880a
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)
Nicolas Bareil <nico@chdir.org>
parents:
14616
diff
changeset
|
179 if certnames: |
|
27b080aa880a
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798)
Nicolas Bareil <nico@chdir.org>
parents:
14616
diff
changeset
|
180 return _('certificate is for %s') % ', '.join(certnames) |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
181 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
182 # subject is only checked when subjectAltName is empty |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
183 for s in cert.get('subject', []): |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
184 key, value = s[0] |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
185 if key == 'commonName': |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
186 try: |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
187 # 'subject' entries are unicode |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
188 certname = value.lower().encode('ascii') |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
189 except UnicodeEncodeError: |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
190 return _('IDN in certificate not supported') |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
191 if matchdnsname(certname): |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
192 return None |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
193 return _('certificate is for %s') % certname |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
194 return _('no commonName or subjectAltName found in certificate') |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
195 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
196 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
197 # CERT_REQUIRED means fetch the cert from the server all the time AND |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
198 # validate it against the CA store provided in web.cacerts. |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
199 |
|
23042
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
200 def _plainapplepython(): |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
201 """return true if this seems to be a pure Apple Python that |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
202 * is unfrozen and presumably has the whole mercurial module in the file |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
203 system |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
204 * presumably is an Apple Python that uses Apple OpenSSL which has patches |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
205 for using system certificate store CAs in addition to the provided |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
206 cacerts file |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
207 """ |
|
24614
241d98d84aed
ssl: resolve symlink before checking for Apple python executable (issue4588)
Yuya Nishihara <yuya@tcha.org>
parents:
24291
diff
changeset
|
208 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable: |
|
23042
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
209 return False |
|
24614
241d98d84aed
ssl: resolve symlink before checking for Apple python executable (issue4588)
Yuya Nishihara <yuya@tcha.org>
parents:
24291
diff
changeset
|
210 exe = os.path.realpath(sys.executable).lower() |
|
23042
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
211 return (exe.startswith('/usr/bin/python') or |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
212 exe.startswith('/system/library/frameworks/python.framework/')) |
|
2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents:
22575
diff
changeset
|
213 |
|
24288
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
214 def _defaultcacerts(): |
|
24291
760a86865f80
ssl: load CA certificates from system's store by default on Python 2.7.9
Yuya Nishihara <yuya@tcha.org>
parents:
24290
diff
changeset
|
215 """return path to CA certificates; None for system's store; ! to disable""" |
|
24288
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
216 if _plainapplepython(): |
|
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
217 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') |
|
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
218 if os.path.exists(dummycert): |
|
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
219 return dummycert |
|
24291
760a86865f80
ssl: load CA certificates from system's store by default on Python 2.7.9
Yuya Nishihara <yuya@tcha.org>
parents:
24290
diff
changeset
|
220 if _canloaddefaultcerts: |
|
760a86865f80
ssl: load CA certificates from system's store by default on Python 2.7.9
Yuya Nishihara <yuya@tcha.org>
parents:
24290
diff
changeset
|
221 return None |
|
24290
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
222 return '!' |
|
24288
922e087ba158
ssl: extract function that returns dummycert path on Apple python
Yuya Nishihara <yuya@tcha.org>
parents:
23851
diff
changeset
|
223 |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
224 def sslkwargs(ui, host): |
|
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
24614
diff
changeset
|
225 kws = {'ui': ui} |
|
22574
a00a7951b20c
ssl: refactor sslkwargs - move things around a bit, preparing for next change
Mads Kiilerich <madski@unity3d.com>
parents:
19808
diff
changeset
|
226 hostfingerprint = ui.config('hostfingerprints', host) |
|
a00a7951b20c
ssl: refactor sslkwargs - move things around a bit, preparing for next change
Mads Kiilerich <madski@unity3d.com>
parents:
19808
diff
changeset
|
227 if hostfingerprint: |
|
a00a7951b20c
ssl: refactor sslkwargs - move things around a bit, preparing for next change
Mads Kiilerich <madski@unity3d.com>
parents:
19808
diff
changeset
|
228 return kws |
|
a00a7951b20c
ssl: refactor sslkwargs - move things around a bit, preparing for next change
Mads Kiilerich <madski@unity3d.com>
parents:
19808
diff
changeset
|
229 cacerts = ui.config('web', 'cacerts') |
|
24290
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
230 if cacerts == '!': |
|
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
231 pass |
|
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
232 elif cacerts: |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
233 cacerts = util.expandpath(cacerts) |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
234 if not os.path.exists(cacerts): |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
235 raise error.Abort(_('could not find web.cacerts: %s') % cacerts) |
|
24290
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
236 else: |
|
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
237 cacerts = _defaultcacerts() |
|
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
238 if cacerts and cacerts != '!': |
|
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
239 ui.debug('using %s to enable OS X system CA\n' % cacerts) |
|
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
240 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts') |
|
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
241 if cacerts != '!': |
|
19806
47ff9d1abfa9
sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038)
Augie Fackler <raf@durin42.com>
parents:
19749
diff
changeset
|
242 kws.update({'ca_certs': cacerts, |
|
25432
bdc15b3c9bdb
ssl: remove CERT_REQUIRED constant that was necessary for compatibility
Yuya Nishihara <yuya@tcha.org>
parents:
25431
diff
changeset
|
243 'cert_reqs': ssl.CERT_REQUIRED, |
|
19806
47ff9d1abfa9
sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038)
Augie Fackler <raf@durin42.com>
parents:
19749
diff
changeset
|
244 }) |
|
47ff9d1abfa9
sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038)
Augie Fackler <raf@durin42.com>
parents:
19749
diff
changeset
|
245 return kws |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
246 |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
247 class validator(object): |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
248 def __init__(self, ui, host): |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
249 self.ui = ui |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
250 self.host = host |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
251 |
|
18887
2d7fac049d3a
sslutil: abort if peer certificate is not verified for secure use
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
18879
diff
changeset
|
252 def __call__(self, sock, strict=False): |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
253 host = self.host |
|
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
254 cacerts = self.ui.config('web', 'cacerts') |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
255 hostfingerprints = self.ui.configlist('hostfingerprints', host) |
|
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
256 |
|
15816
4bb59919c905
sslutil: work around validator crash getting certificate on failed sockets
Mads Kiilerich <mads@kiilerich.com>
parents:
15815
diff
changeset
|
257 if not sock.cipher(): # work around http://bugs.python.org/issue13721 |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
258 raise error.Abort(_('%s ssl connection error') % host) |
|
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
259 try: |
|
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
260 peercert = sock.getpeercert(True) |
|
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
261 peercert2 = sock.getpeercert() |
|
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
262 except AttributeError: |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
263 raise error.Abort(_('%s ssl connection error') % host) |
|
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
264 |
|
15817
8f377751b510
sslutil: abort properly if no certificate received for https connection
Mads Kiilerich <mads@kiilerich.com>
parents:
15816
diff
changeset
|
265 if not peercert: |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
266 raise error.Abort(_('%s certificate error: ' |
|
15817
8f377751b510
sslutil: abort properly if no certificate received for https connection
Mads Kiilerich <mads@kiilerich.com>
parents:
15816
diff
changeset
|
267 'no certificate received') % host) |
|
15814
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15813
diff
changeset
|
268 peerfingerprint = util.sha1(peercert).hexdigest() |
|
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15813
diff
changeset
|
269 nicefingerprint = ":".join([peerfingerprint[x:x + 2] |
|
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15813
diff
changeset
|
270 for x in xrange(0, len(peerfingerprint), 2)]) |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
271 if hostfingerprints: |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
272 fingerprintmatch = False |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
273 for hostfingerprint in hostfingerprints: |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
274 if peerfingerprint.lower() == \ |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
275 hostfingerprint.replace(':', '').lower(): |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
276 fingerprintmatch = True |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
277 break |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27688
diff
changeset
|
278 if not fingerprintmatch: |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
279 raise error.Abort(_('certificate for %s has unexpected ' |
|
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15817
diff
changeset
|
280 'fingerprint %s') % (host, nicefingerprint), |
|
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15817
diff
changeset
|
281 hint=_('check hostfingerprint configuration')) |
|
15815
edc3a901a63d
sslutil: reorder validator code to make it more readable
Mads Kiilerich <mads@kiilerich.com>
parents:
15814
diff
changeset
|
282 self.ui.debug('%s certificate matched fingerprint %s\n' % |
|
edc3a901a63d
sslutil: reorder validator code to make it more readable
Mads Kiilerich <mads@kiilerich.com>
parents:
15814
diff
changeset
|
283 (host, nicefingerprint)) |
|
24290
b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents:
24288
diff
changeset
|
284 elif cacerts != '!': |
|
18879
93b03a222c3e
sslutil: try harder to avoid getpeercert problems
Matt Mackall <mpm@selenic.com>
parents:
16391
diff
changeset
|
285 msg = _verifycert(peercert2, host) |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
286 if msg: |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
287 raise error.Abort(_('%s certificate error: %s') % (host, msg), |
|
15814
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15813
diff
changeset
|
288 hint=_('configure hostfingerprint %s or use ' |
|
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15813
diff
changeset
|
289 '--insecure to connect insecurely') % |
|
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15813
diff
changeset
|
290 nicefingerprint) |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
291 self.ui.debug('%s certificate successfully verified\n' % host) |
|
18887
2d7fac049d3a
sslutil: abort if peer certificate is not verified for secure use
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
18879
diff
changeset
|
292 elif strict: |
|
26587
56b2bcea2529
error: get Abort from 'error' instead of 'util'
Pierre-Yves David <pierre-yves.david@fb.com>
parents:
25977
diff
changeset
|
293 raise error.Abort(_('%s certificate with fingerprint %s not ' |
|
18887
2d7fac049d3a
sslutil: abort if peer certificate is not verified for secure use
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
18879
diff
changeset
|
294 'verified') % (host, nicefingerprint), |
|
2d7fac049d3a
sslutil: abort if peer certificate is not verified for secure use
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
18879
diff
changeset
|
295 hint=_('check hostfingerprints or web.cacerts ' |
|
2d7fac049d3a
sslutil: abort if peer certificate is not verified for secure use
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
18879
diff
changeset
|
296 'config setting')) |
|
14204
5fa21960b2f4
sslutil: extracted ssl methods from httpsconnection in url.py
Augie Fackler <durin42@gmail.com>
parents:
diff
changeset
|
297 else: |
|
15815
edc3a901a63d
sslutil: reorder validator code to make it more readable
Mads Kiilerich <mads@kiilerich.com>
parents:
15814
diff
changeset
|
298 self.ui.warn(_('warning: %s certificate with fingerprint %s not ' |
|
edc3a901a63d
sslutil: reorder validator code to make it more readable
Mads Kiilerich <mads@kiilerich.com>
parents:
15814
diff
changeset
|
299 'verified (check hostfingerprints or web.cacerts ' |
|
edc3a901a63d
sslutil: reorder validator code to make it more readable
Mads Kiilerich <mads@kiilerich.com>
parents:
15814
diff
changeset
|
300 'config setting)\n') % |
|
edc3a901a63d
sslutil: reorder validator code to make it more readable
Mads Kiilerich <mads@kiilerich.com>
parents:
15814
diff
changeset
|
301 (host, nicefingerprint)) |