Tue, 31 May 2016 19:21:08 -0700 sslutil: make cert fingerprints messages more actionable
Gregory Szorc <gregory.szorc@gmail.com> [Tue, 31 May 2016 19:21:08 -0700] rev 29292
sslutil: make cert fingerprints messages more actionable The previous warning and abort messages were difficult to understand. This patch makes them slightly better. I think there is still room to tweak the messaging. And as we adopt new security defaults, these messages will certainly change again. But at least this takes us a step in the right direction. References to "section" have been removed because if no fingerprint is defined, "section" can never be "hostfingerprints." So just print "hostsecurity" every time.
Mon, 30 May 2016 15:43:03 -0700 sslutil: refactor code for fingerprint matching
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 May 2016 15:43:03 -0700] rev 29291
sslutil: refactor code for fingerprint matching We didn't need to use a temporary variable to indicate success because we just return anyway. This refactor makes the code simpler. While we're here, we also call into formatfingerprint() to ensure the fingerprint from the proper hashing algorithm is logged.
Mon, 30 May 2016 15:42:39 -0700 sslutil: print SHA-256 fingerprint by default
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 May 2016 15:42:39 -0700] rev 29290
sslutil: print SHA-256 fingerprint by default The world is starting to move on from SHA-1. A few commits ago, we gained the ability to define certificate fingerprints using SHA-256 and SHA-512. Let's start printing the SHA-256 fingerprint instead of the SHA-1 fingerprint to encourage people to pin with a more secure hashing algorithm. There is still a bit of work to be done around the fingerprint messaging. This will be addressed in subsequent commits.
Mon, 30 May 2016 13:15:53 -0700 sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 May 2016 13:15:53 -0700] rev 29289
sslutil: move and change warning when cert verification is disabled A short time ago, validatesocket() didn't know the reasons why cert verification was disabled. Multiple code paths could lead to cert verification being disabled. e.g. --insecure and lack of loaded CAs. With the recent refactorings to sslutil.py, we now know the reasons behind security settings. This means we can recognize when the user requested security be disabled (as opposed to being unable to provide certificate verification due to lack of CAs). This patch moves the check for certificate verification being disabled and changes the wording to distinguish it from other states. The warning message is purposefully more dangerous sounding in order to help discourage people from disabling security outright. We may want to add a URL or hint to this message. I'm going to wait until additional changes to security defaults before committing to something.
Wed, 01 Jun 2016 19:57:20 -0700 sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 01 Jun 2016 19:57:20 -0700] rev 29288
sslutil: add devel.disableloaddefaultcerts to disable CA loading There are various tests for behavior when CA certs aren't loaded. Previously, we would pass --insecure to disable loading of CA certs. This has worked up to this point because the error message for --insecure and no CAs loaded is the same. Upcoming commits will change the error message for --insecure and will change behavior when CAs aren't loaded. This commit introduces the ability to disable loading of CA certs by setting devel.disableloaddefaultcerts. This allows a testing backdoor to disable loading of CA certs even if system/default CA certs are available. The flag is purposefully not exposed to end-users because there should not be a need for this in the wild: certificate pinning and --insecure provide workarounds to disable cert loading/validation. Tests have been updated to use the new method. The variable used to disable CA certs has been renamed because the method is not OS X specific.
Mon, 30 May 2016 11:20:31 -0700 sslutil: store flag for whether cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 May 2016 11:20:31 -0700] rev 29287
sslutil: store flag for whether cert verification is disabled This patch effectively moves the ui.insecureconnections check to _hostsettings(). After this patch, validatesocket() no longer uses the ui instance for anything except writing messages. This patch also enables us to introduce a per-host config option for disabling certificate verification.
Mon, 30 May 2016 11:19:43 -0700 sslutil: remove "strict" argument from validatesocket()
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 May 2016 11:19:43 -0700] rev 29286
sslutil: remove "strict" argument from validatesocket() It was only used by mail.py as part of processing smtp.verifycert, which was just removed.
Sat, 04 Jun 2016 11:13:28 -0700 mail: unsupport smtp.verifycert (BC)
Gregory Szorc <gregory.szorc@gmail.com> [Sat, 04 Jun 2016 11:13:28 -0700] rev 29285
mail: unsupport smtp.verifycert (BC) smtp.verifycert was accidentally broken by cca59ef27e60. And, I believe the "loose" value has been broken for longer than that. The current code refuses to talk to a remote server unless the CA is trusted or the fingerprint is validated. In other words, we lost the ability for smtp.verifycert to lower/disable security. There are special considerations for smtp.verifycert in sslutil.validatesocket() (the "strict" argument). This violates the direction sslutil is evolving towards, which has all security options determined at wrapsocket() time and a unified code path and configs for determining security options. Since smtp.verifycert is broken and since we'll soon have new security defaults and new mechanisms for controlling host security, this patch formally deprecates smtp.verifycert. With this patch, the socket security code in mail.py now effectively mirrors code in url.py and other places we're doing socket security. For the record, removing smtp.verifycert because it was accidentally broken is a poor excuse to remove it. However, I would have done this anyway because smtp.verifycert is a one-off likely used by few people (users of the patchbomb extension) and I don't think the existence of this seldom-used one-off in security code can be justified, especially when you consider that better mechanisms are right around the corner.
Tue, 05 Apr 2016 07:30:01 +0200 update: fix bare --clean to work on new branch (issue5003) (BC)
liscju <piotr.listkiewicz@gmail.com> [Tue, 05 Apr 2016 07:30:01 +0200] rev 29284
update: fix bare --clean to work on new branch (issue5003) (BC) Before this commit bare update --clean on newly created branch updates to the parent commit, even if there are later commits on the parent commit's branch. Update to the latest head on the parent commit's branch instead. This seems reasonable as clean should discard uncommited changes, branch is one of them.
Fri, 03 Jun 2016 15:55:07 +0200 revert: use "discard"/"revert" verb when reverting interactively (issue5143)
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 03 Jun 2016 15:55:07 +0200] rev 29283
revert: use "discard"/"revert" verb when reverting interactively (issue5143) Instead of "record this change to 'FILE'?" now prompt with: * "discard this change to 'FILE'?" when reverting to the parent of working directory, and, * "revert this change to 'FILE'?" otherwise.
Tue, 05 Apr 2016 01:35:58 +0000 run-tests: add support for RTUNICODEPEDANTRY environment variable
timeless <timeless@mozdev.org> [Tue, 05 Apr 2016 01:35:58 +0000] rev 29282
run-tests: add support for RTUNICODEPEDANTRY environment variable based on 73e4a02e6d23
Fri, 27 May 2016 05:24:45 +0000 obsolete: fix grammar
timeless <timeless@mozdev.org> [Fri, 27 May 2016 05:24:45 +0000] rev 29281
obsolete: fix grammar
(0) -10000 -3000 -1000 -300 -100 -12 +12 +100 +300 +1000 +3000 +10000 tip