# HG changeset patch # User Gregory Szorc # Date 1464648159 25200 # Node ID 01248c37a68e8b99655f8bcaacc6966fbc413960 # Parent 3536673a25ae06f0cecf5a910f267b25b2d9a210 sslutil: print SHA-256 fingerprint by default The world is starting to move on from SHA-1. A few commits ago, we gained the ability to define certificate fingerprints using SHA-256 and SHA-512. Let's start printing the SHA-256 fingerprint instead of the SHA-1 fingerprint to encourage people to pin with a more secure hashing algorithm. There is still a bit of work to be done around the fingerprint messaging. This will be addressed in subsequent commits. diff -r 3536673a25ae -r 01248c37a68e mercurial/sslutil.py --- a/mercurial/sslutil.py Mon May 30 13:15:53 2016 -0700 +++ b/mercurial/sslutil.py Mon May 30 15:42:39 2016 -0700 @@ -373,8 +373,12 @@ 'sha256': util.sha256(peercert).hexdigest(), 'sha512': util.sha512(peercert).hexdigest(), } - nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2] - for x in range(0, len(peerfingerprints['sha1']), 2)]) + + def fmtfingerprint(s): + return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)]) + + legacyfingerprint = fmtfingerprint(peerfingerprints['sha1']) + nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256']) if settings['legacyfingerprint']: section = 'hostfingerprint' @@ -389,10 +393,10 @@ break if not fingerprintmatch: raise error.Abort(_('certificate for %s has unexpected ' - 'fingerprint %s') % (host, nicefingerprint), - hint=_('check %s configuration') % section) + 'fingerprint %s') % (host, legacyfingerprint), + hint=_('check %s configuration') % section) ui.debug('%s certificate matched fingerprint %s\n' % - (host, nicefingerprint)) + (host, legacyfingerprint)) return if not sock._hgstate['caloaded']: diff -r 3536673a25ae -r 01248c37a68e tests/test-https.t --- a/tests/test-https.t Mon May 30 13:15:53 2016 -0700 +++ b/tests/test-https.t Mon May 30 15:42:39 2016 -0700 @@ -176,7 +176,7 @@ clone via pull $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) + warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) requesting all changes adding changesets adding manifests @@ -203,7 +203,7 @@ $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc $ hg pull $DISABLECACERTS pulling from https://localhost:$HGPORT/ - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) + warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) searching for changes adding changesets adding manifests @@ -244,7 +244,7 @@ $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ pulling from https://127.0.0.1:$HGPORT/ abort: 127.0.0.1 certificate error: certificate is for localhost - (configure hostsecurity 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely) + (configure hostsecurity sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or use --insecure to connect insecurely) [255] $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure pulling from https://127.0.0.1:$HGPORT/