# HG changeset patch # User Gregory Szorc # Date 1457903038 25200 # Node ID dfb21c34e07dfeeccb9be6197ad15733ee53a48e # Parent ce1160ae21507d7a8c444c41b19689dea5809587 sslutil: allow multiple fingerprints per host Certificate pinning via [hostfingerprints] is a useful security feature. Currently, we only support one fingerprint per hostname. This is simple but it fails in the real world: * Switching certificates breaks clients until they change the pinned certificate fingerprint. This incurs client downtime and can require massive amounts of coordination to perform certificate changes. * Some servers operate with multiple certificates on the same hostname. This patch adds support for defining multiple certificate fingerprints per host. This overcomes the deficiencies listed above. I anticipate the primary use case of this feature will be to define both the old and new certificate so a certificate transition can occur with minimal interruption, so this scenario has been called out in the help documentation. diff -r ce1160ae2150 -r dfb21c34e07d mercurial/help/config.txt --- a/mercurial/help/config.txt Sun Mar 13 13:51:01 2016 -0700 +++ b/mercurial/help/config.txt Sun Mar 13 14:03:58 2016 -0700 @@ -974,6 +974,9 @@ This is very similar to how ssh known hosts works. The fingerprint is the SHA-1 hash value of the DER encoded certificate. +Multiple values can be specified (separated by spaces or commas). This can +be used to define both old and new fingerprints while a host transitions +to a new certificate. The CA chain and web.cacerts is not used for servers with a fingerprint. diff -r ce1160ae2150 -r dfb21c34e07d mercurial/sslutil.py --- a/mercurial/sslutil.py Sun Mar 13 13:51:01 2016 -0700 +++ b/mercurial/sslutil.py Sun Mar 13 14:03:58 2016 -0700 @@ -162,7 +162,7 @@ def __call__(self, sock, strict=False): host = self.host cacerts = self.ui.config('web', 'cacerts') - hostfingerprint = self.ui.config('hostfingerprints', host) + hostfingerprints = self.ui.configlist('hostfingerprints', host) if not sock.cipher(): # work around http://bugs.python.org/issue13721 raise error.Abort(_('%s ssl connection error') % host) @@ -178,9 +178,14 @@ peerfingerprint = util.sha1(peercert).hexdigest() nicefingerprint = ":".join([peerfingerprint[x:x + 2] for x in xrange(0, len(peerfingerprint), 2)]) - if hostfingerprint: - if peerfingerprint.lower() != \ - hostfingerprint.replace(':', '').lower(): + if hostfingerprints: + fingerprintmatch = False + for hostfingerprint in hostfingerprints: + if peerfingerprint.lower() == \ + hostfingerprint.replace(':', '').lower(): + fingerprintmatch = True + break + if not fingerprintmatch: raise error.Abort(_('certificate for %s has unexpected ' 'fingerprint %s') % (host, nicefingerprint), hint=_('check hostfingerprint configuration')) diff -r ce1160ae2150 -r dfb21c34e07d tests/test-https.t --- a/tests/test-https.t Sun Mar 13 13:51:01 2016 -0700 +++ b/tests/test-https.t Sun Mar 13 14:03:58 2016 -0700 @@ -290,6 +290,21 @@ $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=! 5fed3813f7f5 +- multiple fingerprints specified and first matches + $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=! + 5fed3813f7f5 + +- multiple fingerprints specified and last matches + $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=! + 5fed3813f7f5 + +- multiple fingerprints specified and none match + + $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=! + abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca + (check hostfingerprint configuration) + [255] + - fails when cert doesn't match hostname (port is ignored) $ hg -R copy-pull id https://localhost:$HGPORT1/ abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b