changeset 29290:01248c37a68e

sslutil: print SHA-256 fingerprint by default The world is starting to move on from SHA-1. A few commits ago, we gained the ability to define certificate fingerprints using SHA-256 and SHA-512. Let's start printing the SHA-256 fingerprint instead of the SHA-1 fingerprint to encourage people to pin with a more secure hashing algorithm. There is still a bit of work to be done around the fingerprint messaging. This will be addressed in subsequent commits.
author Gregory Szorc <gregory.szorc@gmail.com>
date Mon, 30 May 2016 15:42:39 -0700
parents 3536673a25ae
children 15e533b7909c
files mercurial/sslutil.py tests/test-https.t
diffstat 2 files changed, 12 insertions(+), 8 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Mon May 30 13:15:53 2016 -0700
+++ b/mercurial/sslutil.py	Mon May 30 15:42:39 2016 -0700
@@ -373,8 +373,12 @@
         'sha256': util.sha256(peercert).hexdigest(),
         'sha512': util.sha512(peercert).hexdigest(),
     }
-    nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
-        for x in range(0, len(peerfingerprints['sha1']), 2)])
+
+    def fmtfingerprint(s):
+        return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)])
+
+    legacyfingerprint = fmtfingerprint(peerfingerprints['sha1'])
+    nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
 
     if settings['legacyfingerprint']:
         section = 'hostfingerprint'
@@ -389,10 +393,10 @@
                 break
         if not fingerprintmatch:
             raise error.Abort(_('certificate for %s has unexpected '
-                               'fingerprint %s') % (host, nicefingerprint),
-                             hint=_('check %s configuration') % section)
+                               'fingerprint %s') % (host, legacyfingerprint),
+                              hint=_('check %s configuration') % section)
         ui.debug('%s certificate matched fingerprint %s\n' %
-                 (host, nicefingerprint))
+                 (host, legacyfingerprint))
         return
 
     if not sock._hgstate['caloaded']:
--- a/tests/test-https.t	Mon May 30 13:15:53 2016 -0700
+++ b/tests/test-https.t	Mon May 30 15:42:39 2016 -0700
@@ -176,7 +176,7 @@
 clone via pull
 
   $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
-  warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
+  warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting)
   requesting all changes
   adding changesets
   adding manifests
@@ -203,7 +203,7 @@
   $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
   $ hg pull $DISABLECACERTS
   pulling from https://localhost:$HGPORT/
-  warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
+  warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting)
   searching for changes
   adding changesets
   adding manifests
@@ -244,7 +244,7 @@
   $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
   pulling from https://127.0.0.1:$HGPORT/
   abort: 127.0.0.1 certificate error: certificate is for localhost
-  (configure hostsecurity 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
+  (configure hostsecurity sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or use --insecure to connect insecurely)
   [255]
   $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
   pulling from https://127.0.0.1:$HGPORT/