sslutil: allow multiple fingerprints per host
Certificate pinning via [hostfingerprints] is a useful security
feature. Currently, we only support one fingerprint per hostname.
This is simple but it fails in the real world:
* Switching certificates breaks clients until they change the
pinned certificate fingerprint. This incurs client downtime
and can require massive amounts of coordination to perform
certificate changes.
* Some servers operate with multiple certificates on the same
hostname.
This patch adds support for defining multiple certificate
fingerprints per host. This overcomes the deficiencies listed
above. I anticipate the primary use case of this feature will
be to define both the old and new certificate so a certificate
transition can occur with minimal interruption, so this scenario
has been called out in the help documentation.
--- a/mercurial/help/config.txt Sun Mar 13 13:51:01 2016 -0700
+++ b/mercurial/help/config.txt Sun Mar 13 14:03:58 2016 -0700
@@ -974,6 +974,9 @@
This is very similar to how ssh known hosts works.
The fingerprint is the SHA-1 hash value of the DER encoded certificate.
+Multiple values can be specified (separated by spaces or commas). This can
+be used to define both old and new fingerprints while a host transitions
+to a new certificate.
The CA chain and web.cacerts is not used for servers with a fingerprint.
--- a/mercurial/sslutil.py Sun Mar 13 13:51:01 2016 -0700
+++ b/mercurial/sslutil.py Sun Mar 13 14:03:58 2016 -0700
@@ -162,7 +162,7 @@
def __call__(self, sock, strict=False):
host = self.host
cacerts = self.ui.config('web', 'cacerts')
- hostfingerprint = self.ui.config('hostfingerprints', host)
+ hostfingerprints = self.ui.configlist('hostfingerprints', host)
if not sock.cipher(): # work around http://bugs.python.org/issue13721
raise error.Abort(_('%s ssl connection error') % host)
@@ -178,9 +178,14 @@
peerfingerprint = util.sha1(peercert).hexdigest()
nicefingerprint = ":".join([peerfingerprint[x:x + 2]
for x in xrange(0, len(peerfingerprint), 2)])
- if hostfingerprint:
- if peerfingerprint.lower() != \
- hostfingerprint.replace(':', '').lower():
+ if hostfingerprints:
+ fingerprintmatch = False
+ for hostfingerprint in hostfingerprints:
+ if peerfingerprint.lower() == \
+ hostfingerprint.replace(':', '').lower():
+ fingerprintmatch = True
+ break
+ if not fingerprintmatch:
raise error.Abort(_('certificate for %s has unexpected '
'fingerprint %s') % (host, nicefingerprint),
hint=_('check hostfingerprint configuration'))
--- a/tests/test-https.t Sun Mar 13 13:51:01 2016 -0700
+++ b/tests/test-https.t Sun Mar 13 14:03:58 2016 -0700
@@ -290,6 +290,21 @@
$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
5fed3813f7f5
+- multiple fingerprints specified and first matches
+ $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
+ 5fed3813f7f5
+
+- multiple fingerprints specified and last matches
+ $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
+ 5fed3813f7f5
+
+- multiple fingerprints specified and none match
+
+ $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
+ abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
+ (check hostfingerprint configuration)
+ [255]
+
- fails when cert doesn't match hostname (port is ignored)
$ hg -R copy-pull id https://localhost:$HGPORT1/
abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b