Mercurial > hg

changeset 28525:dfb21c34e07d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: allow multiple fingerprints per host Certificate pinning via [hostfingerprints] is a useful security feature. Currently, we only support one fingerprint per hostname. This is simple but it fails in the real world: * Switching certificates breaks clients until they change the pinned certificate fingerprint. This incurs client downtime and can require massive amounts of coordination to perform certificate changes. * Some servers operate with multiple certificates on the same hostname. This patch adds support for defining multiple certificate fingerprints per host. This overcomes the deficiencies listed above. I anticipate the primary use case of this feature will be to define both the old and new certificate so a certificate transition can occur with minimal interruption, so this scenario has been called out in the help documentation.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 13 Mar 2016 14:03:58 -0700
parents ce1160ae2150
children 47b0cee25e88
files mercurial/help/config.txt mercurial/sslutil.py tests/test-https.t
diffstat 3 files changed, 27 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/help/config.txt	Sun Mar 13 13:51:01 2016 -0700
+++ b/mercurial/help/config.txt	Sun Mar 13 14:03:58 2016 -0700
@@ -974,6 +974,9 @@
 This is very similar to how ssh known hosts works.
 
 The fingerprint is the SHA-1 hash value of the DER encoded certificate.
+Multiple values can be specified (separated by spaces or commas). This can
+be used to define both old and new fingerprints while a host transitions
+to a new certificate.
 
 The CA chain and web.cacerts is not used for servers with a fingerprint.
 
--- a/mercurial/sslutil.py	Sun Mar 13 13:51:01 2016 -0700
+++ b/mercurial/sslutil.py	Sun Mar 13 14:03:58 2016 -0700
@@ -162,7 +162,7 @@
     def __call__(self, sock, strict=False):
         host = self.host
         cacerts = self.ui.config('web', 'cacerts')
-        hostfingerprint = self.ui.config('hostfingerprints', host)
+        hostfingerprints = self.ui.configlist('hostfingerprints', host)
 
         if not sock.cipher(): # work around http://bugs.python.org/issue13721
             raise error.Abort(_('%s ssl connection error') % host)
@@ -178,9 +178,14 @@
         peerfingerprint = util.sha1(peercert).hexdigest()
         nicefingerprint = ":".join([peerfingerprint[x:x + 2]
             for x in xrange(0, len(peerfingerprint), 2)])
-        if hostfingerprint:
-            if peerfingerprint.lower() != \
-                    hostfingerprint.replace(':', '').lower():
+        if hostfingerprints:
+            fingerprintmatch = False
+            for hostfingerprint in hostfingerprints:
+                if peerfingerprint.lower() == \
+                        hostfingerprint.replace(':', '').lower():
+                    fingerprintmatch = True
+                    break
+            if not fingerprintmatch:
                 raise error.Abort(_('certificate for %s has unexpected '
                                    'fingerprint %s') % (host, nicefingerprint),
                                  hint=_('check hostfingerprint configuration'))
--- a/tests/test-https.t	Sun Mar 13 13:51:01 2016 -0700
+++ b/tests/test-https.t	Sun Mar 13 14:03:58 2016 -0700
@@ -290,6 +290,21 @@
   $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
   5fed3813f7f5
 
+- multiple fingerprints specified and first matches
+  $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
+  5fed3813f7f5
+
+- multiple fingerprints specified and last matches
+  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
+  5fed3813f7f5
+
+- multiple fingerprints specified and none match
+
+  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
+  abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
+  (check hostfingerprint configuration)
+  [255]
+
 - fails when cert doesn't match hostname (port is ignored)
   $ hg -R copy-pull id https://localhost:$HGPORT1/
   abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b