Mercurial > hg
changeset 29268:f200b58497f1
sslutil: reference appropriate config section in messaging
Error messages reference the config section defining the host
fingerprint. Now that we have multiple sections where this config
setting could live, we need to point the user at the appropriate
one.
We default to the new "hostsecurity" section. But we will still
refer them to the "hostfingerprint" section if a value is defined
there.
There are some corner cases where the messaging might be off. e.g.
they could define a SHA-1 fingerprint in both sections. IMO the
messaging needs a massive overhaul. I plan to do this as part
of future refactoring to security settings.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sat, 28 May 2016 12:58:46 -0700 |
| parents | f0ccb6cde3e5 |
| children | b6f9934cf10b |
| files | mercurial/sslutil.py tests/test-https.t |
| diffstat | 2 files changed, 26 insertions(+), 18 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Sat May 28 12:37:36 2016 -0700 +++ b/mercurial/sslutil.py Sat May 28 12:58:46 2016 -0700 @@ -117,6 +117,8 @@ # Path to file containing concatenated CA certs. Used by # SSLContext.load_verify_locations(). 'cafile': None, + # Whether the legacy [hostfingerprints] section has data for this host. + 'legacyfingerprint': False, # ssl.CERT_* constant used by SSLContext.verify_mode. 'verifymode': None, } @@ -140,6 +142,7 @@ for fingerprint in ui.configlist('hostfingerprints', hostname, []): fingerprint = fingerprint.replace(':', '').lower() s['certfingerprints'].append(('sha1', fingerprint)) + s['legacyfingerprint'] = True # If a host cert fingerprint is defined, it is the only thing that # matters. No need to validate CA certs. @@ -350,6 +353,11 @@ nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2] for x in range(0, len(peerfingerprints['sha1']), 2)]) + if settings['legacyfingerprint']: + section = 'hostfingerprint' + else: + section = 'hostsecurity' + if settings['certfingerprints']: fingerprintmatch = False for hash, fingerprint in settings['certfingerprints']: @@ -359,7 +367,7 @@ if not fingerprintmatch: raise error.Abort(_('certificate for %s has unexpected ' 'fingerprint %s') % (host, nicefingerprint), - hint=_('check hostfingerprint configuration')) + hint=_('check %s configuration') % section) ui.debug('%s certificate matched fingerprint %s\n' % (host, nicefingerprint)) return @@ -372,28 +380,28 @@ # the same as below for BC. if ui.insecureconnections: ui.warn(_('warning: %s certificate with fingerprint %s not ' - 'verified (check hostfingerprints or web.cacerts ' + 'verified (check %s or web.cacerts ' 'config setting)\n') % - (host, nicefingerprint)) + (host, nicefingerprint, section)) return if not sock._hgstate['caloaded']: if strict: raise error.Abort(_('%s certificate with fingerprint %s not ' 'verified') % (host, nicefingerprint), - hint=_('check hostfingerprints or ' - 'web.cacerts config setting')) + hint=_('check %s or web.cacerts config ' + 'setting') % section) else: ui.warn(_('warning: %s certificate with fingerprint %s ' - 'not verified (check hostfingerprints or ' - 'web.cacerts config setting)\n') % - (host, nicefingerprint)) + 'not verified (check %s or web.cacerts config ' + 'setting)\n') % + (host, nicefingerprint, section)) return msg = _verifycert(peercert2, host) if msg: raise error.Abort(_('%s certificate error: %s') % (host, msg), - hint=_('configure hostfingerprint %s or use ' + hint=_('configure %s %s or use ' '--insecure to connect insecurely') % - nicefingerprint) + (section, nicefingerprint))
--- a/tests/test-https.t Sat May 28 12:37:36 2016 -0700 +++ b/tests/test-https.t Sat May 28 12:58:46 2016 -0700 @@ -177,7 +177,7 @@ clone via pull $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) requesting all changes adding changesets adding manifests @@ -204,7 +204,7 @@ $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc $ hg pull $DISABLEOSXDUMMYCERT pulling from https://localhost:$HGPORT/ - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) searching for changes adding changesets adding manifests @@ -236,7 +236,7 @@ no changes found $ P=`pwd` hg -R copy-pull pull --insecure pulling from https://localhost:$HGPORT/ - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) searching for changes no changes found @@ -245,11 +245,11 @@ $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ pulling from https://127.0.0.1:$HGPORT/ abort: 127.0.0.1 certificate error: certificate is for localhost - (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely) + (configure hostsecurity 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely) [255] $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure pulling from https://127.0.0.1:$HGPORT/ - warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) + warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) searching for changes no changes found $ hg -R copy-pull pull --config web.cacerts=pub-other.pem @@ -258,7 +258,7 @@ [255] $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure pulling from https://localhost:$HGPORT/ - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) searching for changes no changes found @@ -316,7 +316,7 @@ $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca - (check hostfingerprint configuration) + (check hostsecurity configuration) [255] - fails when cert doesn't match hostname (port is ignored) @@ -348,7 +348,7 @@ $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback pulling from https://localhost:$HGPORT/ - warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) + warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) searching for changes no changes found