mercurial: Changelog

smtp: verify the certificate of the SMTP server for STARTTLS/SMTPS Before this patch, the certificate of the SMTP server for STARTTLS or SMTPS isn't verified. This may cause man-in-the-middle security problem (stealing authentication information), even though SMTP channel itself is encrypted by SSL. When "[smtp] tls" is configured as "smtps" or "starttls", this patch: - uses classes introduced by preceding patches instead of "SMTP" or "SMTP_SSL" of smtplib, and - verifies the certificate of the SMTP server, if "[smtp] verifycert" is configured as other than False "[smtp] verifycert" can be configured in 3 levels: - "strict": This verifies peer certificate, and aborts if: - peer certification is not valid, or - no configuration in "[hostfingerprints]" and "[web] cacerts" This is default value of "[smtp] verifycert" for security. - "loose": This verifies peer certificate, and aborts if peer certification is not valid. This just shows warning message ("certificate not verified"), if there is no configuration in "[hostfingerprints]" and "[web] cacerts". This is as same as verification for HTTPS connection. - False(no verification): Peer certificate is not verified. This is as same as the behavior before this patch series. "hg email --insecure" uses "loose" level, and ignores "[web] cacerts" as same as push/pull/etc... with --insecure. Ignoring "[web] cacerts" configuration for "hg email --insecure" is already done in "dispatch._dispatch()" by looking "insecure" up in the table of command options.

sslutil: abort if peer certificate is not verified for secure use Before this patch, "sslutil.validator" may returns successfully, even if peer certificate is not verified because there is no information in "[hostfingerprints]" and "[web] cacerts". To prevent from sending authentication credential to untrustable SMTP server, validation should be aborted if peer certificate is not verified. This patch introduces "strict" optional argument, and "sslutil.validator" will abort if it is True and peer certificate is not verified.

smtp: add the class to verify the certificate of the SMTP server for SMTPS Original "smtplib.SMTP_SSL" has no route to pass "ca_certs" and "cert_reqs" arguments to underlying SSL socket creation. This causes that "getpeercert()" on SSL socket returns empty dict, so the peer certificate for SMTPS can't be verified. This patch introduces the "SMTPS" class derived from "smtplib.SMTP" to pass "ca_certs" and "cert_reqs" arguments to underlying SSL socket creation. "SMTPS" class is derived directly from "smtplib.SMTP", because amount of "smtplib.SMTP_SSL" definition derived from "smtplib.SMTP" is as same as one needed to override it. This patch defines "SMTPS" class, only when "smtplib.SMTP" class has "_get_socket()" method, because this makes using SSL socket instead of normal socket easy. "smtplib.SMTP" class of Python 2.5.x or earlier doesn't have this method. Omitting SMTPS support for them is reasonable, because "smtplib.SMTP_SSL" is already unavailable for them before this patch. Almost all code of "SMTPS" class is imported from "smtplib.SMTP_SSL" of Python 2.7.3, but it differs from original code in point below: - "ssl.wrap_socket()" is replaced by "sslutil.ssl_wrap_socket()" for compatibility between Python versions

smtp: add the class to verify the certificate of the SMTP server for STARTTLS Original "smtplib.SMTP" has no route to pass "ca_certs" and "cert_reqs" arguments to underlying SSL socket creation. This causes that "getpeercert()" on SSL socket returns empty dict, so the peer certificate for STARTTLS can't be verified. This patch introduces the "STARTTLS" class derived from "smtplib.SMTP" to pass "ca_certs" and "cert_reqs" arguments to underlying SSL socket creation. Almost all code of "starttls()" in this class is imported from "smtplib.SMTP" of Python 2.7.3, but it differs from original code in points below: - "self.ehlo_or_helo_if_needed()" invocation is omitted, because: - "ehlo_or_helo_if_needed()" is available with Python 2.6 or later, and - "ehlo()" is explicitly invoked in "mercurial.mail._smtp()" - "if not _have_ssl:" check is omitted, because: - "_have_ssl" is available with Python 2.6 or later, and - same checking is done in "mercurial.sslutil.ssl_wrap_socket()" - "ssl.wrap_socket()" is replaced by "sslutil.ssl_wrap_socket()" for compatibility between Python versions - use "sock.recv()" also as "sock.read()", if "sock" doesn't have "read()" method with Python 2.5.x or earlier, "sslutil.ssl_wrap_socket()" returns "httplib.FakeSocket"-ed object, and it doesn't have "read()" method, which is invoked via "smtplib.SSLFakeFile".