Mercurial Mercurial > mercurial / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: try to find CA certficates in well-known locations
authorGregory Szorc <gregory.szorc@gmail.com>
Wed, 06 Jul 2016 21:16:00 -0700
changeset 29500 4b16a5bd9948
parent 29499 9c5325c79683
child 29501 be68a4445041
sslutil: try to find CA certficates in well-known locations Many Linux distros and other Nixen have CA certificates in well-defined locations. Rather than potentially fail to load any CA certificates at all (which will always result in a certificate verification failure), we scan for paths to known CA certificate files and load one if seen. Because a proper Mercurial install will have the path to the CA certificate file defined at install time, we print a warning that the install isn't proper and provide a URL with instructions to correct things. We only perform path-based fallback on Pythons that don't know how to call into OpenSSL to load the default verify locations. This is because we trust that Python/OpenSSL is properly configured and knows better than Mercurial. So this new code effectively only runs on Python <2.7.9 (technically Pythons without the modern ssl module).
mercurial/sslutil.py file | annotate | diff | comparison | revisions
tests/test-https.t file | annotate | diff | comparison | revisions
tests/test-patchbomb-tls.t file | annotate | diff | comparison | revisions 
--- a/mercurial/sslutil.py	Wed Jul 06 20:46:05 2016 -0700
+++ b/mercurial/sslutil.py	Wed Jul 06 21:16:00 2016 -0700
@@ -430,12 +430,22 @@
     return (exe.startswith('/usr/bin/python') or
             exe.startswith('/system/library/frameworks/python.framework/'))
 
+_systemcacertpaths = [
+    # RHEL, CentOS, and Fedora
+    '/etc/pki/tls/certs/ca-bundle.trust.crt',
+    # Debian, Ubuntu, Gentoo
+    '/etc/ssl/certs/ca-certificates.crt',
+]
+
 def _defaultcacerts(ui):
     """return path to default CA certificates or None.
 
     It is assumed this function is called when the returned certificates
     file will actually be used to validate connections. Therefore this
     function may print warnings or debug messages assuming this usage.
+
+    We don't print a message when the Python is able to load default
+    CA certs because this scenario is detected at socket connect time.
     """
     # The "certifi" Python package provides certificates. If it is installed,
     # assume the user intends it to be used and use it.
@@ -480,6 +490,28 @@
                       'how to configure Mercurial to avoid this message)\n'))
         return None
 
+    # Try to find CA certificates in well-known locations. We print a warning
+    # when using a found file because we don't want too much silent magic
+    # for security settings. The expectation is that proper Mercurial
+    # installs will have the CA certs path defined at install time and the
+    # installer/packager will make an appropriate decision on the user's
+    # behalf. We only get here and perform this setting as a feature of
+    # last resort.
+    if not _canloaddefaultcerts:
+        for path in _systemcacertpaths:
+            if os.path.isfile(path):
+                ui.warn(_('(using CA certificates from %s; if you see this '
+                          'message, your Mercurial install is not properly '
+                          'configured; see '
+                          'https://mercurial-scm.org/wiki/SecureConnections '
+                          'for how to configure Mercurial to avoid this '
+                          'message)\n') % path)
+                return path
+
+        ui.warn(_('(unable to load CA certificates; see '
+                  'https://mercurial-scm.org/wiki/SecureConnections for '
+                  'how to configure Mercurial to avoid this message)\n'))
+
     return None
 
 def validatesocket(sock):
--- a/tests/test-https.t	Wed Jul 06 20:46:05 2016 -0700
+++ b/tests/test-https.t	Wed Jul 06 21:16:00 2016 -0700
@@ -56,6 +56,7 @@
 
 #if no-sslcontext defaultcacerts
   $ hg clone https://localhost:$HGPORT/ copy-pull
+  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
@@ -77,6 +78,7 @@
 
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
+  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
--- a/tests/test-patchbomb-tls.t	Wed Jul 06 20:46:05 2016 -0700
+++ b/tests/test-patchbomb-tls.t	Wed Jul 06 21:16:00 2016 -0700
@@ -58,6 +58,7 @@
   this patch series consists of 1 patches.
   
   
+  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   (?i)abort: .*?certificate.verify.failed.* (re)
   [255]
 #endif
@@ -67,6 +68,7 @@
   this patch series consists of 1 patches.
   
   
+  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   (?i)abort: .*?certificate.verify.failed.* (re)
   [255]
mercurial