sslutil: reference appropriate config section in messaging
Error messages reference the config section defining the host
fingerprint. Now that we have multiple sections where this config
setting could live, we need to point the user at the appropriate
one.
We default to the new "hostsecurity" section. But we will still
refer them to the "hostfingerprint" section if a value is defined
there.
There are some corner cases where the messaging might be off. e.g.
they could define a SHA-1 fingerprint in both sections. IMO the
messaging needs a massive overhaul. I plan to do this as part
of future refactoring to security settings.
--- a/mercurial/sslutil.py Sat May 28 12:37:36 2016 -0700
+++ b/mercurial/sslutil.py Sat May 28 12:58:46 2016 -0700
@@ -117,6 +117,8 @@
# Path to file containing concatenated CA certs. Used by
# SSLContext.load_verify_locations().
'cafile': None,
+ # Whether the legacy [hostfingerprints] section has data for this host.
+ 'legacyfingerprint': False,
# ssl.CERT_* constant used by SSLContext.verify_mode.
'verifymode': None,
}
@@ -140,6 +142,7 @@
for fingerprint in ui.configlist('hostfingerprints', hostname, []):
fingerprint = fingerprint.replace(':', '').lower()
s['certfingerprints'].append(('sha1', fingerprint))
+ s['legacyfingerprint'] = True
# If a host cert fingerprint is defined, it is the only thing that
# matters. No need to validate CA certs.
@@ -350,6 +353,11 @@
nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
for x in range(0, len(peerfingerprints['sha1']), 2)])
+ if settings['legacyfingerprint']:
+ section = 'hostfingerprint'
+ else:
+ section = 'hostsecurity'
+
if settings['certfingerprints']:
fingerprintmatch = False
for hash, fingerprint in settings['certfingerprints']:
@@ -359,7 +367,7 @@
if not fingerprintmatch:
raise error.Abort(_('certificate for %s has unexpected '
'fingerprint %s') % (host, nicefingerprint),
- hint=_('check hostfingerprint configuration'))
+ hint=_('check %s configuration') % section)
ui.debug('%s certificate matched fingerprint %s\n' %
(host, nicefingerprint))
return
@@ -372,28 +380,28 @@
# the same as below for BC.
if ui.insecureconnections:
ui.warn(_('warning: %s certificate with fingerprint %s not '
- 'verified (check hostfingerprints or web.cacerts '
+ 'verified (check %s or web.cacerts '
'config setting)\n') %
- (host, nicefingerprint))
+ (host, nicefingerprint, section))
return
if not sock._hgstate['caloaded']:
if strict:
raise error.Abort(_('%s certificate with fingerprint %s not '
'verified') % (host, nicefingerprint),
- hint=_('check hostfingerprints or '
- 'web.cacerts config setting'))
+ hint=_('check %s or web.cacerts config '
+ 'setting') % section)
else:
ui.warn(_('warning: %s certificate with fingerprint %s '
- 'not verified (check hostfingerprints or '
- 'web.cacerts config setting)\n') %
- (host, nicefingerprint))
+ 'not verified (check %s or web.cacerts config '
+ 'setting)\n') %
+ (host, nicefingerprint, section))
return
msg = _verifycert(peercert2, host)
if msg:
raise error.Abort(_('%s certificate error: %s') % (host, msg),
- hint=_('configure hostfingerprint %s or use '
+ hint=_('configure %s %s or use '
'--insecure to connect insecurely') %
- nicefingerprint)
+ (section, nicefingerprint))
--- a/tests/test-https.t Sat May 28 12:37:36 2016 -0700
+++ b/tests/test-https.t Sat May 28 12:58:46 2016 -0700
@@ -177,7 +177,7 @@
clone via pull
$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
- warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+ warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
requesting all changes
adding changesets
adding manifests
@@ -204,7 +204,7 @@
$ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
$ hg pull $DISABLEOSXDUMMYCERT
pulling from https://localhost:$HGPORT/
- warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+ warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
searching for changes
adding changesets
adding manifests
@@ -236,7 +236,7 @@
no changes found
$ P=`pwd` hg -R copy-pull pull --insecure
pulling from https://localhost:$HGPORT/
- warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+ warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
searching for changes
no changes found
@@ -245,11 +245,11 @@
$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
pulling from https://127.0.0.1:$HGPORT/
abort: 127.0.0.1 certificate error: certificate is for localhost
- (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
+ (configure hostsecurity 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
[255]
$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
pulling from https://127.0.0.1:$HGPORT/
- warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+ warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
searching for changes
no changes found
$ hg -R copy-pull pull --config web.cacerts=pub-other.pem
@@ -258,7 +258,7 @@
[255]
$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
pulling from https://localhost:$HGPORT/
- warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+ warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
searching for changes
no changes found
@@ -316,7 +316,7 @@
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
- (check hostfingerprint configuration)
+ (check hostsecurity configuration)
[255]
- fails when cert doesn't match hostname (port is ignored)
@@ -348,7 +348,7 @@
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
pulling from https://localhost:$HGPORT/
- warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
+ warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
searching for changes
no changes found