Mercurial > public > mercurial-scm > hg-stable

diff mercurial/sslutil.py @ 28525:dfb21c34e07d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: allow multiple fingerprints per host Certificate pinning via [hostfingerprints] is a useful security feature. Currently, we only support one fingerprint per hostname. This is simple but it fails in the real world: * Switching certificates breaks clients until they change the pinned certificate fingerprint. This incurs client downtime and can require massive amounts of coordination to perform certificate changes. * Some servers operate with multiple certificates on the same hostname. This patch adds support for defining multiple certificate fingerprints per host. This overcomes the deficiencies listed above. I anticipate the primary use case of this feature will be to define both the old and new certificate so a certificate transition can occur with minimal interruption, so this scenario has been called out in the help documentation.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 13 Mar 2016 14:03:58 -0700
parents 6c7d26cef0cd
children 7efff6ce9826
line wrap: on
line diff
--- a/mercurial/sslutil.py	Sun Mar 13 13:51:01 2016 -0700
+++ b/mercurial/sslutil.py	Sun Mar 13 14:03:58 2016 -0700
@@ -162,7 +162,7 @@
     def __call__(self, sock, strict=False):
         host = self.host
         cacerts = self.ui.config('web', 'cacerts')
-        hostfingerprint = self.ui.config('hostfingerprints', host)
+        hostfingerprints = self.ui.configlist('hostfingerprints', host)
 
         if not sock.cipher(): # work around http://bugs.python.org/issue13721
             raise error.Abort(_('%s ssl connection error') % host)
@@ -178,9 +178,14 @@
         peerfingerprint = util.sha1(peercert).hexdigest()
         nicefingerprint = ":".join([peerfingerprint[x:x + 2]
             for x in xrange(0, len(peerfingerprint), 2)])
-        if hostfingerprint:
-            if peerfingerprint.lower() != \
-                    hostfingerprint.replace(':', '').lower():
+        if hostfingerprints:
+            fingerprintmatch = False
+            for hostfingerprint in hostfingerprints:
+                if peerfingerprint.lower() == \
+                        hostfingerprint.replace(':', '').lower():
+                    fingerprintmatch = True
+                    break
+            if not fingerprintmatch:
                 raise error.Abort(_('certificate for %s has unexpected '
                                    'fingerprint %s') % (host, nicefingerprint),
                                  hint=_('check hostfingerprint configuration'))