Mercurial > public > mercurial-scm > hg-stable

diff mercurial/sslutil.py @ 31299:f819aa9dbbf9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: issue warning when [hostfingerprint] is used Mercurial 3.9 added the [hostsecurity] section, which is better than [hostfingerprints] in every way. One of the ways that [hostsecurity] is better is that it supports SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints. The world is moving away from SHA-1 because it is borderline secure. Mercurial should be part of that movement. This patch adds a warning when a valid SHA-1 fingerprint from the [hostfingerprints] section is being used. The warning informs users to switch to [hostsecurity]. It even prints the config option they should set. It uses the SHA-256 fingerprint because recommending a SHA-1 fingerprint in 2017 would be ill-advised. The warning will print itself on every connection to a server until it is fixed. There is no way to suppress the warning. I admit this is annoying. But given the security implications of sticking with SHA-1, I think this is justified. If this patch is accepted, I'll likely send a follow-up to start warning on SHA-1 certificates in [hostsecurity] as well. Then sometime down the road, we can drop support for SHA-1 fingerprints. Credit for this idea comes from timeless in issue 5466.
author Gregory Szorc <gregory.szorc@gmail.com>
date Thu, 09 Mar 2017 20:33:29 -0800
parents 2912b06905dc
children c777b12cdc9b
line wrap: on
line diff
--- a/mercurial/sslutil.py	Thu Mar 09 19:59:52 2017 -0800
+++ b/mercurial/sslutil.py	Thu Mar 09 20:33:29 2017 -0800
@@ -815,6 +815,16 @@
             if peerfingerprints[hash].lower() == fingerprint:
                 ui.debug('%s certificate matched fingerprint %s:%s\n' %
                          (host, hash, fmtfingerprint(fingerprint)))
+                if settings['legacyfingerprint']:
+                    ui.warn(_('(SHA-1 fingerprint for %s found in legacy '
+                              '[hostfingerprints] section; '
+                              'if you trust this fingerprint, set the '
+                              'following config value in [hostsecurity] and '
+                              'remove the old one from [hostfingerprints] '
+                              'to upgrade to a more secure SHA-256 '
+                              'fingerprint: '
+                              '%s.fingerprints=%s)\n') % (
+                                  host, host, nicefingerprint))
                 return
 
         # Pinned fingerprint didn't match. This is a fatal error.