mercurial-scm/hg: mercurial/sslutil.py@2cd3fa4412dc (annotated)

14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	1	# sslutil.py - SSL handling for mercurial
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	2	#
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	3	# Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	4	# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	5	# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	6	#
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	7	# This software may be used and distributed according to the terms of the
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	8	# GNU General Public License version 2 or any later version.
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22574 diff changeset	9	import os, sys
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	10
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	11	from mercurial import util
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	12	from mercurial.i18n import _
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	13	try:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	14	# avoid using deprecated/broken FakeSocket in python 2.6
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	15	import ssl
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	16	CERT_REQUIRED = ssl.CERT_REQUIRED
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	17	PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	18	PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	19	def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
15812 0cc4ad757c77 sslutil: verify that wrap_socket really wrapped the socket Mads Kiilerich <mads@kiilerich.com> parents: 15160 diff changeset	20	cert_reqs=ssl.CERT_NONE, ca_certs=None):
0cc4ad757c77 sslutil: verify that wrap_socket really wrapped the socket Mads Kiilerich <mads@kiilerich.com> parents: 15160 diff changeset	21	sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	22	cert_reqs=cert_reqs, ca_certs=ca_certs,
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	23	ssl_version=ssl_version)
15812 0cc4ad757c77 sslutil: verify that wrap_socket really wrapped the socket Mads Kiilerich <mads@kiilerich.com> parents: 15160 diff changeset	24	# check if wrap_socket failed silently because socket had been closed
0cc4ad757c77 sslutil: verify that wrap_socket really wrapped the socket Mads Kiilerich <mads@kiilerich.com> parents: 15160 diff changeset	25	# - see http://bugs.python.org/issue13721
0cc4ad757c77 sslutil: verify that wrap_socket really wrapped the socket Mads Kiilerich <mads@kiilerich.com> parents: 15160 diff changeset	26	if not sslsocket.cipher():
0cc4ad757c77 sslutil: verify that wrap_socket really wrapped the socket Mads Kiilerich <mads@kiilerich.com> parents: 15160 diff changeset	27	raise util.Abort(_('ssl connection failed'))
0cc4ad757c77 sslutil: verify that wrap_socket really wrapped the socket Mads Kiilerich <mads@kiilerich.com> parents: 15160 diff changeset	28	return sslsocket
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	29	except ImportError:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	30	CERT_REQUIRED = 2
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	31
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	32	PROTOCOL_SSLv23 = 2
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	33	PROTOCOL_TLSv1 = 3
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	34
14616 64dfbe576455 sslutil: Restore missing imports of socket and httplib to sslutil Stephen Thorne <stephen@thorne.id.au> parents: 14204 diff changeset	35	import socket, httplib
64dfbe576455 sslutil: Restore missing imports of socket and httplib to sslutil Stephen Thorne <stephen@thorne.id.au> parents: 14204 diff changeset	36
19808 3b82d412e9e8 sslutil: make keyfile and certfile arguments consistent between 2.6+ and 2.5- Augie Fackler <raf@durin42.com> parents: 19806 diff changeset	37	def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	38	cert_reqs=CERT_REQUIRED, ca_certs=None):
15160 b2d4400398f3 sslutil: abort when ssl module is needed but not found Mads Kiilerich <mads@kiilerich.com> parents: 14667 diff changeset	39	if not util.safehasattr(socket, 'ssl'):
b2d4400398f3 sslutil: abort when ssl module is needed but not found Mads Kiilerich <mads@kiilerich.com> parents: 14667 diff changeset	40	raise util.Abort(_('Python SSL support not found'))
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	41	if ca_certs:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	42	raise util.Abort(_(
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	43	'certificate checking requires Python 2.6'))
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	44
19808 3b82d412e9e8 sslutil: make keyfile and certfile arguments consistent between 2.6+ and 2.5- Augie Fackler <raf@durin42.com> parents: 19806 diff changeset	45	ssl = socket.ssl(sock, keyfile, certfile)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	46	return httplib.FakeSocket(sock, ssl)
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	47
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	48	def _verifycert(cert, hostname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	49	'''Verify that cert (in socket.getpeercert() format) matches hostname.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	50	CRLs is not handled.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	51
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	52	Returns error message if any problems are found and None on success.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	53	'''
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	54	if not cert:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	55	return _('no certificate received')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	56	dnsname = hostname.lower()
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	57	def matchdnsname(certname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	58	return (certname == dnsname or
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	59	'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	60
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	61	san = cert.get('subjectAltName', [])
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	62	if san:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	63	certnames = [value.lower() for key, value in san if key == 'DNS']
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	64	for name in certnames:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	65	if matchdnsname(name):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	66	return None
14666 27b080aa880a sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Nicolas Bareil <nico@chdir.org> parents: 14616 diff changeset	67	if certnames:
27b080aa880a sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Nicolas Bareil <nico@chdir.org> parents: 14616 diff changeset	68	return _('certificate is for %s') % ', '.join(certnames)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	69
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	70	# subject is only checked when subjectAltName is empty
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	71	for s in cert.get('subject', []):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	72	key, value = s[0]
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	73	if key == 'commonName':
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	74	try:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	75	# 'subject' entries are unicode
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	76	certname = value.lower().encode('ascii')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	77	except UnicodeEncodeError:
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	78	return _('IDN in certificate not supported')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	79	if matchdnsname(certname):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	80	return None
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	81	return _('certificate is for %s') % certname
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	82	return _('no commonName or subjectAltName found in certificate')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	83
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	84
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	85	# CERT_REQUIRED means fetch the cert from the server all the time AND
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	86	# validate it against the CA store provided in web.cacerts.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	87	#
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	88	# We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	89	# busted on those versions.
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	90
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	91	def _plainapplepython():
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	92	"""return true if this seems to be a pure Apple Python that
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	93	* is unfrozen and presumably has the whole mercurial module in the file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	94	system
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	95	* presumably is an Apple Python that uses Apple OpenSSL which has patches
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	96	for using system certificate store CAs in addition to the provided
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	97	cacerts file
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	98	"""
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	99	if sys.platform != 'darwin' or util.mainfrozen():
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	100	return False
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	101	exe = (sys.executable or '').lower()
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	102	return (exe.startswith('/usr/bin/python') or
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	103	exe.startswith('/system/library/frameworks/python.framework/'))
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	104
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	105	def sslkwargs(ui, host):
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	106	forcetls = ui.configbool('ui', 'tls', default=True)
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	107	if forcetls:
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	108	ssl_version = PROTOCOL_TLSv1
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	109	else:
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	110	ssl_version = PROTOCOL_SSLv23
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	111	kws = {'ssl_version': ssl_version,
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	112	}
22574 a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	113	hostfingerprint = ui.config('hostfingerprints', host)
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	114	if hostfingerprint:
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	115	return kws
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	116	cacerts = ui.config('web', 'cacerts')
a00a7951b20c ssl: refactor sslkwargs - move things around a bit, preparing for next change Mads Kiilerich <madski@unity3d.com> parents: 19808 diff changeset	117	if cacerts:
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	118	cacerts = util.expandpath(cacerts)
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	119	if not os.path.exists(cacerts):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	120	raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
23042 2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410) Mads Kiilerich <madski@unity3d.com> parents: 22575 diff changeset	121	elif cacerts is None and _plainapplepython():
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22574 diff changeset	122	dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22574 diff changeset	123	if os.path.exists(dummycert):
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22574 diff changeset	124	ui.debug('using %s to enable OS X system CA\n' % dummycert)
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22574 diff changeset	125	ui.setconfig('web', 'cacerts', dummycert, 'dummy')
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22574 diff changeset	126	cacerts = dummycert
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22574 diff changeset	127	if cacerts:
19806 47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	128	kws.update({'ca_certs': cacerts,
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	129	'cert_reqs': CERT_REQUIRED,
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	130	})
47ff9d1abfa9 sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038) Augie Fackler <raf@durin42.com> parents: 19749 diff changeset	131	return kws
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	132
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	133	class validator(object):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	134	def __init__(self, ui, host):
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	135	self.ui = ui
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	136	self.host = host
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	137
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	138	def __call__(self, sock, strict=False):
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	139	host = self.host
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	140	cacerts = self.ui.config('web', 'cacerts')
5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	141	hostfingerprint = self.ui.config('hostfingerprints', host)
15813 3ae04eb5e38a sslutil: handle setups without .getpeercert() early in the validator Mads Kiilerich <mads@kiilerich.com> parents: 15812 diff changeset	142	if not getattr(sock, 'getpeercert', False): # python 2.5 ?
3ae04eb5e38a sslutil: handle setups without .getpeercert() early in the validator Mads Kiilerich <mads@kiilerich.com> parents: 15812 diff changeset	143	if hostfingerprint:
3ae04eb5e38a sslutil: handle setups without .getpeercert() early in the validator Mads Kiilerich <mads@kiilerich.com> parents: 15812 diff changeset	144	raise util.Abort(_("host fingerprint for %s can't be "
3ae04eb5e38a sslutil: handle setups without .getpeercert() early in the validator Mads Kiilerich <mads@kiilerich.com> parents: 15812 diff changeset	145	"verified (Python too old)") % host)
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	146	if strict:
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	147	raise util.Abort(_("certificate for %s can't be verified "
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	148	"(Python too old)") % host)
16391 9cf7c9d529d0 ui: optionally quiesce ssl verification warnings on python 2.5 Steven Stallion <sstallion@gmail.com> parents: 15997 diff changeset	149	if self.ui.configbool('ui', 'reportoldssl', True):
9cf7c9d529d0 ui: optionally quiesce ssl verification warnings on python 2.5 Steven Stallion <sstallion@gmail.com> parents: 15997 diff changeset	150	self.ui.warn(_("warning: certificate for %s can't be verified "
9cf7c9d529d0 ui: optionally quiesce ssl verification warnings on python 2.5 Steven Stallion <sstallion@gmail.com> parents: 15997 diff changeset	151	"(Python too old)\n") % host)
15813 3ae04eb5e38a sslutil: handle setups without .getpeercert() early in the validator Mads Kiilerich <mads@kiilerich.com> parents: 15812 diff changeset	152	return
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	153
15816 4bb59919c905 sslutil: work around validator crash getting certificate on failed sockets Mads Kiilerich <mads@kiilerich.com> parents: 15815 diff changeset	154	if not sock.cipher(): # work around http://bugs.python.org/issue13721
4bb59919c905 sslutil: work around validator crash getting certificate on failed sockets Mads Kiilerich <mads@kiilerich.com> parents: 15815 diff changeset	155	raise util.Abort(_('%s ssl connection error') % host)
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	156	try:
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	157	peercert = sock.getpeercert(True)
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	158	peercert2 = sock.getpeercert()
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	159	except AttributeError:
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	160	raise util.Abort(_('%s ssl connection error') % host)
93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	161
15817 8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	162	if not peercert:
8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	163	raise util.Abort(_('%s certificate error: '
8f377751b510 sslutil: abort properly if no certificate received for https connection Mads Kiilerich <mads@kiilerich.com> parents: 15816 diff changeset	164	'no certificate received') % host)
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	165	peerfingerprint = util.sha1(peercert).hexdigest()
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	166	nicefingerprint = ":".join([peerfingerprint[x:x + 2]
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	167	for x in xrange(0, len(peerfingerprint), 2)])
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	168	if hostfingerprint:
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	169	if peerfingerprint.lower() != \
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	170	hostfingerprint.replace(':', '').lower():
15997 a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	171	raise util.Abort(_('certificate for %s has unexpected '
a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	172	'fingerprint %s') % (host, nicefingerprint),
a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15817 diff changeset	173	hint=_('check hostfingerprint configuration'))
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	174	self.ui.debug('%s certificate matched fingerprint %s\n' %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	175	(host, nicefingerprint))
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	176	elif cacerts:
18879 93b03a222c3e sslutil: try harder to avoid getpeercert problems Matt Mackall <mpm@selenic.com> parents: 16391 diff changeset	177	msg = _verifycert(peercert2, host)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	178	if msg:
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	179	raise util.Abort(_('%s certificate error: %s') % (host, msg),
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	180	hint=_('configure hostfingerprint %s or use '
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	181	'--insecure to connect insecurely') %
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15813 diff changeset	182	nicefingerprint)
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	183	self.ui.debug('%s certificate successfully verified\n' % host)
18887 2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	184	elif strict:
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	185	raise util.Abort(_('%s certificate with fingerprint %s not '
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	186	'verified') % (host, nicefingerprint),
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	187	hint=_('check hostfingerprints or web.cacerts '
2d7fac049d3a sslutil: abort if peer certificate is not verified for secure use FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 18879 diff changeset	188	'config setting'))
14204 5fa21960b2f4 sslutil: extracted ssl methods from httpsconnection in url.py Augie Fackler <durin42@gmail.com> parents: diff changeset	189	else:
15815 edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	190	self.ui.warn(_('warning: %s certificate with fingerprint %s not '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	191	'verified (check hostfingerprints or web.cacerts '
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	192	'config setting)\n') %
edc3a901a63d sslutil: reorder validator code to make it more readable Mads Kiilerich <mads@kiilerich.com> parents: 15814 diff changeset	193	(host, nicefingerprint))

author	Mads Kiilerich <madski@unity3d.com>
	Fri, 17 Oct 2014 18:56:12 +0200
changeset 23042	2cd3fa4412dc
parent 22575	d7f7f1860f00
child 23069	22db405536be
permissions	-rw-r--r--