Mercurial > public > mercurial-scm > hg
comparison mercurial/sslutil.py @ 31290:f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used
Mercurial 3.9 added the [hostsecurity] section, which is better
than [hostfingerprints] in every way.
One of the ways that [hostsecurity] is better is that it supports
SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints.
The world is moving away from SHA-1 because it is borderline
secure. Mercurial should be part of that movement.
This patch adds a warning when a valid SHA-1 fingerprint from
the [hostfingerprints] section is being used. The warning informs
users to switch to [hostsecurity]. It even prints the config
option they should set. It uses the SHA-256 fingerprint because
recommending a SHA-1 fingerprint in 2017 would be ill-advised.
The warning will print itself on every connection to a server until
it is fixed. There is no way to suppress the warning. I admit this
is annoying. But given the security implications of sticking with
SHA-1, I think this is justified. If this patch is accepted,
I'll likely send a follow-up to start warning on SHA-1
certificates in [hostsecurity] as well. Then sometime down
the road, we can drop support for SHA-1 fingerprints.
Credit for this idea comes from timeless in issue 5466.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Thu, 09 Mar 2017 20:33:29 -0800 |
| parents | 2912b06905dc |
| children | c777b12cdc9b |
comparison
equal
deleted
inserted
replaced
| 31289:718a57e95a89 | 31290:f819aa9dbbf9 |
|---|---|
| 813 if settings['certfingerprints']: | 813 if settings['certfingerprints']: |
| 814 for hash, fingerprint in settings['certfingerprints']: | 814 for hash, fingerprint in settings['certfingerprints']: |
| 815 if peerfingerprints[hash].lower() == fingerprint: | 815 if peerfingerprints[hash].lower() == fingerprint: |
| 816 ui.debug('%s certificate matched fingerprint %s:%s\n' % | 816 ui.debug('%s certificate matched fingerprint %s:%s\n' % |
| 817 (host, hash, fmtfingerprint(fingerprint))) | 817 (host, hash, fmtfingerprint(fingerprint))) |
| 818 if settings['legacyfingerprint']: | |
| 819 ui.warn(_('(SHA-1 fingerprint for %s found in legacy ' | |
| 820 '[hostfingerprints] section; ' | |
| 821 'if you trust this fingerprint, set the ' | |
| 822 'following config value in [hostsecurity] and ' | |
| 823 'remove the old one from [hostfingerprints] ' | |
| 824 'to upgrade to a more secure SHA-256 ' | |
| 825 'fingerprint: ' | |
| 826 '%s.fingerprints=%s)\n') % ( | |
| 827 host, host, nicefingerprint)) | |
| 818 return | 828 return |
| 819 | 829 |
| 820 # Pinned fingerprint didn't match. This is a fatal error. | 830 # Pinned fingerprint didn't match. This is a fatal error. |
| 821 if settings['legacyfingerprint']: | 831 if settings['legacyfingerprint']: |
| 822 section = 'hostfingerprint' | 832 section = 'hostfingerprint' |