Bug 2407 - mercurial fails to verify ssl validity in https connections
Summary: mercurial fails to verify ssl validity in https connections
Status: RESOLVED FIXED
Alias: None
Product: Mercurial
Classification: Unclassified
Component: Mercurial
Version: unspecified
Hardware: All All
: critical bug
Assignee: Bugzilla
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-29 09:03 UTC by dave b
Modified: 2012-05-13 04:56 UTC

See Also:
Python Version: ---


Description dave b 2010-09-29 09:03 UTC
This is bad because the https implementation you are using (even wrapped
using ssl) is broken as per bug http://bugs.python.org/issue1589
as mercurial seems not to verify the common name.
So your application is vulnerable, as long as I have a certificate signed by
ca in the ca store, I can MITM it.
Comment 1 dave b 2010-09-29 09:04 UTC
the vulnerable code is in mercurial/url.py -->
 ssl = socket.ssl(sock, key_file, cert_fil for python 
for python > 2.6 ...
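The check the report says is missing, shown as an added example (not code from the Mercurial project or from this bug's patches): after the TLS handshake, the certificate's names must be compared against the host name that was dialled, otherwise any certificate chaining to a trusted CA is accepted for any host. The sample certificate dicts below are constructed in the shape returned by Python's `SSLSocket.getpeercert()`; the names `verify_hostname`, `_dnsname_match` and `connect_verified` are this example's own, and `connect_verified` assumes the Python 3 `ssl.SSLContext` API rather than the `socket.ssl`/`ssl.wrap_socket` calls of the 2010 code base. The same matcher has to be applied on a proxied connection too, since the proxy tunnel changes nothing about which host the certificate must be for.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape returned by
# SSLSocket.getpeercert(); these are not real certificates.
CERT_CN_ONLY = {
    "subject": ((("commonName", "hg.example.org"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "hg.example.org"),
                       ("DNS", "*.mirror.example.org")),
}


def _dnsname_match(pattern, hostname):
    """Match one certificate DNS name against a host name.

    Case-insensitive. A single '*' is accepted only as the whole leftmost
    label and only when at least two labels follow it, so '*.example.org'
    matches 'a.example.org' but not 'a.b.example.org' or 'example.org',
    and '*.org' matches nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False  # refuse partial wildcards such as 'h*.example.org'
    if len(plabels) < 3:
        return False  # refuse wildcards that would cover a whole TLD
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def verify_hostname(cert, hostname):
    """Return True if the peer certificate was issued for hostname.

    DNS entries in subjectAltName take precedence; commonName is consulted
    only when the certificate carries no DNS SAN. An empty cert (what
    getpeercert() returns when the peer was not verified) never matches.
    """
    if not cert:
        return False
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dnsname_match(name, hostname) for name in dns_names)


def connect_verified(host, port, cafile):
    """Open a TLS connection whose chain is checked against cafile and
    whose certificate names are checked against host.

    ssl.SSLContext with check_hostname=True already performs the name
    check; the explicit call to verify_hostname afterwards demonstrates
    the same check on the getpeercert() dict.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not verify_hostname(tls.getpeercert(), host):
        tls.close()
        raise ssl.CertificateError("certificate is not for %s" % host)
    return tls
```

`verify_hostname` is the piece that was absent from the `socket.ssl(...)` call quoted above: that call (and a bare `wrap_socket` with `cert_reqs=CERT_REQUIRED`) only proves the certificate chains to a trusted CA, not that it names the host being contacted.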
Comment 2 Thomas Arendsen Hein 2010-09-30 04:06 UTC
There is a patch from kiilerix on mercurial-devel with comments from me.
Comment 3 dave b 2010-09-30 04:09 UTC
Can you link me to the patch? 
I am not on the mailing list :/
Comment 4 Thomas Arendsen Hein 2010-09-30 04:35 UTC
* dave b <bugs@mercurial.selenic.com> [20100930 12:09]:
> Can you link me to the patch? 
> I am not on the mailing list :/

http://www.selenic.com/pipermail/mercurial-devel/2010-September/024854.html
http://www.selenic.com/pipermail/mercurial-devel/2010-September/024862.html
Comment 5 dave b 2010-09-30 04:38 UTC
The tests look pretty good to me.
Comment 6 HG Bot 2010-09-30 18:00 UTC
Fixed by http://hg.intevation.org/mercurial/crew/rev/f2937d6492c5
Mads Kiilerich <mads@kiilerich.com>
url: verify correctness of https server certificates (issue2407)
Comment 7 HG Bot 2010-10-16 21:00 UTC
Fixed by http://hg.intevation.org/mercurial/crew/rev/6ab4a7d3c179
Mads Kiilerich <mads@kiilerich.com>
url: validity (notBefore/notAfter) is checked by OpenSSL (issue2407)
Comment 8 Thomas Arendsen Hein 2010-10-31 16:15 UTC
Verified to work with python 2.6 and with python 2.5 + ssl 1.15.

Though the error message for expired certificates does not explain the
reason; it just prints an ssl verification error.

One important problem:
When http_proxy is set (and used), no host name verification is done!
Comment 9 kiilerix 2010-10-31 16:32 UTC
The nice messages that were removed in 6ab4a7d3c179 would never have been
used anyway, as wrap_socket would raise the generic exception in case of any
problems.

Upstream is aware that it could be nice to have better error messages - see
http://bugs.python.org/issue1589#msg118844 .

Yes, I missed the proxy case. The fix for that seems to be much simpler than
testing it ...
Comment 10 Matt Mackall 2010-11-02 13:33 UTC
Reclosing. If there are outstanding issues that don't match $TITLE, please
open a new issue for clarity.
Comment 11 Bugzilla 2012-05-12 09:12 UTC

--- Bug imported by bugzilla@serpentine.com 2012-05-12 09:12 EDT  ---

This bug was previously known as _bug_ 2407 at http://mercurial.selenic.com/bts/issue2407