This is bad because the https implementation you are using (even wrapped using ssl) is broken as per bug http://bugs.python.org/issue1589, as mercurial seems not to verify the common name. So your application is vulnerable: as long as I have a certificate signed by a CA in the CA store, I can MITM it.
The vulnerable code is in mercurial/url.py --> ssl = socket.ssl(sock, key_file, cert_fil for python > 2.6 ...
There is a patch from kiilerix on mercurial-devel with comments from me.
Can you link me to the patch? I am not on the mailing list :/
* dave b <bugs@mercurial.selenic.com> [20100930 12:09]:
> Can you link me to the patch?
> I am not on the mailing list :/
http://www.selenic.com/pipermail/mercurial-devel/2010-September/024854.html
http://www.selenic.com/pipermail/mercurial-devel/2010-September/024862.html
The tests look pretty good to me.
Fixed by http://hg.intevation.org/mercurial/crew/rev/f2937d6492c5 Mads Kiilerich <mads@kiilerich.com> url: verify correctness of https server certificates (issue2407)
Fixed by http://hg.intevation.org/mercurial/crew/rev/6ab4a7d3c179 Mads Kiilerich <mads@kiilerich.com> url: validity (notBefore/notAfter) is checked by OpenSSL (issue2407)
Verified to work with python 2.6 and with python 2.5 + ssl 1.15. The error message for expired certificates does not explain the reason, though, but just prints an ssl verification error. One important problem: when http_proxy is set (and used), no host name verification is done!
The nice messages that were removed in 6ab4a7d3c179 would never have been used anyway, as wrap_socket would raise the generic exception in case of any problems. Upstream is aware that it could be nice to have better error messages - see http://bugs.python.org/issue1589#msg118844 . Yes, I missed the proxy case. The fix for that seems to be much simpler than testing it ...
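The check this thread is about, as an added example that is not part of the bug report and not the code from the linked changesets: given the dictionary that Python's ssl module returns from getpeercert() for a CA-validated certificate, decide whether the peer actually holds a certificate for the host the client asked for. A CA-signed certificate alone (what socket.ssl / wrap_socket with CERT_REQUIRED gives you) only proves the peer is *somebody* the CA vouches for; the name match below is what turns that into "the peer is the host I dialled". The certificate dictionaries and host names are constructed for the example; the function names are this example's own.

```python
"""Host name verification on top of CA validation (added example).

The peer certificate dictionaries below are constructed for the example and
follow the shape that ssl.SSLSocket.getpeercert() returns: a 'subject' tuple
of RDNs and an optional 'subjectAltName' tuple of (type, value) pairs.
"""


def _match_name(pattern, host):
    """Match one certificate DNS name against the requested host.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire leftmost label and matches exactly one label,
    so '*.example.net' covers 'hg.example.net' but neither 'example.net' nor
    'a.b.example.net', and 'h*.example.net' is treated as a literal name.
    """
    pattern = pattern.lower().rstrip('.')
    host = host.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == host
    plabels = pattern.split('.')
    hlabels = host.split('.')
    # Refuse overly broad wildcards such as '*.com': require two fixed labels.
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return hlabels[0] != '' and plabels[1:] == hlabels[1:]


def cert_dns_names(cert):
    """Return the DNS names a certificate claims.

    subjectAltName dNSName entries take precedence; the subject commonName is
    consulted only when the certificate carries no dNSName at all, which is
    the legacy behaviour browsers applied to older certificates.
    """
    names = [value for kind, value in cert.get('subjectAltName', ())
             if kind == 'DNS']
    if names:
        return names
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                names.append(value)
    return names


def verify_hostname(cert, hostname):
    """Return None when cert is valid for hostname, else a reason string.

    getpeercert() returns an empty dict when the certificate was not
    validated (CERT_NONE), so an empty cert must fail closed rather than be
    treated as "nothing to check".
    """
    if not cert:
        return 'no validated certificate received from peer'
    names = cert_dns_names(cert)
    if not names:
        return 'certificate carries no DNS name to verify against'
    if any(_match_name(name, hostname) for name in names):
        return None
    return 'certificate is for %s, not %s' % (', '.join(names), hostname)


# Constructed sample certificates (not real certificates).
SAN_CERT = {
    'subject': ((('commonName', 'ignored.example.com'),),),
    'subjectAltName': (('DNS', 'hg.example.org'), ('DNS', '*.example.net')),
}
CN_ONLY_CERT = {
    'subject': ((('countryName', 'XX'),), (('commonName', 'hg.example.org'),)),
}


if __name__ == '__main__':
    for cert, host in [(SAN_CERT, 'hg.example.org'),
                       (SAN_CERT, 'ignored.example.com'),
                       (SAN_CERT, 'example.net'),
                       (CN_ONLY_CERT, 'hg.example.org'),
                       ({}, 'hg.example.org')]:
        print('%-22s %s' % (host, verify_hostname(cert, host) or 'OK'))
```

The host name handed to the verifier must be the origin server the user named in the URL. When the connection is tunnelled through an HTTP proxy, that is still the origin host from the URL, not the proxy's address; skipping the check in the proxy path is exactly the gap noted in the preceding comment.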
Reclosing. If there are outstanding issues that don't match $TITLE, please open a new issue for clarity.
--- Bug imported by bugzilla@serpentine.com 2012-05-12 09:12 EDT --- This bug was previously known as bug 2407 at http://mercurial.selenic.com/bts/issue2407