[PATCH 2 of 2] url: check server certificates when connecting through proxy (issue2407)

Thomas Arendsen Hein thomas at intevation.de
Mon Nov 1 14:56:30 CDT 2010 

* Mads Kiilerich <mads at kiilerich.com> [20101101 12:01]:
> On 11/01/2010 11:12 AM, Thomas Arendsen Hein wrote:
>> * Mads Kiilerich<mads at kiilerich.com>  [20101101 02:16]:
>>> # HG changeset patch
>>> # User Mads Kiilerich<mads at kiilerich.com>
>>> # Date 1288573886 -3600
>>> # Branch stable
>>> # Node ID 391543217c1a222deb236d1fcc426e264921cd82
>>> # Parent  191f4f62a3ae7d9f27b3b16267c4f1400fd2451f
>>> url: check server certificates when connecting through proxy (issue2407)
>>
>> Does not help for me:
>>
>>> diff --git a/mercurial/url.py b/mercurial/url.py
>>> --- a/mercurial/url.py
>>> +++ b/mercurial/url.py
>>> @@ -540,8 +540,25 @@
>>>                   self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>>                   self.sock.connect((self.host, self.port))
>>>                   if _generic_proxytunnel(self):
>>> -                    self.sock = _ssl_wrap_socket(self.sock, self.key_file,
>>> -                            self.cert_file)
>>> +                    if hasattr(self, 'ui'):
>>> +                        cacerts = self.ui.config('web', 'cacerts')
>>> +                    else:
>>> +                        cacerts = None
>>> +
>>> +                    if cacerts:
>>> +                        self.sock = _ssl_wrap_socket(self.sock, self.key_file,
>>> +                                self.cert_file, cert_reqs=CERT_REQUIRED,
>>> +                                ca_certs=cacerts)
>>> +                        realhost = self.realhostport.rsplit(':', 1)[0]
>>> +                        msg = _verifycert(self.sock.getpeercert(), realhost)
>>> +                        if msg:
>>> +                            raise util.Abort(_('%s certificate error: %s') %
>>> +                                             (realhost, msg))
>>> +                        self.ui.debug('%s certificate successfully verified\n' %
>>> +                                      realhost)
>>> +                    else:
>>> +                        self.sock = _ssl_wrap_socket(self.sock, self.key_file,
>>> +                                self.cert_file)
>>>               else:
>>>                   BetterHTTPS.connect(self)
>>
>> This code path is not executed for me, but httpconnection.connect()
>> (url.py, line 140), which has no handling of cacerts.
>
> Line 338?

I wanted to write "line 340" for the socket.socket call, but yes,
338 (httpconnection.connect) is correct.

> Can you give a test case? Are you connecting to a https server through  
> proxy but using "http://"?

export http_proxy=http://proxy:8080/
./hg --config web.cacerts=Intevation-Root-CA-2010.crt in https://hg.intevation.de/mercurial/crew/

(CA file from https://ssl.intevation.de/Intevation-Root-CA-2010.crt)

> FWIW I don't understand why httpconnection.connect unconditionally wraps  
> in SSL if SSL is available and we are using proxy and we can CONNECT.  
> Shouldn't that only be done for https connections - which won't end up  
> in that code anyway? And what's the story behind the comment that we  
> don't support client x509 certificates?

What I just found out: Your patch works fine with Python 2.6, but
with Python 2.5 + ssl 1.15 it does not. Even test-https.t fails
in this case:

ERROR: /home/thomas/hg/repos/tah/tests/test-https.t output changed
--- /home/thomas/hg/repos/tah/tests/test-https.t 
+++ /home/thomas/hg/repos/tah/tests/test-https.t.err 
@@ -183,22 +183,20 @@
 Test verification of certificates when connecting with https through proxy
 
   $ http_proxy=http://localhost:$HGPORT1/ hg --config http_proxy.always=True -R copy-pull pull
-  pulling from https://localhost:$HGPORT/
-  searching for changes
-  no changes found
+  abort: error: 
+  [255]
 
 Test using cacert through proxy
 
   $ http_proxy=http://localhost:$HGPORT1/ hg --config http_proxy.always=True -R copy-pull pull --config web.cacerts=pub.pem
-  pulling from https://localhost:$HGPORT/
-  searching for changes
-  no changes found
+  abort: error: 
+  [255]
   $ http_proxy=http://localhost:$HGPORT1/ hg --config http_proxy.always=True -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
-  abort: 127.0.0.1 certificate error: certificate is for localhost
+  abort: error: 
   [255]
   $ http_proxy=http://localhost:$HGPORT1/ hg --config http_proxy.always=True -R copy-pull pull --config web.cacerts=pub-other.pem
-  abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
+  abort: error: 
   [255]
   $ http_proxy=http://localhost:$HGPORT1/ hg --config http_proxy.always=True -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
-  abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
-  [255]
+  abort: error: 
+  [255]
!
Failed test-https.t: output changed
# Ran 1 tests, 0 skipped, 1 failed.


Regards,
Thomas

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

More information about the Mercurial-devel mailing list