Cannot pull/push to https server with self-signed certificate

Gilles Moris gilles.moris at free.fr
Sat Jan 8 16:14:55 CST 2011


On Saturday 08 January 2011 10:23:09 pm timeless wrote:
> On Sat, Jan 8, 2011 at 8:13 PM, Matt Mackall <mpm at selenic.com> wrote:
> >> Not knowing the implementation details, could we replace the F with a P
> >> for prompt that would detect a self-signed certificate and ask the user
> >> if we should continue. Much like what we have in web browsers.
> >
> > Rumor is Python's SSL support is too limited to do this.
>
> Assuming it is possible to give pythonssl a single CARoot to trust for
> a connection, manually ignoring a single bad cert thing shouldn't be
> too hard. -- I was told on #mercurial it is possible.
>
> Rough outline:
> 1. You download the cert details in the initial connection.
> 2. Show it to the user
> 3. If the user says they want to accept that, you add this to .hg/hgrc:
>
> [certs]
> host:port=pem-data
>
> 4. When we make a request to host:port, we use the pem data from
> .hg/hgrc for host:port,
> and pass that instead of our default root.
>
> note: when the host:port no longer matches the value in pem-data, we fail.
>
> We can make an additional <non mutating query> using the default roots
> to determine if the server has been fixed to use a proper CA issued
> cert.
>
> To handle cases where the server used to be issued by a trusted CA, we
> should also do this:
>
> 5. When connecting to https, if the server chains to a trusted root, add:
>
> [certs]
> host:port=CA-Chained
>
> 6. When connecting to a host:port which has value=CA-Chained, if we
> encounter a cert which is *not* in the CA Roots, we do a fatal fail
> explaining that the server used to be signed by a valid CA and is no
> longer and that this generally is BAD.

Looking around at Yuya's debug print patch, I think we can achieve at least 
1, 2 & 3. We could check whether this is a self-signed certificate before 
connecting, and if the user agrees, continue using this PEM instead of the 
cacert from the hgrc. I'll give it a try.

I am not a fan of poking around automatically in the hgrc file. I prefer that 
the user do that explicitly, even though a syntax like web.host:port=cert.pem 
would be highly desirable.

Regards.
Gilles.
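The trust-on-first-use scheme sketched in timeless's steps 1-6 above, written out as an added example. This is not Mercurial code and not code from either poster: the `PinStore`, `Verdict` and `check` names are hypothetical, the `[certs]` layout is the one the thread proposes, the PEM strings are constructed placeholders rather than real certificates, and the `chains_to_trusted_root` flag is assumed to be supplied by the caller as the result of verifying the presented cert against the default roots.

```python
"""Trust-on-first-use pinning keyed by host:port, following the thread's
steps 1-6 (added example; not Mercurial code, not from either poster)."""
import configparser
import io
import ssl
from enum import Enum

CA_CHAINED = "CA-Chained"   # marker value from step 5 of the outline


class Verdict(Enum):
    TRUSTED_CA = "chains to a trusted root"
    PROMPT = "unknown cert: show it to the user and ask (steps 1-2)"
    PINNED_OK = "matches the PEM pinned in [certs] (step 4)"
    PIN_MISMATCH = "pinned PEM no longer matches: fail (note after step 4)"
    DOWNGRADE = "was CA-chained, now is not: fatal (step 6)"
    UPGRADED = "pinned host now chains to a trusted root: pin can be dropped"


def _normalize(pem):
    """Compare PEM bodies ignoring whitespace and line-wrapping differences."""
    return "".join(pem.split())


class PinStore:
    """A [certs] section in hgrc syntax: host:port = PEM data or CA-Chained.

    Hypothetical helper. ':' appears inside the keys, so only '=' may act
    as delimiter; multi-line PEM values use indented continuation lines.
    """

    def __init__(self, text=""):
        self.cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        self.cfg.optionxform = str          # keep host:port exactly as written
        self.cfg.read_string(text)
        if not self.cfg.has_section("certs"):
            self.cfg.add_section("certs")

    def get(self, hostport):
        return self.cfg["certs"].get(hostport)

    def set(self, hostport, value):
        self.cfg["certs"][hostport] = value.strip()

    def dump(self):
        """Render as hgrc text the user can paste (or a tool can write)."""
        buf = io.StringIO()
        self.cfg.write(buf)
        return buf.getvalue()


def fetch_pem(host, port=443):
    """Step 1: grab the leaf cert the server presents (network; not run here)."""
    return ssl.get_server_certificate((host, port))


def accept(store, hostport, pem):
    """Step 3: the user looked at the cert and said yes; pin it."""
    store.set(hostport, pem)


def check(store, hostport, presented_pem, chains_to_trusted_root):
    """Decide what to do for one connection (policy from steps 4-6)."""
    pinned = store.get(hostport)
    if chains_to_trusted_root:
        if pinned is None:
            store.set(hostport, CA_CHAINED)   # step 5: remember it was CA-signed
            return Verdict.TRUSTED_CA
        if pinned == CA_CHAINED:
            return Verdict.TRUSTED_CA
        return Verdict.UPGRADED              # the "non-mutating query" case
    if pinned is None:
        return Verdict.PROMPT                # steps 1-2: never seen, ask
    if pinned == CA_CHAINED:
        return Verdict.DOWNGRADE             # step 6: this is BAD, fail hard
    if _normalize(pinned) == _normalize(presented_pem):
        return Verdict.PINNED_OK             # step 4
    return Verdict.PIN_MISMATCH


def ssl_context_for(store, hostport):
    """Step 4 on the socket: the pinned PEM replaces the default roots."""
    pinned = store.get(hostport)
    if pinned is None or pinned == CA_CHAINED:
        return ssl.create_default_context()           # system CA roots
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)     # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=pinned)          # the pin is the only trust anchor
    return ctx


# Constructed placeholders, not real certificates: enough to exercise the
# store and the policy, not enough to feed to ssl_context_for().
FAKE_PEM_A = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0VSVC1B\n-----END CERTIFICATE-----"
FAKE_PEM_B = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0VSVC1C\n-----END CERTIFICATE-----"


def demo():
    """Walk a self-signed host and a CA-signed host through the policy."""
    store = PinStore()
    selfsigned, casigned = "hg.example.org:443", "ca.example.org:443"
    out = [check(store, selfsigned, FAKE_PEM_A, False)]      # PROMPT
    accept(store, selfsigned, FAKE_PEM_A)
    store = PinStore(store.dump())                           # round-trip via hgrc text
    out.append(check(store, selfsigned, FAKE_PEM_A, False))  # PINNED_OK
    out.append(check(store, selfsigned, FAKE_PEM_B, False))  # PIN_MISMATCH
    out.append(check(store, casigned, FAKE_PEM_B, True))     # TRUSTED_CA, records CA-Chained
    out.append(check(store, casigned, FAKE_PEM_B, False))    # DOWNGRADE
    return out


if __name__ == "__main__":
    for v in demo():
        print(v.name, "-", v.value)
```

Two details worth keeping in mind if this is ported into a real config parser: the keys contain ':', so the parser must treat only '=' as the delimiter, and the PEM body spans several lines, which hgrc-style files carry as indented continuation lines (the `dump()` round trip above depends on both). With the pin installed, `ssl_context_for` still checks the hostname against the pinned certificate's names, so a pin for `host:port` does not silently cover a different host.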
