Cannot pull/push to https server with self-signed certificate

Steve Borho steve at borho.org
Sat Jan 8 16:27:15 CST 2011


On Sat, Jan 8, 2011 at 4:14 PM, Gilles Moris <gilles.moris at free.fr> wrote:
> On Saturday 08 January 2011 10:23:09 pm timeless wrote:
>> On Sat, Jan 8, 2011 at 8:13 PM, Matt Mackall <mpm at selenic.com> wrote:
>> >> Not knowing the implementation details, could we replace the F with a P
>> >> for prompt that would detect a self-signed certificate and ask the user
>> >> if we should continue. Much like what we have in web browsers.
>> >
>> > Rumor is Python's SSL support is too limited to do this.
>>
>> Assuming it is possible to give pythonssl a single CARoot to trust for
>> a connection, manually ignoring a single bad cert thing shouldn't be
>> too hard. -- I was told on #mercurial it is possible.
>>
>> Rough outline:
>> 1. You download the cert details in the initial connection.
>> 2. Show it to the user
>> 3. If the user says they want to accept that, you add this to .hg/hgrc:
>>
>> [certs]
>> host:port=pem-data
>>
>> 4. When we make a request to host:port, we use the pem data from
>> .hg/hgrc for host:port,
>> and pass that instead of our default root.
>>
>> note: when the host:port no longer matches the value in pem-data, we fail.
>>
>> We can make an additional <non mutating query> using the default roots
>> to determine if the server has been fixed to use a proper CA issued
>> cert.
>>
>> To handle cases where the Server used to be issued by a trusted CA, we
>> should also do this:
>>
>> 5. When connecting to https, if the server chains to a trusted root, add:
>>
>> [certs]
>> host:port=CA-Chained
>>
>> 6. When connecting to a host:port which has value=CA-Chained, if we
>> encounter a cert which is *not* in the CA Roots, we do a fatal fail
>> explaining that the server Used to be signed by a valid CA and is no
>> longer and that this generally is BAD.
>
> Looking around at Yuya's debug print patch, I think we can achieve at least
> 1, 2 & 3. We could check if this is a self-signed certificate before connecting,
> and if the user agrees to continue, use this PEM instead of the cacert from the
> hgrc. I'll give it a try.
>
> I am not a fan of poking around automatically in the hgrc file. I prefer that the
> user do that explicitly, even though a syntax with web.host:port=cert.pem
> would be highly desirable.

I would prefer we use the existing [auth] section that already deals
with authentication *to* the server and simply add a new item for
verifying the server to us.

[auth]
alias.cacerts = <file or blank>


-- 
Steve Borho
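
The per-host decision logic from the quoted six-step outline, as an added example that is not part of the original thread or of Mercurial's code. The [certs] section is the thread's proposal only; the function names, result strings and example.test hosts are assumptions, the certificate bytes are constructed placeholders, and chain validation against the default roots is represented by a boolean the caller supplies.

```python
import configparser
import hashlib
import ssl

CA_CHAINED = "CA-Chained"  # marker value from step 5 of the outline

def load_certs(hgrc_text):
    """Parse the proposed [certs] section into {"host:port": value}."""
    # Only "=" may delimit keys; the default also splits on ":", which
    # would cut "host:port" keys at the colon.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(hgrc_text)
    return dict(cp["certs"]) if cp.has_section("certs") else {}

def fingerprint(pem):
    """SHA-256 over the DER bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def decide(certs, hostport, presented_pem, chains_to_trusted_root):
    """Return the action for one connection attempt (hypothetical names)."""
    # chains_to_trusted_root: result of normal validation against the
    # default roots, computed by the caller (assumption of this sketch).
    entry = certs.get(hostport.lower())  # configparser lowercases keys
    if entry is None:
        # Steps 1-3 and 5: first contact with this host:port.
        return "record-ca-chained" if chains_to_trusted_root else "prompt-user"
    if entry == CA_CHAINED:
        # Step 6: a host that used to chain to a CA must keep doing so.
        return "ok" if chains_to_trusted_root else "fatal-no-longer-ca-signed"
    # Step 4 and the note: the presented cert must match the pinned PEM.
    if fingerprint(entry) == fingerprint(presented_pem):
        return "ok"
    return "fatal-pin-mismatch"

# Constructed placeholders, not real certificates.
PINNED = ssl.DER_cert_to_PEM_cert(b"constructed self-signed cert A")
OTHER = ssl.DER_cert_to_PEM_cert(b"constructed cert B")
SAMPLE_HGRC = (
    "[certs]\n"
    # Continuation lines of a multi-line value must be indented.
    "hg.example.test:443=" + PINNED.strip().replace("\n", "\n  ") + "\n"
    "ca.example.test:443=" + CA_CHAINED + "\n"
)

if __name__ == "__main__":
    certs = load_certs(SAMPLE_HGRC)
    for pem in (PINNED, OTHER):
        print(decide(certs, "hg.example.test:443", pem, False))
```

The mismatch and downgrade cases return distinct fatal results so a caller can explain which of the two conditions from the outline was hit.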

