[PATCH RFC] url: 'ssh known host'-like checking of fingerprints of https certificates

Matt Mackall mpm at selenic.com
Thu Jan 27 15:51:42 CST 2011


On Sat, 2011-01-22 at 02:49 +0100, Mads Kiilerich wrote:
> # HG changeset patch
> # User Mads Kiilerich <mads at kiilerich.com>
> # Date 1295660937 -3600
> # Branch stable
> # Node ID 69cd37bb48e8ec5b3fa1627048507e156c35dca8
> # Parent  9f943043bd7d1c508ff868e74b4cb41ad87162a4
> url: 'ssh known host'-like checking of fingerprints of https certificates
> 
> It seems like Python ssl provides a way to check host identity without going
> all the way to the CA certificate.

Queued for stable.

> TODO:
> 
> Do Python/OpenSSL really verify that the remote server has the private key that
> corresponds to the public key in the certificate we take the fingerprint of -
> even when we don't ask for verification of the certificate? Who can confirm
> that? I am not sufficiently familiar with the details of TLS and OpenSSL.

Not sure if that's a meaningful question. The client will encrypt the
session key with the public key of the server, which we verify using the
fingerprint. If the server can't decrypt it because it lied, well, it's
not going to be a very interesting session.

-- 
Mathematics is the supreme nostalgia of our time.
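
Added example, not part of the original message or of the Mercurial patch: a sketch of the 'known host'-style check the commit message describes, using Python 3's `ssl` module to read the peer certificate without CA validation and compare its fingerprint to a stored pin. The function names, the host-to-fingerprint pin layout, the choice of SHA-256 and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert):
    """Colon-separated SHA-256 hex digest of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(host, der_cert, pins):
    """Compare a presented certificate with the pin stored for host.

    Returns "match", "mismatch", or "unknown" (no pin stored, so the caller
    must fall back to CA validation or refuse the connection).
    """
    pinned = pins.get(host.lower())
    if pinned is None:
        return "unknown"
    if not der_cert:
        return "mismatch"  # peer sent no certificate at all
    want = pinned.replace(":", "").lower()
    got = fingerprint(der_cert).replace(":", "")
    return "match" if hmac.compare_digest(want, got) else "mismatch"


def connect_pinned(host, pins, port=443, timeout=10):
    """Open a TLS socket that is returned only if the pin matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA chain check; the pin is the check
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = None
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
        # The DER bytes are available even though validation was not requested.
        verdict = check_pin(host, tls.getpeercert(binary_form=True), pins)
        if verdict != "match":
            raise ssl.SSLError("certificate pin %s for %s" % (verdict, host))
        return tls
    except Exception:
        (tls or raw).close()
        raise


# Constructed sample data: stand-in bytes, not a real certificate.
SAMPLE_CERT = b"constructed stand-in for DER certificate bytes"
SAMPLE_PINS = {"hg.example.org": fingerprint(SAMPLE_CERT).upper()}
```

The pin is checked before the socket is handed back, so no request data is written to a peer whose certificate does not match.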



