[PATCH 4 of 9 V4] sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc
gregory.szorc at gmail.com
Sat Jun 4 14:16:50 EDT 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1464836240 25200
# Wed Jun 01 19:57:20 2016 -0700
# Node ID 720a8dbf9c063111a10911f0301de3534dcfab20
# Parent 889e642a3b04400460dca12b3c05a8a6d222ee62
sslutil: add devel.disableloaddefaultcerts to disable CA loading
There are various tests for behavior when CA certs aren't loaded.
Previously, we would pass --insecure to disable loading of CA
certs. This has worked up to this point because the error message
for --insecure and no CAs loaded is the same. Upcoming commits will
change the error message for --insecure and will change behavior
when CAs aren't loaded.
This commit introduces the ability to disable loading of CA certs
by setting devel.disableloaddefaultcerts. This allows a testing
backdoor to disable loading of CA certs even if system/default
CA certs are available. The flag is purposefully not exposed to
end-users because there should not be a need for this in the wild:
certificate pinning and --insecure provide workarounds to disable
cert loading/validation.
Tests have been updated to use the new method. The variable used
to disable CA certs has been renamed because the method is not
OS X specific.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -107,16 +107,19 @@ except AttributeError:
return ssl.wrap_socket(socket, **args)
def _hostsettings(ui, hostname):
"""Obtain security settings for a hostname.
Returns a dict of settings relevant to that hostname.
"""
s = {
+ # Whether we should attempt to load default/available CA certs
+ # if an explicit ``cafile`` is not defined.
+ 'allowloaddefaultcerts': True,
# List of 2-tuple of (hash algorithm, hash).
'certfingerprints': [],
# Path to file containing concatenated CA certs. Used by
# SSLContext.load_verify_locations().
'cafile': None,
# Whether certificate verification should be disabled.
'disablecertverification': False,
# Whether the legacy [hostfingerprints] section has data for this host.
@@ -151,16 +154,19 @@ def _hostsettings(ui, hostname):
if s['certfingerprints']:
s['verifymode'] = ssl.CERT_NONE
# If --insecure is used, don't take CAs into consideration.
elif ui.insecureconnections:
s['disablecertverification'] = True
s['verifymode'] = ssl.CERT_NONE
+ if ui.configbool('devel', 'disableloaddefaultcerts'):
+ s['allowloaddefaultcerts'] = False
+
# Try to hook up CA certificate validation unless something above
# makes it not necessary.
if s['verifymode'] is None:
# Find global certificates file in config.
cafile = ui.config('web', 'cacerts')
if cafile:
cafile = util.expandpath(cafile)
@@ -171,17 +177,17 @@ def _hostsettings(ui, hostname):
cafile = _defaultcacerts()
if cafile:
ui.debug('using %s to enable OS X system CA\n' % cafile)
s['cafile'] = cafile
# Require certificate validation if CA certs are being loaded and
# verification hasn't been disabled above.
- if cafile or _canloaddefaultcerts:
+ if cafile or (_canloaddefaultcerts and s['allowloaddefaultcerts']):
s['verifymode'] = ssl.CERT_REQUIRED
else:
# At this point we don't have a fingerprint, aren't being
# explicitly insecure, and can't load CA certs. Connecting
# at this point is insecure. But we do it for BC reasons.
# TODO abort here to make secure by default.
s['verifymode'] = ssl.CERT_NONE
@@ -238,20 +244,22 @@ def wrapsocket(sock, keyfile, certfile,
def password():
f = keyfile or certfile
return ui.getpass(_('passphrase for %s: ') % f, '')
sslcontext.load_cert_chain(certfile, keyfile, password)
if settings['cafile'] is not None:
sslcontext.load_verify_locations(cafile=settings['cafile'])
caloaded = True
- else:
+ elif settings['allowloaddefaultcerts']:
# This is a no-op on old Python.
sslcontext.load_default_certs()
- caloaded = _canloaddefaultcerts
+ caloaded = True
+ else:
+ caloaded = False
sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
# check if wrap_socket failed silently because socket had been
# closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():
raise error.Abort(_('ssl connection failed'))
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -157,31 +157,30 @@ Test server address cannot be reused
[255]
#else
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at ':$HGPORT': Address already in use
[255]
#endif
$ cd ..
-OS X has a dummy CA cert that enables use of the system CA store when using
-Apple's OpenSSL. This trick do not work with plain OpenSSL.
+Our test cert is not signed by a trusted CA. It should fail to verify if
+we are able to load CA certs.
- $ DISABLEOSXDUMMYCERT=
#if defaultcacerts
$ hg clone https://localhost:$HGPORT/ copy-pull
abort: error: *certificate verify failed* (glob)
[255]
+#endif
- $ DISABLEOSXDUMMYCERT="--insecure"
-#endif
+ $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
clone via pull
- $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
+ $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
@@ -197,17 +196,17 @@ clone via pull
adding bar
$ cd ..
pull without cacert
$ cd copy-pull
$ echo '[hooks]' >> .hg/hgrc
$ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
- $ hg pull $DISABLEOSXDUMMYCERT
+ $ hg pull $DISABLECACERTS
pulling from https://localhost:$HGPORT/
warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting)
searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
More information about the Mercurial-devel
mailing list