[PATCH] sslutil: issue warning when [hostfingerprint] is used

Kevin Bullock kbullock+mercurial at ringworld.org
Fri Mar 10 16:48:19 EST 2017


> On Mar 10, 2017, at 12:15, Kevin Bullock <kbullock+mercurial at ringworld.org> wrote:
> 
>> On Mar 9, 2017, at 20:33, Gregory Szorc <gregory.szorc at gmail.com> wrote:
>> 
>> # HG changeset patch
>> # User Gregory Szorc <gregory.szorc at gmail.com>
>> # Date 1489120409 28800
>> #      Thu Mar 09 20:33:29 2017 -0800
>> # Node ID dc23d3c303052341d5ac6b5856e4a52047b8454e
>> # Parent  cd29673cebdbe2d998009322e4c3657389d6aed0
>> sslutil: issue warning when [hostfingerprint] is used
>> 
>> Mercurial 3.9 added the [hostsecurity] section, which is better
>> than [hostfingerprints] in every way.
>> 
>> One of the ways that [hostsecurity] is better is that it supports
>> SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints.
>> 
>> The world is moving away from SHA-1 because it is borderline
>> secure. Mercurial should be part of that movement.
>> 
>> This patch adds a warning when a valid SHA-1 fingerprint from
>> the [hostfingerprints] section is being used. The warning informs
>> users to switch to [hostsecurity]. It even prints the config
>> option they should set. It uses the SHA-256 fingerprint because
>> recommending a SHA-1 fingerprint in 2017 would be ill-advised.
>> 
>> The warning will print itself on every connection to a server until
>> it is fixed. There is no way to suppress the warning. I admit this
>> is annoying. But given the security implications of sticking with
>> SHA-1, I think this is justified. If this patch is accepted,
>> I'll likely send a follow-up to start warning on SHA-1
>> certificates in [hostsecurity] as well. Then sometime down
>> the road, we can drop support for SHA-1 fingerprints.
>> 
>> Credit for this idea comes from timeless in issue 5466.
> 
> I'm in favor of this. Multiple lines of parenthetical messages seem weird to me, and it seems elsewhere we favor long lines over splitting parenthetical hints, so let's bikeshed that in person.

Pushed with parenthetical messages joined into one line per in-person conversation.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
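The check the commit message describes, as an added example that is not Mercurial's own sslutil code: it validates a legacy [hostfingerprints] SHA-1 pin against the server certificate and, when the pin matches, builds the [hostsecurity] line that pins the SHA-256 fingerprint instead. The helper names, the warning wording and the stand-in DER bytes are constructed for this example; the `host:fingerprints = sha256:...` key format is the one documented for [hostsecurity].

```python
import hashlib


def fingerprint(der: bytes, algo: str) -> str:
    """Hash the DER-encoded certificate and format the digest as
    colon-separated lowercase hex, the notation used in hgrc."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Compare pins case- and colon-insensitively."""
    return fp.replace(":", "").lower()


def verify_legacy_pin(host: str, der: bytes, hostfingerprints: dict):
    """Check a legacy [hostfingerprints] SHA-1 pin for `host`.

    Returns (matched, warning): matched is None when no legacy pin exists
    for the host, False when the pin does not match (the connection must be
    refused, so no migration hint is offered), and True when it matches; in
    that case warning carries the [hostsecurity] line to migrate to, built
    from the SHA-256 fingerprint of the same certificate.
    """
    pinned = hostfingerprints.get(host)
    if pinned is None:
        return None, None
    if normalize(pinned) != normalize(fingerprint(der, "sha1")):
        return False, None
    recommended = "%s:fingerprints = sha256:%s" % (
        host, fingerprint(der, "sha256"))
    warning = (  # constructed wording, not Mercurial's actual message
        "(SHA-1 fingerprint for %s found in legacy [hostfingerprints] "
        "section; if you trust this fingerprint, remove it and add the "
        "following to [hostsecurity] to pin the SHA-256 fingerprint "
        "instead: %s)" % (host, recommended))
    return True, warning


# Constructed sample: a stand-in byte string for a server's DER certificate
# (a fingerprint is just a hash over the DER bytes, so any bytes exercise
# the logic) and a legacy hgrc pin derived from it, in upper-case hex to
# show that the comparison is case-insensitive.
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_HOSTFINGERPRINTS = {
    "hg.example.com": fingerprint(SAMPLE_DER, "sha1").upper()}

if __name__ == "__main__":
    matched, warning = verify_legacy_pin(
        "hg.example.com", SAMPLE_DER, SAMPLE_HOSTFINGERPRINTS)
    print(matched)
    print(warning)
```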