Patchwork sslutil: reference fingerprints config option properly (issue5559)

login
register
mail settings
Submitter Gregory Szorc
Date May 8, 2017, 4:31 p.m.
Message ID <b0371710232710900977.1494261082@ubuntu-vm-main>
Download mbox | patch
Permalink /patch/20522/
State Accepted
Headers show

Comments

Gregory Szorc - May 8, 2017, 4:31 p.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1494261026 25200
#      Mon May 08 09:30:26 2017 -0700
# Branch stable
# Node ID b0371710232710900977ff5fef1ee44a8dae90f0
# Parent  1b27e1793156fc56850010342dbf07a99fba0307
sslutil: reference fingerprints config option properly (issue5559)

The config option is "host:fingerprints" not "host.fingerprints".

This warning message is bad and misleads users.
Gregory Szorc - May 8, 2017, 4:32 p.m.
Forgot to add STABLE to the email subject.

On Mon, May 8, 2017 at 9:31 AM, Gregory Szorc <gregory.szorc@gmail.com>
wrote:

> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1494261026 25200
> #      Mon May 08 09:30:26 2017 -0700
> # Branch stable
> # Node ID b0371710232710900977ff5fef1ee44a8dae90f0
> # Parent  1b27e1793156fc56850010342dbf07a99fba0307
> sslutil: reference fingerprints config option properly (issue5559)
>
> The config option is "host:fingerprints" not "host.fingerprints".
>
> This warning message is bad and misleads users.
>
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -825,7 +825,7 @@ def validatesocket(sock):
>                                'remove the old one from [hostfingerprints]
> '
>                                'to upgrade to a more secure SHA-256 '
>                                'fingerprint: '
> -                              '%s.fingerprints=%s)\n') % (
> +                              '%s:fingerprints=%s)\n') % (
>                                    host, host, nicefingerprint))
>                  return
>
> diff --git a/tests/test-https.t b/tests/test-https.t
> --- a/tests/test-https.t
> +++ b/tests/test-https.t
> @@ -383,7 +383,7 @@ Fingerprints
>  - works without cacerts (hostfingerprints)
>    $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config
> hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:
> 1c:9d:8f:5e:16:8e:ef:1c:03
>    warning: connecting to localhost using legacy security technology (TLS
> 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
> (?)
> -  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
> +  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
>    5fed3813f7f5
>
>  - works without cacerts (hostsecurity)
> @@ -398,7 +398,7 @@ Fingerprints
>  - multiple fingerprints specified and first matches
>    $ hg --config 'hostfingerprints.localhost=
> ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
> -R copy-pull id https://localhost:$HGPORT/ --insecure
>    warning: connecting to localhost using legacy security technology (TLS
> 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
> (?)
> -  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
> +  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
>    5fed3813f7f5
>
>    $ hg --config 'hostsecurity.localhost:fingerprints=sha1:
> ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:
> deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
> https://localhost:$HGPORT/
> @@ -408,7 +408,7 @@ Fingerprints
>  - multiple fingerprints specified and last matches
>    $ hg --config 'hostfingerprints.localhost=
> deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03'
> -R copy-pull id https://localhost:$HGPORT/ --insecure
>    warning: connecting to localhost using legacy security technology (TLS
> 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
> (?)
> -  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
> +  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
>    5fed3813f7f5
>
>    $ hg --config 'hostsecurity.localhost:fingerprints=sha1:
> deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:
> ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id
> https://localhost:$HGPORT/
> @@ -440,7 +440,7 @@ Fingerprints
>  - ignores that certificate doesn't match hostname
>    $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config
> hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
>    warning: connecting to $LOCALIP using legacy security technology (TLS
> 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
> (?)
> -  (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
> +  (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: $LOCALIP:fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
>    5fed3813f7f5
>
>  Ports used by next test. Kill servers.
> @@ -579,7 +579,7 @@ Test https with cacert and fingerprint t
>    $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull
> https://localhost:$HGPORT/ --config hostfingerprints.localhost=
> ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
>    pulling from https://*:$HGPORT/ (glob)
>    warning: connecting to localhost using legacy security technology (TLS
> 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
> (?)
> -  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
> +  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints]
> section; if you trust this fingerprint, set the following config value in
> [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to
> a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:
> 20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:
> 9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
>    searching for changes
>    no changes found
>
>
Augie Fackler - May 8, 2017, 6:22 p.m.
On Mon, May 08, 2017 at 09:31:22AM -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1494261026 25200
> #      Mon May 08 09:30:26 2017 -0700
> # Branch stable
> # Node ID b0371710232710900977ff5fef1ee44a8dae90f0
> # Parent  1b27e1793156fc56850010342dbf07a99fba0307
> sslutil: reference fingerprints config option properly (issue5559)

queued, thanks

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -825,7 +825,7 @@  def validatesocket(sock):
                               'remove the old one from [hostfingerprints] '
                               'to upgrade to a more secure SHA-256 '
                               'fingerprint: '
-                              '%s.fingerprints=%s)\n') % (
+                              '%s:fingerprints=%s)\n') % (
                                   host, host, nicefingerprint))
                 return
 
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -383,7 +383,7 @@  Fingerprints
 - works without cacerts (hostfingerprints)
   $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
+  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5
 
 - works without cacerts (hostsecurity)
@@ -398,7 +398,7 @@  Fingerprints
 - multiple fingerprints specified and first matches
   $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
+  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5
 
   $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
@@ -408,7 +408,7 @@  Fingerprints
 - multiple fingerprints specified and last matches
   $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
+  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5
 
   $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
@@ -440,7 +440,7 @@  Fingerprints
 - ignores that certificate doesn't match hostname
   $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
   warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
+  (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5
 
 Ports used by next test. Kill servers.
@@ -579,7 +579,7 @@  Test https with cacert and fingerprint t
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
   pulling from https://*:$HGPORT/ (glob)
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
+  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   searching for changes
   no changes found