Patchwork [v2] https: support tls sni (server name indication) for https urls (issue3090)

login
register
mail settings
Submitter Alex Orange
Date Jan. 14, 2015, 4:53 p.m.
Message ID <bc8f3b18a16a09daae88.1421254386@localhost>
Download mbox | patch
Permalink /patch/7450/
State Accepted
Commit 40d582ff434f3fdca4f78655503bb177388dda66
Headers show

Comments

Alex Orange - Jan. 14, 2015, 4:53 p.m.
# HG changeset patch
# User Alex Orange <crazycasta@gmail.com>
# Date 1421110880 25200
#      Mon Jan 12 18:01:20 2015 -0700
# Node ID bc8f3b18a16a09daae8882828c8f149d02377148
# Parent  b2358bc1407c19007b0e7852262f61d5fe7a8f83
https: support tls sni (server name indication) for https urls (issue3090)

SNI is a common way of sharing servers across multiple domains using separate
SSL certificates. As of Python 2.7.9 SSLContext has been backported from
Python 3. This patch changes sslutil's ssl_wrap_socket to use SSLContext and
take a server hostname as and argument. It also changes the url module to make
use of this argument.

The new code for 2.7.9 achieves it's task by attempting to get the SSLContext
object from the ssl module. If this fails the try/except goes back to what was
there before with the exception that the ssl_wrap_socket functions take a
server_hostname argument that doesn't get used. Assuming the SSLContext
exists, the arguments to wrap_socket at the module level are emulated on the
SSLContext. The SSLContext is initialized with the specified ssl_version. If
certfile is not None load_cert_chain is called with certfile and keyfile.
keyfile being None is not a problem, load_cert_chain will simply expect the
private key to be in the certificate file. verify_mode is set to cert_reqs. If
ca_certs is not None load_verify_locations is called with ca_certs as the
cafile. Finally the wrap_socket method of the SSLContext is called with the
socket and server hostname.

Finally, this fails test-check-commit-hg.t because the "new" function
ssl_wrap_socket has underscores in its names and underscores in its arguments.
All the underscore identifiers are taken from the other functions and as such
can't be changed to match naming conventions.
Augie Fackler - Jan. 14, 2015, 8:10 p.m.
On Wed, Jan 14, 2015 at 11:53 AM, Alex Orange <crazycasta@gmail.com> wrote:
> # HG changeset patch
> # User Alex Orange <crazycasta@gmail.com>
> # Date 1421110880 25200
> #      Mon Jan 12 18:01:20 2015 -0700
> # Node ID bc8f3b18a16a09daae8882828c8f149d02377148
> # Parent  b2358bc1407c19007b0e7852262f61d5fe7a8f83
> https: support tls sni (server name indication) for https urls (issue3090)


This patch looks good and I've got it queued. Many thanks!

Patch

diff -r b2358bc1407c -r bc8f3b18a16a mercurial/sslutil.py
--- a/mercurial/sslutil.py	Tue Jan 13 15:08:55 2015 -0500
+++ b/mercurial/sslutil.py	Mon Jan 12 18:01:20 2015 -0700
@@ -15,16 +15,40 @@ 
     import ssl
     CERT_REQUIRED = ssl.CERT_REQUIRED
     PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
-    def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
-                cert_reqs=ssl.CERT_NONE, ca_certs=None):
-        sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
-                                    cert_reqs=cert_reqs, ca_certs=ca_certs,
-                                    ssl_version=ssl_version)
-        # check if wrap_socket failed silently because socket had been closed
-        # - see http://bugs.python.org/issue13721
-        if not sslsocket.cipher():
-            raise util.Abort(_('ssl connection failed'))
-        return sslsocket
+    try:
+        ssl_context = ssl.SSLContext
+
+        def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
+                            cert_reqs=ssl.CERT_NONE, ca_certs=None,
+                            serverhostname=None):
+            sslcontext = ssl.SSLContext(ssl_version)
+            if certfile is not None:
+                sslcontext.load_cert_chain(certfile, keyfile)
+            sslcontext.verify_mode = cert_reqs
+            if ca_certs is not None:
+                sslcontext.load_verify_locations(cafile=ca_certs)
+
+            sslsocket = sslcontext.wrap_socket(sock,
+                                               server_hostname=serverhostname)
+            # check if wrap_socket failed silently because socket had been
+            # closed
+            # - see http://bugs.python.org/issue13721
+            if not sslsocket.cipher():
+                raise util.Abort(_('ssl connection failed'))
+            return sslsocket
+    except AttributeError:
+        def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
+                            cert_reqs=ssl.CERT_NONE, ca_certs=None,
+                            serverhostname=None):
+            sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
+                                        cert_reqs=cert_reqs, ca_certs=ca_certs,
+                                        ssl_version=ssl_version)
+            # check if wrap_socket failed silently because socket had been
+            # closed
+            # - see http://bugs.python.org/issue13721
+            if not sslsocket.cipher():
+                raise util.Abort(_('ssl connection failed'))
+            return sslsocket
 except ImportError:
     CERT_REQUIRED = 2
 
@@ -33,7 +57,8 @@ 
     import socket, httplib
 
     def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
-                        cert_reqs=CERT_REQUIRED, ca_certs=None):
+                        cert_reqs=CERT_REQUIRED, ca_certs=None,
+                        serverhostname=None):
         if not util.safehasattr(socket, 'ssl'):
             raise util.Abort(_('Python SSL support not found'))
         if ca_certs:
diff -r b2358bc1407c -r bc8f3b18a16a mercurial/url.py
--- a/mercurial/url.py	Tue Jan 13 15:08:55 2015 -0500
+++ b/mercurial/url.py	Mon Jan 12 18:01:20 2015 -0700
@@ -185,7 +185,8 @@ 
             self.sock.connect((self.host, self.port))
             if _generic_proxytunnel(self):
                 # we do not support client X.509 certificates
-                self.sock = sslutil.ssl_wrap_socket(self.sock, None, None)
+                self.sock = sslutil.ssl_wrap_socket(self.sock, None, None,
+                                                    serverhostname=self.host)
         else:
             keepalive.HTTPConnection.connect(self)
 
@@ -341,7 +342,7 @@ 
                 _generic_proxytunnel(self)
                 host = self.realhostport.rsplit(':', 1)[0]
             self.sock = sslutil.ssl_wrap_socket(
-                self.sock, self.key_file, self.cert_file,
+                self.sock, self.key_file, self.cert_file, serverhostname=host,
                 **sslutil.sslkwargs(self.ui, host))
             sslutil.validator(self.ui, host)(self.sock)