Re: [PATCH 4 of 4] sslutil: inform the user about how to fix an incomplete certificate chain

2017-07-14 Thread Augie Fackler 
On Thu, Jul 13, 2017 at 06:40:08PM -0400, Matt Harbison wrote:
> # HG changeset patch
> # User Matt Harbison 
> # Date 1499899033 14400
> #  Wed Jul 12 18:37:13 2017 -0400
> # Node ID 2000c901f306bc051b3d4fe5f89176f164933f6d
> # Parent  f931e230e7265b024e823c32b50a3167dd9e43a4
> sslutil: inform the user about how to fix an incomplete certificate chain

queued, thanks


(ugh, what a mess)
___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel

[PATCH 4 of 4] sslutil: inform the user about how to fix an incomplete certificate chain

2017-07-13 Thread Matt Harbison 
# HG changeset patch
# User Matt Harbison 
# Date 1499899033 14400
#  Wed Jul 12 18:37:13 2017 -0400
# Node ID 2000c901f306bc051b3d4fe5f89176f164933f6d
# Parent  f931e230e7265b024e823c32b50a3167dd9e43a4
sslutil: inform the user about how to fix an incomplete certificate chain

This is a Windows only thing.  Unfortunately, the socket is closed at this point
(so the certificate is unavailable to check the chain).  That means it's printed
out when verification fails as a guess, on the assumption that 1) most of the
time verification won't fail, and 2) sites using expired or certs that are too
new will be rare.  Maybe this is an argument for adding more functionality to
debugssl, to test for problems and print certificate info.  Or maybe it's an
argument for bundling certificates with the Windows builds.  That idea was set
aside when the enhanced SSL code went in last summer, and it looks like there
were issues with using certifi on Windows anyway[1].

This was tested by deleting the certificate out of certmgr.msc > "Third-Party
Root Certification Authorities" > "Certificates", seeing `hg pull` fail (with
the new message), trying this command, and then successfully performing the pull
command.

[1] 
https://www.mercurial-scm.org/pipermail/mercurial-devel/2016-October/089573.html

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -475,6 +475,12 @@ def wrapsocket(sock, keyfile, certfile, 
 ui.warn(_(
 '(see https://mercurial-scm.org/wiki/SecureConnections 
'
 'for more info)\n'))
+
+elif (e.reason == 'CERTIFICATE_VERIFY_FAILED' and
+pycompat.osname == 'nt'):
+
+ui.warn(_('(the full certificate chain may not be available '
+  'locally; see "hg help debugssl")\n'))
 raise
 
 # check if wrap_socket failed silently because socket had been
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -84,6 +84,7 @@ we are able to load CA certs.
   $ hg clone https://localhost:$HGPORT/ copy-pull
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (using CA certificates from *; if you see this message, your Mercurial 
install is not properly configured; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
+  (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
@@ -128,6 +129,7 @@ A per-host certificate mismatching the s
   $ hg --config 
hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone 
https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (an attempt was made to load CA certificates but none were loaded; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this error)
+  (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
 #else
@@ -295,6 +297,7 @@ cacert mismatch
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
   pulling from https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
+  (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
@@ -313,6 +316,7 @@ Test server cert which isn't valid yet
   > https://localhost:$HGPORT1/
   pulling from https://localhost:$HGPORT1/
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
+  (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
 
@@ -324,6 +328,7 @@ Test server cert which no longer is vali
   > https://localhost:$HGPORT2/
   pulling from https://localhost:$HGPORT2/
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
+  (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
 
@@ -578,12 +583,14 @@ Test https with cert problems through pr
   > --config web.cacerts="$CERTSDIR/pub-other.pem"
   pulling from https://localhost:$HGPORT/