Bug 460052 - [MozillaBuild] Fix hg (or Python or ssl lib) to check SSL cert
Status: Closed (RESOLVED FIXED)
Opened 16 years ago, closed 11 years ago
Categories: Firefox Build System :: MozillaBuild, task
Tracking: Not tracked
People: Reporter BenB, Unassigned
Description (reporter, 16 years ago):
Philor claims in Bug 450645 comment 23 that Python 2.5 and earlier do not verify certificates when making https connections, which makes SSL vulnerable to MITM attacks, which we should prevent when fetching from the source repository. See bug 450645.
So, please, *either*:
- verify that this claim was wrong and Python 2.4 is not actually that stupid and does not entirely miss the point of SSL/HTTPS
- include a different SSL library (philor mentions py25-socket-ssl and possibly others) in MozillaBuild, which does it securely
- upgrade MozillaBuild to Python 2.6
Updated (16 years ago):
Component: Build Config → MozillaBuild
Product: Core → mozilla.org
QA Contact: build-config → mozillabuild
Version: Trunk → other
Comment 1 (16 years ago):
I'm not likely to do the verification, so feel free to list results here.
Updated (16 years ago):
OS: Linux → Windows XP
Comment 2 (reporter, 16 years ago):
------- Comment #31 From Gavin Sharp 2008-10-15 10:59:50 PDT -------
https://www.g4v.org/hg/ serves an empty hg repository with a mismatched cert,
in case that's useful for testing (cert only matches the non-"www." version).
|hg clone https://www.g4v.org/hg/| succeeds using mercurial 1.0.
------- Comment #32 From Phil Ringnalda (:philor) 2008-10-16 08:36:43 PDT -------
http://www.heikkitoivonen.net/blog/2008/10/14/ssl-in-python-26/ - see the
"Clients" section, where Heikki talks about how Python 2.6's ssl module leaves
hostname checking to the client application. So you need a dependency on a new
version of Mercurial which either only runs on 2.6+ and does hostname checking
itself, or bundles a third-party alternative, and in either case doesn't
provide any fallback to insecure "Secure"SL, which is likely to be a hard sell.
------- Comment #33 From Dirkjan Ochtman (:djc) 2008-10-16 08:56:22 PDT -------
See also http://www.selenic.com/mercurial/bts/issue1174 ...
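The gap philor describes above (chain validation done by the ssl module, hostname matching left to the caller) is easiest to see in code. The following is an added example, not code from this bug, from Python, or from Mercurial: it implements the application-side hostname check against the dictionary shape `SSLSocket.getpeercert()` returns, and shows where that check has to sit in a connection routine. The two certificate dictionaries are constructed samples (the first mimics the g4v.org mismatch from Gavin's comment, with a cert for `g4v.org` but not `www.g4v.org`); none of them are real certificates, and `open_verified_socket` is an illustrative helper name.

```python
import socket
import ssl

# Constructed sample, not a real certificate: the shape getpeercert() returns
# for a cert issued to g4v.org only, as in the mismatched-cert test repo.
MISMATCHED_CERT = {
    "subject": ((("commonName", "g4v.org"),),),
    "subjectAltName": (("DNS", "g4v.org"),),
}

# Constructed sample with a wildcard SAN plus the bare domain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard only as the
    entire leftmost label, never against a bare registrable domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Reject "h*.example.org", "*.org" and patterns with more than one "*".
    if plabels[0] != "*" or len(plabels) < 3 or "*" in plabels[1:]:
        return False
    if len(hlabels) != len(plabels):
        return False  # "*.example.org" covers one label, not "a.b.example.org"
    return plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """True if hostname is covered by the cert's dNSName SANs; falls back to
    the subject commonName only when the cert carries no dNSName SAN.
    Raises if no certificate was presented at all (CERT_NONE in effect)."""
    if not cert:
        raise ssl.SSLError("no peer certificate (was CERT_REQUIRED set?)")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(p, hostname) for p in names)


def open_verified_socket(host, port, cafile):
    """Illustrative helper (assumed name): validate the chain against cafile,
    then perform the hostname check in the application, which is the step a
    2.6-era ssl.wrap_socket(cert_reqs=CERT_REQUIRED) caller had to add.
    Modern Python performs this check itself while check_hostname stays True;
    it is switched off here only to show where the check belongs. Needs a
    network, so it is not exercised by the offline test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not match_hostname(tls.getpeercert(), host):
        tls.close()
        raise ssl.CertificateError("certificate is not valid for %r" % host)
    return tls
```

Without the `match_hostname` step, any certificate chaining to a trusted CA is accepted for any host, which is exactly the MITM case the bug is about: chain validation alone proves the peer holds some valid certificate, not that it is the server you asked for.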
Comment 3 (reporter, 16 years ago):
Most interesting comment from <http://www.selenic.com/mercurial/bts/issue1174>:
It may be possible to make a quick hack around the problem by opening a pipe to
'openssl s_client -connect server:port' and using that for communications. This
is pretty analogous to what we do for ssh, actually.
Comment 4 (16 years ago):
I'm not installing bleeding edge versions of Python or Hg into MozillaBuild just to get this. Sorry. We can revisit when they get their ducks in a row. Just pull over ssh if you're concerned about security currently.
Comment 5 (reporter, 16 years ago):
Ted, that's not what I propose. See comment 3. It sounds that this would be a fairly small modification of hg. And openssl should be commonly available.
Comment 6 (16 years ago):
That's fine. Let me know when Mercurial releases a stable version with that patch in it.
Comment 7 (reporter, 16 years ago):
I am proposing that we fix it and ship a modified hg version.
Summary: [MozillaBuild] Upgrade to Python 2.6 or "py25-socket-ssl" → [MozillaBuild] Fix hg (or Python or ssl lib) to check SSL cert
Comment 8 (16 years ago):
We're not doing that.
Comment 9 (16 years ago):
As I said, I'm not going to modify software to pick this up. If you can get a patch upstreamed, we can certainly get a newer version of Python or Hg to support this, but we don't ship modified versions of software in MozillaBuild.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Comment 10 (14 years ago):
http://mercurial.selenic.com/bts/issue1174 has been marked as resolved.
Reopen?
Comment 11 (reporter, 14 years ago):
> As I said, I'm not going to modify software to pick this up.
> we don't ship modified versions of software in MozillaBuild.
That was the reason for the closure, which is now moot.
> If you can get a patch upstreamed, we can certainly get a newer
> version of Python or Hg to support this
That is now true.
- hg client was fixed last February (no idea which release this change went in).
- We'd need Python 2.6, but that's possible (compare bug 550959)
- We'd need to ship the CA cert list, and pass that to hg.
Either use an existing one, or a copy of the Mozilla CA list verbatim,
or better yet a CA list which has only the one CA from which
hg.mozilla.org gets its cert (that would be more secure).
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Updated (reporter, 14 years ago):
Status: REOPENED → NEW
Comment 12 (14 years ago):
MozillaBuild ships a CA cert list (built from the Mozilla CA list) for wget to use, we could probably use that.
MozillaBuild is already shipping Python 2.6 (but the Mercurial it ships is built as a standalone binary, so I don't think that matters).
So presumably we'd just need to wait until that patch ships in a stable Mercurial release, and then add some configuration for hg to use the CA cert list.
Comment 13 (14 years ago):
It's in Mercurial 1.5+.
Comment 14 (14 years ago):
Oh, cool. Since we're shipping 1.5.4, then, presumably it's just a matter of adding some settings to Mercurial.ini to point it at the CA certs bundle. Currently the certs are in mozilla-build/wget/ca-bundle.crt:
http://hg.mozilla.org/mozilla-build/file/77a891cb3991/ca-bundle.crt
And we stick the install location into wget.ini at install time:
http://hg.mozilla.org/mozilla-build/file/77a891cb3991/installit.nsi#l22
If Hg can use the certs in that same format, then it's probably just a matter of adding another block in the installer to add the cert path to Mercurial.ini. If not, then we'll have to add certs in the right format.
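Comments 11 and 14 above describe two installer-side pieces: a CA list for hg to trust (ideally narrowed to the one CA that issues hg.mozilla.org's certificate) and a `Mercurial.ini` entry pointing at it. The following is an added example, not code from this bug or from the MozillaBuild installer, that does both offline. The setting name `[web] cacerts` is the Mercurial client option documented for this purpose; the bundle layout (name line, `===` underline, PEM block) follows the curl-style ca-bundle.crt that comment 14 links, and `SAMPLE_BUNDLE` is a constructed sample whose base64 bodies are placeholders, not real certificates. The install path and the function names are assumptions.

```python
import configparser
import io

# Constructed sample in the layout of a curl/mk-ca-bundle style ca-bundle.crt.
# The PEM bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
Example Root CA
===============
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERexampleRootCA
-----END CERTIFICATE-----

Other Root CA
=============
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERotherRootCA
-----END CERTIFICATE-----
"""


def parse_bundle(text):
    """Return [(label, pem_block), ...] in file order. The label is the last
    non-blank, non-underline line seen before the BEGIN marker."""
    entries, label, pem = [], "unnamed", None
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
        elif pem is not None:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                entries.append((label, "\n".join(pem)))
                pem, label = None, "unnamed"
        elif line.strip() and not set(line.strip()) <= {"="}:
            label = line.strip()
    if pem is not None:
        raise ValueError("truncated PEM block at end of bundle")
    return entries


def pin_to_ca(text, ca_name):
    """Build a bundle holding only the named CA (comment 11's narrower list).
    Insist on exactly one match so a typo cannot silently yield an empty
    trust store, which hg would treat as 'verify against nothing'."""
    chosen = [pem for label, pem in parse_bundle(text) if label == ca_name]
    if len(chosen) != 1:
        raise ValueError("expected exactly one CA named %r, found %d"
                         % (ca_name, len(chosen)))
    return chosen[0] + "\n"


def render_mercurial_ini(cacerts_path, existing=""):
    """Return Mercurial.ini text with [web] cacerts set to the bundle path,
    keeping any sections already present in `existing` (e.g. [ui])."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep key case as written
    cp.read_string(existing)
    if not cp.has_section("web"):
        cp.add_section("web")
    cp.set("web", "cacerts", cacerts_path)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def cacerts_from_ini(ini_text):
    """Read back the configured path, as a post-install sanity check."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp.get("web", "cacerts")


if __name__ == "__main__":
    # Assumed install location; the real installer substitutes its own.
    path = r"C:\mozilla-build\wget\ca-bundle.crt"
    print(render_mercurial_ini(path, "[ui]\nusername = build@example.org\n"))
    print(pin_to_ca(SAMPLE_BUNDLE, "Example Root CA"))
```

Two caveats worth keeping in mind when wiring this into an installer: the Mercurial releases discussed in this bug skip verification rather than fail when `web.cacerts` is unset, so the setting has to be present for every user, and a pinned single-CA bundle has to be refreshed whenever hg.mozilla.org moves to a different issuer, or clones start failing closed.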
Comment 15 (12 years ago):
We now ship Python 2.7.2 and Mercurial 1.9.1 in MozillaBuild 1.6.1.
Comment 16 (12 years ago):
Yeah, so this is probably just a matter of fixing what I said in comment 14.
Comment 17 (11 years ago):
Is this different from http://hg.mozilla.org/mozilla-build/file/efb71fed5c28/installit.nsi#l39 ?
Comment 18 (11 years ago):
Probably fixed by bug 679808.
Updated (11 years ago):
Status: NEW → RESOLVED
Closed: 16 years ago → 11 years ago
Resolution: --- → FIXED
Updated (2 years ago):
Product: mozilla.org → Firefox Build System