Philor claims in Bug 450645 comment 23 that Python 2.5 and earlier do not verify certificates when making https connections, which makes SSL vulnerable to MITM attacks, which we should prevent when fetching from the source repository. See bug 450645. So, please, *either*:
- verify that this claim was wrong and Python 2.4 is not actually that stupid and does not entirely miss the point of SSL/HTTPS
- include a different SSL library (philor mentions py25-socket-ssl and possibly others) in MozillaBuild, which does it securely
- upgrade MozillaBuild to Python 2.6
Component: Build Config → MozillaBuild
Product: Core → mozilla.org
QA Contact: build-config → mozillabuild
Version: Trunk → other
I'm not likely to do the verification, so feel free to list results here.
------- Comment #31 From Gavin Sharp 2008-10-15 10:59:50 PDT -------
https://www.g4v.org/hg/ serves an empty hg repository with a mismatched cert, in case that's useful for testing (cert only matches the non-"www." version). |hg clone https://www.g4v.org/hg/| succeeds using mercurial 1.0.

------- Comment #32 From Phil Ringnalda (:philor) 2008-10-16 08:36:43 PDT -------
http://www.heikkitoivonen.net/blog/2008/10/14/ssl-in-python-26/ - see the "Clients" section, where Heikki talks about how Python 2.6's ssl module leaves hostname checking to the client application. So you need a dependency on a new version of Mercurial which either only runs on 2.6+ and does hostname checking itself, or bundles a third-party alternative, and in either case doesn't provide any fallback to insecure "Secure"SL, which is likely to be a hard sell.

------- Comment #33 From Dirkjan Ochtman (:djc) 2008-10-16 08:56:22 PDT -------
See also http://www.selenic.com/mercurial/bts/issue1174 ...
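The two checks comments 31 and 32 are about, as an added example (not code from this bug, from Mercurial, or from MozillaBuild): requiring a certificate that chains to a CA bundle, which Python 2.5 and earlier skipped, and matching the server name against the certificate, which the Python 2.6 ssl module left to the application. The hostname matcher is hand-rolled in RFC 2818 style so the block does not depend on ssl.match_hostname (removed in Python 3.12). The certificate dict is constructed to mimic what ssl.getpeercert() returns for a cert issued to g4v.org but not www.g4v.org; it is not the real g4v.org certificate, and verified_https_socket() needs network access, so only the matcher is exercised offline.

```python
import socket
import ssl


def _name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.  A wildcard is
    allowed only as the entire leftmost label and covers exactly one label,
    so *.example.org matches hg.example.org but neither example.org nor
    a.hg.example.org."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return True if `hostname` is covered by `cert`.

    `cert` is in the dict format ssl.getpeercert() returns.  DNS
    subjectAltName entries are authoritative; the subject commonName is
    consulted only when the certificate carries no DNS SANs at all.
    """
    dns_names = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, val in rdn:
                if key == "commonName":
                    dns_names.append(val)
    return any(_name_matches(name, hostname) for name in dns_names)


def verified_https_socket(hostname, port, ca_bundle, timeout=10):
    """Open a TLS connection that fails closed on an untrusted or
    mismatched certificate.  Chain validation is delegated to the ssl
    module against `ca_bundle`; the hostname check is done explicitly with
    hostname_matches() so the step Python 2.6 left to the application is
    visible.  Requires network access; not exercised by the offline test.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # done explicitly below
    ctx.verify_mode = ssl.CERT_REQUIRED   # the part Python <= 2.5 skipped
    ctx.load_verify_locations(cafile=ca_bundle)
    raw = socket.create_connection((hostname, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)
    cert = tls.getpeercert()
    if not hostname_matches(cert, hostname):
        tls.close()
        raise ssl.CertificateError("certificate does not match %r" % hostname)
    return tls


# Constructed peer certificate (assumption, not the real g4v.org cert):
# valid for the bare domain only, the situation described in comment 31.
G4V_CERT = {
    "subject": ((("commonName", "g4v.org"),),),
    "subjectAltName": (("DNS", "g4v.org"),),
}
```

With this check in place a clone of https://www.g4v.org/hg/ would be refused (the name is not covered), while https://g4v.org/hg/ would pass the name check and then stand or fall on chain validation against the bundle.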
Most interesting comment from <http://www.selenic.com/mercurial/bts/issue1174>: It may be possible to make a quick hack around the problem by opening a pipe to 'openssl s_client -connect server:port' and using that for communications. This is pretty analogous to what we do for ssh, actually.
I'm not installing bleeding edge versions of Python or Hg into MozillaBuild just to get this. Sorry. We can revisit when they get their ducks in a row. Just pull over ssh if you're concerned about security currently.
Ted, that's not what I propose. See comment 3. It sounds like this would be a fairly small modification of hg. And openssl should be commonly available.
That's fine. Let me know when Mercurial releases a stable version with that patch in it.
I am proposing that we fix it and ship a modified hg version.
Summary: [MozillaBuild] Upgrade to Python 2.6 or "py25-socket-ssl" → [MozillaBuild] Fix hg (or Python or ssl lib) to check SSL cert
We're not doing that.
As I said, I'm not going to modify software to pick this up. If you can get a patch upstreamed, we can certainly get a newer version of Python or Hg to support this, but we don't ship modified versions of software in MozillaBuild.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WONTFIX
http://mercurial.selenic.com/bts/issue1174 has been marked as resolved. Reopen?
> As I said, I'm not going to modify software to pick this up.
> we don't ship modified versions of software in MozillaBuild.

That was the reason for the closure, which is now moot.

> If you can get a patch upstreamed, we can certainly get a newer
> version of Python or Hg to support this

That is now true.
- hg client was fixed last February (no idea which release this change went in).
- We'd need Python 2.6, but that's possible (compare bug 550959)
- We'd need to ship the CA cert list, and pass that to hg. Either use an existing one, or a copy of the Mozilla CA list verbatim, or better yet a CA list which has only the one CA from which hg.mozilla.org gets its cert (that would be more secure).
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
MozillaBuild ships a CA cert list (built from the Mozilla CA list) for wget to use, we could probably use that. MozillaBuild is already shipping Python 2.6 (but the Mercurial it ships is built as a standalone binary, so I don't think that matters). So presumably we'd just need to wait until that patch ships in a stable Mercurial release, and then add some configuration for hg to use the CA cert list.
It's in Mercurial 1.5+.
Oh, cool. Since we're shipping 1.5.4, then, presumably it's just a matter of adding some settings to Mercurial.ini to point it at the CA certs bundle. Currently the certs are in mozilla-build/wget/ca-bundle.crt: http://hg.mozilla.org/mozilla-build/file/77a891cb3991/ca-bundle.crt And we stick the install location into wget.ini at install time: http://hg.mozilla.org/mozilla-build/file/77a891cb3991/installit.nsi#l22 If Hg can use the certs in that same format, then it's probably just a matter of adding another block in the installer to add the cert path to Mercurial.ini. If not, then we'll have to add certs in the right format.
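What the Mercurial.ini block described above would contain, as an added example (not MozillaBuild's own installer output): Mercurial reads its CA bundle from the web.cacerts setting, and the wget bundle is already in PEM format, so it can be reused as-is. The install path is an assumption; the installer substitutes the real location at install time.

```ini
; Added example, not the Mercurial.ini shipped by MozillaBuild.
; Make hg verify server certificates against the bundle wget already uses.
; The path is an assumption; installit.nsi writes the actual install location.
[web]
cacerts = C:\mozilla-build\wget\ca-bundle.crt
```

To check that the setting is honoured without editing the file, the same option can be passed on the command line, e.g. `hg --config web.cacerts=C:\mozilla-build\wget\ca-bundle.crt clone https://www.g4v.org/hg/`; against the mismatched certificate from comment 31, a verifying client should abort with a certificate error instead of succeeding silently.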
We now ship Python 2.7.2 and Mercurial 1.9.1 in MozillaBuild 1.6.1.
Yeah, so this is probably just a matter of fixing what I said in comment 14.
This is different than http://hg.mozilla.org/mozilla-build/file/efb71fed5c28/installit.nsi#l39 ?
Probably fixed by bug 679808.
Status: NEW → RESOLVED
Last Resolved: 10 years ago → 4 years ago
Resolution: --- → FIXED