[MozillaBuild] Fix hg (or Python or ssl lib) to check SSL cert

RESOLVED FIXED

(Reporter: BenB, Unassigned)

(Reporter)

Description

10 years ago
Philor claims in Bug 450645 comment 23 that Python 2.5 and earlier do not verify certificates when making https connections, which makes SSL vulnerable to MITM attacks, which we should prevent when fetching from the source repository. See bug 450645.

So, please, *either*:
- verify that this claim was wrong and Python 2.4 is not actually that stupid and does not entirely miss the point of SSL/HTTPS
- include a different SSL library (philor mentions py25-socket-ssl and possibly others) in MozillaBuild, which does it securely
- upgrade MozillaBuild to Python 2.6
Component: Build Config → MozillaBuild
Product: Core → mozilla.org
QA Contact: build-config → mozillabuild
Version: Trunk → other
I'm not likely to do the verification, so feel free to list results here.
OS: Linux → Windows XP
(Reporter)

Comment 2

10 years ago
------- Comment #31 From Gavin Sharp 2008-10-15 10:59:50 PDT -------

https://www.g4v.org/hg/ serves an empty hg repository with a mismatched cert,
in case that's useful for testing (cert only matches the non-"www." version).

|hg clone https://www.g4v.org/hg/| succeeds using mercurial 1.0.

------- Comment #32 From Phil Ringnalda (:philor) 2008-10-16 08:36:43 PDT -------

http://www.heikkitoivonen.net/blog/2008/10/14/ssl-in-python-26/ - see the
"Clients" section, where Heikki talks about how Python 2.6's ssl module leaves
hostname checking to the client application. So you need a dependency on a new
version of Mercurial which either only runs on 2.6+ and does hostname checking
itself, or bundles a third-party alternative, and in either case doesn't
provide any fallback to insecure "Secure"SL, which is likely to be a hard sell.

------- Comment #33 From Dirkjan Ochtman (:djc) 2008-10-16 08:56:22 PDT -------

See also http://www.selenic.com/mercurial/bts/issue1174 ...
(Reporter)

Updated

10 years ago
Blocks: 450645
(Reporter)

Comment 3

10 years ago
Most interesting comment from <http://www.selenic.com/mercurial/bts/issue1174>:
It may be possible to make a quick hack around the problem by opening a pipe to
'openssl s_client -connect server:port' and using that for communications. This
is pretty analogous to what we do for ssh, actually.
I'm not installing bleeding edge versions of Python or Hg into MozillaBuild just to get this. Sorry. We can revisit when they get their ducks in a row. Just pull over ssh if you're concerned about security currently.
(Reporter)

Comment 5

10 years ago
Ted, that's not what I propose. See comment 3. It sounds that this would be a fairly small modification of hg. And openssl should be commonly available.
That's fine. Let me know when Mercurial releases a stable version with that patch in it.
(Reporter)

Comment 7

10 years ago
I am proposing that we fix it and ship a modified hg version.
Summary: [MozillaBuild] Upgrade to Python 2.6 or "py25-socket-ssl" → [MozillaBuild] Fix hg (or Python or ssl lib) to check SSL cert
We're not doing that.
As I said, I'm not going to modify software to pick this up. If you can get a patch upstreamed, we can certainly get a newer version of Python or Hg to support this, but we don't ship modified versions of software in MozillaBuild.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WONTFIX

Comment 10

8 years ago
http://mercurial.selenic.com/bts/issue1174 has been marked as resolved.

Reopen?
(Reporter)

Comment 11

8 years ago
> As I said, I'm not going to modify software to pick this up.
> we don't ship modified versions of software in MozillaBuild.

That was the reason for the closure, which is now moot.

> If you can get a patch upstreamed, we can certainly get a newer
> version of Python or Hg to support this

That is now true.
- hg client was fixed last February (no idea which release this change went in).
- We'd need Python 2.6, but that's possible (compare bug 550959)
- We'd need to ship the CA cert list, and pass that to hg.
  Either use an existing one, or a copy of the Mozilla CA list verbatim,
  or better yet a CA list which has only the one CA from which
  hg.mozilla.org gets its cert (that would be more secure).
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
(Reporter)

Updated

8 years ago
Status: REOPENED → NEW
MozillaBuild ships a CA cert list (built from the Mozilla CA list) for wget to use, we could probably use that.

MozillaBuild is already shipping Python 2.6 (but the Mercurial it ships is built as a standalone binary, so I don't think that matters).

So presumably we'd just need to wait until that patch ships in a stable Mercurial release, and then add some configuration for hg to use the CA cert list.
It's in Mercurial 1.5+.
Oh, cool. Since we're shipping 1.5.4, then, presumably it's just a matter of adding some settings to Mercurial.ini to point it at the CA certs bundle. Currently the certs are in mozilla-build/wget/ca-bundle.crt:
http://hg.mozilla.org/mozilla-build/file/77a891cb3991/ca-bundle.crt
And we stick the install location into wget.ini at install time:
http://hg.mozilla.org/mozilla-build/file/77a891cb3991/installit.nsi#l22

If Hg can use the certs in that same format, then it's probably just a matter of adding another block in the installer to add the cert path to Mercurial.ini. If not, then we'll have to add certs in the right format.
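The two checks this thread keeps circling back to are the ones a client has to get right: verifying the chain against a CA bundle (the comment above, which wants hg pointed at ca-bundle.crt) and verifying that the presented certificate actually names the host (comment #32, quoted in comment 2, where Python 2.6's ssl module leaves that to the application; the www.g4v.org test server in comment #31 is exactly the mismatch case). The following is an added example written for this page, not code from the bug, from MozillaBuild or from Mercurial. It builds a verifying `ssl.SSLContext` that refuses to run without a usable bundle rather than falling back to an unverified connection, and implements the dNSName/CN hostname match as a stand-alone function run over constructed `getpeercert()`-style dictionaries. The certificate dictionaries and the function names are this example's own.

```python
"""Client-side TLS checks that the Python 2.x ssl module left to applications.

Added example for this bug page; not MozillaBuild or Mercurial code.
"""
import ssl


def make_verifying_context(cafile=None):
    """Return an SSLContext that verifies both the chain and the hostname.

    cafile: optional path to a PEM CA bundle, e.g. a copy of the Mozilla CA
    list or a narrower bundle holding only the CA that issued the server's
    certificate. With no cafile the platform trust store is used.
    A missing or unreadable bundle raises (OSError / ssl.SSLError) instead
    of silently downgrading to an unverified connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def context_is_strict(ctx):
    """True when ctx both requires a trusted chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _dns_name_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname (RFC 6125 subset).

    A wildcard is accepted only as the entire leftmost label, only when at
    least two labels follow it (no "*.com"), and it never spans a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """True if cert (in ssl.SSLSocket.getpeercert() dict form) is valid for
    hostname. dNSName SAN entries take precedence; the subject commonName is
    consulted only when the certificate carries no dNSName SAN at all."""
    names = [value for (kind, value) in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(name, hostname) for name in names)


# Constructed sample certificates, shaped like getpeercert() output.
# Modelled on the thread's test server: issued for g4v.org, not www.g4v.org.
G4V_CERT = {
    "subject": ((("commonName", "g4v.org"),),),
}
# Wildcard SAN plus bare name; the CN must be ignored because SANs exist.
WILDCARD_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
}

if __name__ == "__main__":
    for cert, host in [(G4V_CERT, "g4v.org"), (G4V_CERT, "www.g4v.org"),
                       (WILDCARD_CERT, "www.example.org"),
                       (WILDCARD_CERT, "a.b.example.org")]:
        print(host, "->", "ok" if match_hostname(cert, host) else "MISMATCH")
    print("strict context:", context_is_strict(make_verifying_context()))
```

For Mercurial itself the equivalent of `cafile` is the `web.cacerts` setting, which is what a Mercurial.ini block pointing at the shipped ca-bundle.crt would set; the explicit-failure behaviour of `make_verifying_context` is the property comment #32 asked for, namely that no insecure fallback exists when the bundle is absent.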
We now ship Python 2.7.2 and Mercurial 1.9.1 in MozillaBuild 1.6.1.
Yeah, so this is probably just a matter of fixing what I said in comment 14.
Status: NEW → RESOLVED
Last Resolved: 10 years ago → 4 years ago
Resolution: --- → FIXED