Re: [PATCH 1 of 2] sslutil: tweak the legacy [hostfingerprints] warning message

2017-05-13 Thread Gregory Szorc
On Thu, May 11, 2017 at 6:43 PM, Matt Harbison 
wrote:

> On Thu, 11 May 2017 03:02:42 -0400, Gregory Szorc 
> wrote:
>
> # HG changeset patch
>> # User Gregory Szorc 
>> # Date 1494485377 25200
>> #  Wed May 10 23:49:37 2017 -0700
>> # Node ID fc01a88a85d64a3a440971c5e3b6c8f7db030170
>> # Parent  1ada3d18e7fbc9069910f2c036992d2f2b28e058
>> sslutil: tweak the legacy [hostfingerprints] warning message
>>
>> Lars Rohwedder noted in issue5559 that the previous wording was
>> confusing. I agree.
>>
>> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
>> --- a/mercurial/sslutil.py
>> +++ b/mercurial/sslutil.py
>> @@ -820,13 +820,11 @@ def validatesocket(sock):
>>  if settings['legacyfingerprint']:
>>  ui.warn(_('(SHA-1 fingerprint for %s found in legacy
>> '
>>'[hostfingerprints] section; '
>> -  'if you trust this fingerprint, set the '
>> -  'following config value in [hostsecurity]
>> and '
>> -  'remove the old one from
>> [hostfingerprints] '
>> -  'to upgrade to a more secure SHA-256 '
>> -  'fingerprint: '
>> -  '%s.fingerprints=%s)\n') % (
>> -  host, host, nicefingerprint))
>> +  'if you trust this fingerprint, remove the
>> old '
>> +  'SHA-1 fingerprint from [hostfingerprints]
>> and '
>> +  'add the following entry to the new '
>> +  '[hostsecurity] section:
>> %s.fingerprints=%s)\n') %
>> +(host, host, nicefingerprint))
>>  return
>> # Pinned fingerprint didn't match. This is a fatal error.
>>
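
Review bot: The added wording no longer says that the suggested entry is a SHA-256 fingerprint, which the removed text did ('to upgrade to a more secure SHA-256 fingerprint'). A reader who is told to remove a SHA-1 pin gets no cue that the replacement is a stronger digest rather than the same value in a new section; consider 'add the following SHA-256 entry to the new [hostsecurity] section'.
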
>
> I'm guessing it's because stable hasn't been merged since 5559, but
> s/%s.fingerprints/%s:fingerprints/ ?
>

I'll send a v2.
___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


Re: [PATCH 1 of 2] sslutil: tweak the legacy [hostfingerprints] warning message

2017-05-11 Thread Matt Harbison
On Thu, 11 May 2017 03:02:42 -0400, Gregory Szorc  
 wrote:



# HG changeset patch
# User Gregory Szorc 
# Date 1494485377 25200
#  Wed May 10 23:49:37 2017 -0700
# Node ID fc01a88a85d64a3a440971c5e3b6c8f7db030170
# Parent  1ada3d18e7fbc9069910f2c036992d2f2b28e058
sslutil: tweak the legacy [hostfingerprints] warning message

Lars Rohwedder noted in issue5559 that the previous wording was
confusing. I agree.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -820,13 +820,11 @@ def validatesocket(sock):
 if settings['legacyfingerprint']:
 ui.warn(_('(SHA-1 fingerprint for %s found in  
legacy '

   '[hostfingerprints] section; '
-  'if you trust this fingerprint, set the '
-  'following config value in [hostsecurity]  
and '
-  'remove the old one from  
[hostfingerprints] '

-  'to upgrade to a more secure SHA-256 '
-  'fingerprint: '
-  '%s.fingerprints=%s)\n') % (
-  host, host, nicefingerprint))
+  'if you trust this fingerprint, remove  
the old '
+  'SHA-1 fingerprint from  
[hostfingerprints] and '

+  'add the following entry to the new '
+  '[hostsecurity] section:  
%s.fingerprints=%s)\n') %

+(host, host, nicefingerprint))
 return
# Pinned fingerprint didn't match. This is a fatal error.
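
Review bot: The string passed to `_()` in `ui.warn` changes here, so any existing translation of this warning stops matching and falls back to the untranslated text until the catalogs are refreshed. Settle the final wording, including the suggested config entry, before this lands so translators only have to pick the message up once.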


I'm guessing it's because stable hasn't been merged since 5559, but  
s/%s.fingerprints/%s:fingerprints/ ?



[PATCH 1 of 2] sslutil: tweak the legacy [hostfingerprints] warning message

2017-05-11 Thread Gregory Szorc
# HG changeset patch
# User Gregory Szorc 
# Date 1494485377 25200
#  Wed May 10 23:49:37 2017 -0700
# Node ID fc01a88a85d64a3a440971c5e3b6c8f7db030170
# Parent  1ada3d18e7fbc9069910f2c036992d2f2b28e058
sslutil: tweak the legacy [hostfingerprints] warning message

Lars Rohwedder noted in issue5559 that the previous wording was
confusing. I agree.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -820,13 +820,11 @@ def validatesocket(sock):
 if settings['legacyfingerprint']:
 ui.warn(_('(SHA-1 fingerprint for %s found in legacy '
   '[hostfingerprints] section; '
-  'if you trust this fingerprint, set the '
-  'following config value in [hostsecurity] and '
-  'remove the old one from [hostfingerprints] '
-  'to upgrade to a more secure SHA-256 '
-  'fingerprint: '
-  '%s.fingerprints=%s)\n') % (
-  host, host, nicefingerprint))
+  'if you trust this fingerprint, remove the old '
+  'SHA-1 fingerprint from [hostfingerprints] and '
+  'add the following entry to the new '
+  '[hostsecurity] section: %s.fingerprints=%s)\n') 
%
+(host, host, nicefingerprint))
 return
 
 # Pinned fingerprint didn't match. This is a fatal error.
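
Review bot: The suggested entry in the last added string, `%s.fingerprints=%s`, puts a dot between the host and the option, while tests/test-https.t in this same patch sets the option as `hostsecurity.localhost:fingerprints=...`, that is `localhost:fingerprints` inside [hostsecurity]. The warning therefore tells users to paste a key in a different form from the one the tests exercise; change the format to `%s:fingerprints=%s` and update the expected output in the test file to match.
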
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -372,7 +372,7 @@ Fingerprints
 - works without cacerts (hostfingerprints)
   $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config 
hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; 
if you trust this fingerprint, set the following config value in [hostsecurity] 
and remove the old one from [hostfingerprints] to upgrade to a more secure 
SHA-256 fingerprint: 
localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
+  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; 
if you trust this fingerprint, remove the old SHA-1 fingerprint from 
[hostfingerprints] and add the following entry to the new [hostsecurity] 
section: 
localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5
 
 - works without cacerts (hostsecurity)
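
Review bot: In the expected `+` output the config entry is the last thing inside the parenthesised hint, so it renders as `...e4:92:af:7e)` with the closing parenthesis attached directly to the fingerprint. The text asks the user to add that entry to their config, and the `)` is easy to copy along with the value; consider ending the sentence before the entry or printing the entry on its own line.
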
@@ -387,7 +387,7 @@ Fingerprints
 - multiple fingerprints specified and first matches
   $ hg --config 
'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, 
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id 
https://localhost:$HGPORT/ --insecure
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; 
if you trust this fingerprint, set the following config value in [hostsecurity] 
and remove the old one from [hostfingerprints] to upgrade to a more secure 
SHA-256 fingerprint: 
localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
+  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; 
if you trust this fingerprint, remove the old SHA-1 fingerprint from 
[hostfingerprints] and add the following entry to the new [hostsecurity] 
section: 
localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5
 
   $ hg --config 
'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03,
 sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id 
https://localhost:$HGPORT/
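
Review bot: Nothing in this hunk checks that the entry printed by the warning is accepted when it is actually used. The expected `+` line advertises `localhost.fingerprints=sha256:...`, and the context command right below it configures the same section as `hostsecurity.localhost:fingerprints=sha1:...`, so the test passes while the two forms disagree. Add a step that passes the printed sha256 entry back through `--config hostsecurity...` and expects `5fed3813f7f5` with no legacy warning.
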
@@ -397,7 +397,7 @@ Fingerprints
 - multiple fingerprints specified and last matches
   $ hg --config 
'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 
ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id 
https://localhost:$HGPORT/ --insecure
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; 
if you trust this fingerprint, set the following config value in [hostsecurity] 
and remove the old one from [hostfingerprints] to upgrade to a more