mk-ca-bundle: use secure connection to hg.mozilla.org #1012

Closed

Wants to merge 1 commit into master

4 participants
@indygreg

indygreg commented Sep 14, 2016

Previously, connections to hg.mozilla.org were insecure and could be
subject to a MitM attack. With this change, someone has to MitM you
with a certificate signed by a trusted CA, which is a bit harder.

mk-ca-bundle: use secure connection to hg.mozilla.org
Previously, connections to hg.mozilla.org were insecure and could be
subject to a MitM attack. With this change, someone has to MitM you
with a certificate signed by a trusted CA, which is a bit harder.
@mention-bot

mention-bot commented Sep 14, 2016

@indygreg, thanks for your PR! By analyzing the annotation information on this pull request, we identified @bagder, @gknauf and @watson81 to be potential reviewers

@bagder

bagder (Member) commented Sep 14, 2016

It would only use HTTP instead of HTTPS if you don't have curl installed or your curl has a problem downloading the cert data using HTTPS. Maybe we should instead only try plain HTTP if allowed to with a dedicated command line option?

jay added a commit to jay/curl that referenced this pull request Sep 15, 2016

mk-ca-bundle: Change URL retrieval to HTTPS-only by default. draft1
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).

- New option -k to allow URLs other than HTTPS and enable HTTP fallback.

Prior to this change the default URL retrieval mode was to fall back to
HTTP if HTTPS didn't work.

Reported-by: Gregory Szorc
Bug: curl#1012
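The policy this commit describes (HTTPS-only by default, plain HTTP and other schemes only behind an explicit -k style opt-in, and no silent fallback), as an added POSIX sh example that is not curl's own mk-ca-bundle.pl or mk-ca-bundle.vbs code. It assumes certdata.txt is served at the hg.mozilla.org path shown (the thread only names the host) and that the local curl supports --proto and --proto-redir, which modern curl releases do; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not code from curl's mk-ca-bundle.pl or .vbs.
# Policy: fetch only over https:// unless the caller opts in to other
# schemes (the "-k" behaviour from the patch); never fall back silently.

# Assumed location of certdata.txt on hg.mozilla.org (the thread only
# names the host, not the path).
CERTDATA_URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"

# Print the URL scheme, lower-cased; fail if there is no "scheme://".
url_scheme() {
    case $1 in
        *://*) printf '%s\n' "${1%%://*}" | tr 'A-Z' 'a-z' ;;
        *)     return 1 ;;
    esac
}

# Return 0 if the URL may be fetched under the current policy.
#   $1 = URL, $2 = 1 if the user passed -k (insecure opt-in), else 0
# Default: https only. With -k: any scheme curl knows, including http,
# matching "-k to allow URLs other than HTTPS" from the commit message.
url_allowed() {
    scheme=$(url_scheme "$1") || return 1
    case $scheme in
        https) return 0 ;;
        *)     [ "$2" = 1 ] ;;
    esac
}

# Print the curl options for a fetch. In secure mode --proto pins the
# initial request to HTTPS and --proto-redir pins every redirect target,
# so a 301 pointing at http:// cannot downgrade the transfer; -f makes
# HTTP errors fail the run instead of writing an error page to the bundle.
curl_opts() {
    if [ "$1" = 1 ]; then
        printf '%s\n' "-fsSL"
    else
        printf '%s\n' "-fsSL --proto =https --proto-redir =https"
    fi
}

# Fetch certdata.txt into $2 under the policy, or fail loudly.
# Usage: fetch_certdata URL OUTFILE [INSECURE]
fetch_certdata() {
    url=$1; out=$2; insecure=${3:-0}
    if ! url_allowed "$url" "$insecure"; then
        echo "refusing non-HTTPS URL without -k: $url" >&2
        return 2
    fi
    # word-splitting curl_opts into separate arguments is intended
    curl $(curl_opts "$insecure") -o "$out" "$url"
}

# Uncomment to run for real (needs network access and a working curl):
# fetch_certdata "$CERTDATA_URL" certdata.txt
```

With the default policy an http:// URL is refused before curl is even started, and because --proto-redir is pinned as well, a server redirect from https:// to http:// fails the fetch rather than quietly completing it over plaintext. Only with the opt-in set does an http:// start URL (and Mozilla's later http-to-https 301) get followed at all.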
@jay

jay (Member) commented Sep 15, 2016

> It would only use HTTP instead of HTTPS if you don't have curl installed or your curl has a problem downloading the cert data using HTTPS. Maybe we should instead only try plain HTTP if allowed to with a dedicated command line option?

Definitely, see master...jay:mk-ca-bundle_https-only_by_default

@jay jay added the SSL/TLS label Sep 15, 2016

@bagder

bagder (Member) commented Sep 15, 2016

@jay : a big 👍 on that!

@bagder

I'd like to see @jay's approach either replace this or get merged into this version.

@bagder bagder closed this in 1ad2bdc Oct 24, 2016

@bagder

bagder (Member) commented Oct 24, 2016

I decided to go ahead and merge @jay's patch here since I think it was a good approach to this and makes mk-ca-bundle.pl better! Thanks both of you!

@jay

jay (Member) commented Oct 24, 2016

I forgot about this. I actually worked on the vbs too, I'll find it tomorrow (or today depending on where you're at) and merge it in.

@bagder

bagder (Member) commented Oct 24, 2016

Lovely. I've been pondering about removing the vbs version before as it hasn't gotten the same attention as the perl version, but if you're up to bringing it back to life I'm fine with that too!

jay added a commit that referenced this pull request Oct 30, 2016

mk-ca-bundle.vbs: Fix UTF-8 output
- Change initial message box to mention delay when downloading/parsing.

Since there is no progress meter it was somewhat unexpected that after
choosing a filename nothing appears to happen, when actually the cert
data is in the process of being downloaded and parsed.

- Warn if OpenSSL is not present.

- Use a UTF-8 stream to make the ca-bundle data.

- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.

---

This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
ANSI due to corrupt UTF-8 output, now fixed.

This change completes making the default certificate bundle output of
mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
should make it easier to review any difference between their output.

Ref: #1012

@indygreg indygreg deleted the indygreg:https-in-mk-ca-bundle branch Jan 27, 2017

@indygreg

indygreg commented Jan 27, 2017

I just wanted to give a heads up that http://hg.mozilla.org/ will HTTP 301 to https://hg.mozilla.org/ starting around 2017-02-01 0800 PST. I know mk-ca-bundle.pl is used in random places throughout the Internets. So if you hear about it breaking on Wednesday, that's probably why.

https://groups.google.com/d/msg/mozilla.dev.version-control/7A6WwhraKm4/QxRs2dw5BAAJ for the full announcement.

@bagder

bagder (Member) commented Jan 27, 2017

Ah right, thanks @indygreg. This will make the mk-ca-bundle.pl start to fail unconditionally unless curl is installed and working on the machine running the script. But I consider the switch a good thing nonetheless and such failures will help users to fix their stuff and get secure transfers going.

bagder added a commit that referenced this pull request Aug 18, 2017

http2_recv: return error better on fatal h2 errors
Ref #1012
Figured-out-by: Tatsuhiro Tsujikawa