mk-ca-bundle: use secure connection to hg.mozilla.org #1012

Closed
wants to merge 1 commit into
from

Projects

None yet

4 participants

@indygreg

Previously, connections to hg.mozilla.org were insecure and could be
subject to a MitM attack. With this change, someone has to MitM you
with a certificate signed by a trusted CA, which is a bit harder.

@indygreg indygreg mk-ca-bundle: use secure connection to hg.mozilla.org
Previously, connections to hg.mozilla.org were insecure and could be
subject to a MitM attack. With this change, someone has to MitM you
with a certificate signed by a trusted CA, which is a bit harder.
2e17fc9
@mention-bot

@indygreg, thanks for your PR! By analyzing the annotation information on this pull request, we identified @bagder, @gknauf and @watson81 to be potential reviewers

@bagder
Member
bagder commented Sep 14, 2016

It would only use HTTP instead of HTTPS if you don't have curl installed or your curl has a problem to download the cert data using HTTPS. Maybe we should instead only try plain HTTP if being allowed to with a dedicated command line option?

@jay jay added a commit to jay/curl that referenced this pull request Sep 15, 2016
@jay jay mk-ca-bundle: Change URL retrieval to HTTPS-only by default. draft1
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).

- New option -k to allow URLs other than HTTPS and enable HTTP fallback.

Prior to this change the default URL retrieval mode was to fall back to
HTTP if HTTPS didn't work.

Reported-by: Gregory Szorc
Bug: curl#1012
48d46ce
@jay
Member
jay commented Sep 15, 2016

It would only use HTTP instead of HTTPS if you don't have curl installed or your curl has a problem to download the cert data using HTTPS. Maybe we should instead only try plain HTTP if being allowed to with a dedicated command line option?

Definitely, see master...jay:mk-ca-bundle_https-only_by_default

@jay jay added the SSL/TLS label Sep 15, 2016
@bagder
Member
bagder commented Sep 15, 2016

@jay : a big 👍 on that!

@bagder

I'd like to see @jay's approach either replace this or getting merged into this version.

@jay jay was assigned by bagder Sep 24, 2016
@bagder bagder added a commit that closed this pull request Oct 24, 2016
@jay @bagder jay + bagder mk-ca-bundle: Change URL retrieval to HTTPS-only by default
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).

- New option -k to allow URLs other than HTTPS and enable HTTP fallback.

Prior to this change the default URL retrieval mode was to fall back to
HTTP if HTTPS didn't work.

Reported-by: Gregory Szorc

Closes #1012
1ad2bdc
@bagder bagder closed this in 1ad2bdc Oct 24, 2016
@bagder
Member
bagder commented Oct 24, 2016

I decided to go ahead and merge @jay's patch here since I think it was a good approach to this and makes mk-ca-bundle.pl better! Thanks both of you!

@jay
Member
jay commented Oct 24, 2016

I forgot about this. I actually worked on the vbs too, I'll find it tomorrow (or today depending on where you're at) and merge it in.

@bagder
Member
bagder commented Oct 24, 2016

Lovely. I've been pondering about removing the vbs version before as it hasn't gotten the same attention as the perl version, but if you're up to bringing it back to life I'm fine with that too!

@jay jay added a commit that referenced this pull request Oct 30, 2016
@jay jay mk-ca-bundle.vbs: Fix UTF-8 output
- Change initial message box to mention delay when downloading/parsing.

Since there is no progress meter it was somewhat unexpected that after
choosing a filename nothing appears to happen, when actually the cert
data is in the process of being downloaded and parsed.

- Warn if OpenSSL is not present.

- Use a UTF-8 stream to make the ca-bundle data.

- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.

---

This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
ANSI due to corrupt UTF-8 output, now fixed.

This change completes making the default certificate bundle output of
mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
should make it easier to review any difference between their output.

Ref: #1012
2e750ce
@indygreg indygreg deleted the indygreg:https-in-mk-ca-bundle branch Jan 27, 2017
@indygreg

I just wanted to give a heads up that http://hg.mozilla.org/ will HTTP 301 to https://hg.mozilla.org/ starting around 2017-02-01 0800 PST. I know mk-ca-bundle.pl is used in random places throughout the Internets. So if you hear about it breaking on Wednesday, that's probably why.

https://groups.google.com/d/msg/mozilla.dev.version-control/7A6WwhraKm4/QxRs2dw5BAAJ for the full announcement.

@bagder
Member
bagder commented Jan 27, 2017

Ah right, thanks @indygreg. This will make the mk-ca-bundle.pl start to fail unconditionally unless curl is installed and working on the machine running the script. But I consider the switch a good thing nonetheless and such failures will help users to fix their stuff and get secure transfers going.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment