Use SHA-2 (SHA-512) to store the certificate fingerprint instead of SHA-1

Because SHA-1 is not really relevant anymore. Too bad it's significantly longer and tiring to check, even if that is to be expected.

Use SHA-2 (SHA-512) to store the certificate fingerprint instead of SHA-1
Because SHA-1 is not really relevant anymore. Too bad it's significantly longer and tiring to check, even if that is to be expected.
8d2408c1 · mathieui · dc4f9cc3 · 8d2408c1 · 8d2408c1
Verified Commit 8d2408c1 authored Oct 08, 2014 by mathieui
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 14 deletions

doc/source/configuration.rst doc/source/configuration.rst +5 -2

src/core/handlers.py src/core/handlers.py +23 -12

No files found.
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -62,8 +62,11 @@ and certificate validation.

        **Default value:** ``[empty]``

-        The fingerprint of the SSL certificate as a hexadecimal string, you should
-        not touch it, except if know what you are doing.
+        The SHA-2 fingerprint of the SSL certificate as a hexadecimal string,
+        you should not touch it, except if know what you are doing.
+
+        .. note:: the fingerprint was previously stored in SHA-1, and has been
+                silently upgraded to SHA-2 if the SHA-1 still matched.

    ciphers


--- a/src/core/handlers.py
+++ b/src/core/handlers.py
@@ -8,7 +8,7 @@ log = logging.getLogger(__name__)
 import curses
 import ssl
 import time
-from hashlib import sha1
+from hashlib import sha1, sha512
 from gettext import gettext as _

 from sleekxmpp import InvalidJID
@@ -1069,16 +1069,27 @@ def validate_ssl(self, pem):
        config.set_and_save('certificate', cert)

    der = ssl.PEM_cert_to_DER_cert(pem)
-    digest = sha1(der).hexdigest().upper()
-    found_cert = ':'.join(i + j for i, j in zip(digest[::2], digest[1::2]))
+    sha1_digest = sha1(der).hexdigest().upper()
+    sha1_found_cert = ':'.join(i + j for i, j in zip(sha1_digest[::2], sha1_digest[1::2]))
+    sha2_digest = sha512(der).hexdigest().upper()
+    sha2_found_cert = ':'.join(i + j for i, j in zip(sha2_digest[::2], sha2_digest[1::2]))
    if cert:
-        if found_cert == cert:
-            log.debug('Cert %s OK', found_cert)
+        if sha1_found_cert == cert:
+            log.debug('Cert %s OK', sha1_found_cert)
+            log.debug('Current hash is SHA-1, moving to SHA-2 (%s)',
+                      sha2_found_cert)
+            config.set_and_save('certificate', sha2_found_cert)
+            return
+        elif sha2_found_cert == cert:
+            log.debug('Cert %s OK', sha2_found_cert)
            return
        else:
            saved_input = self.current_tab().input
-            log.debug('\nWARNING: CERTIFICATE CHANGED old: %s, new: %s\n', cert, found_cert)
-            input = windows.YesNoInput(text="WARNING! Server certificate has changed, accept? (y/n) (%s)" % found_cert)
+            log.debug('\nWARNING: CERTIFICATE CHANGED old: %s, new: %s\n', cert, sha2_found_cert)
+            self.information('New certificate found (sha-2 hash:'
+                             ' %s)\nPlease validate or abort' % sha2_found_cert,
+                             'Warning')
+            input = windows.YesNoInput(text="WARNING! Server certificate has changed, accept? (y/n)")
            self.current_tab().input = input
            input.resize(1, self.current_tab().width, self.current_tab().height-1, 0)
            input.refresh()
@@ -1089,16 +1100,16 @@ def validate_ssl(self, pem):
            self.current_tab().input = saved_input
            self.paused = False
            if input.value:
-                self.information('Setting new certificate: old: %s, new: %s' % (cert, found_cert), 'Info')
-                log.debug('Setting certificate to %s', found_cert)
-                if not config.silent_set('certificate', found_cert):
+                self.information('Setting new certificate: old: %s, new: %s' % (cert, sha2_found_cert), 'Info')
+                log.debug('Setting certificate to %s', sha2_found_cert)
+                if not config.silent_set('certificate', sha2_found_cert):
                    self.information(_('Unable to write in the config file'), 'Error')
            else:
                self.information('You refused to validate the certificate. You are now disconnected', 'Info')
                self.xmpp.disconnect()
    else:
-        log.debug('First time. Setting certificate to %s', found_cert)
-        if not config.silent_set('certificate', found_cert):
+        log.debug('First time. Setting certificate to %s', sha2_found_cert)
+        if not config.silent_set('certificate', sha2_found_cert):
            self.information(_('Unable to write in the config file'), 'Error')

 def _composing_tab_state(tab, state):