LibGit2: respect NetworkOptions.verify_host #38506

Merged
merged 1 commit into from
Nov 22, 2020


StefanKarpinski

No description provided.

@StefanKarpinski

Everything passed except aarch64 which has some numerical test failures that definitely aren't related. I'm gonna do some more testing before merge to make sure this is doing what I think it is, but at least it doesn't break anything.

@StefanKarpinski

StefanKarpinski commented Nov 22, 2020

Ok, so here's a way to test this using ghostunnel. First, set up the "client" side that connects to github.com:

ghostunnel client --target=github.com:443 --listen=localhost:1234 --disable-authentication

Next, generate a phony key/cert pair:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Then start the "server" side that serves incoming HTTPS connections and sends them through to the client:

sudo ghostunnel server --listen $ip:443 --target localhost:1234 --key key.pem --cert cert.pem --disable-authentication

Then you modify /etc/hosts on the machine you're running julia on to add this entry:

$ip github.com

With this configuration, the local machine will be man-in-the-middled for HTTPS connections to github.com. In order to test that this is correctly rejected by Pkg, you'll want to export JULIA_PKG_SERVER="" and delete ~/.julia/registries/General so that Pkg uses LibGit2 to clone the registry. Pkg should abort since it's getting man-in-the-middled. However, if you set JULIA_NO_VERIFY_HOSTS="github.com" then you should be able to clone the registry again, despite the man-in-the-middle attack.

This is useful because this kind of man-in-the-middle attack is exactly what is done behind many firewalls. If this kind of man-in-the-middle proxy is correctly set up, it is still secure (aside from the operator being able to snoop on your traffic) since the proxy will verify its outbound connections. In these situations the client systems should have a CA root certificate for the certificate that the proxy uses on the internal side, but sometimes that's misconfigured or not done.
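
A cleanup check for the test setup described in the comment above, as an added example that is not part of the PR or of Julia: it reports whether a hosts file still redirects a name and whether JULIA_NO_VERIFY_HOSTS is still set in the environment. The function names and the sample hosts content are constructed for illustration; the variable's value is reported as-is, not interpreted.

```shell
#!/bin/sh
# Added example: find leftovers of the test configuration (hosts override,
# disabled host verification) so they do not outlive the test.

# hosts_override FILE HOST
# Prints each address FILE maps HOST to; returns 0 if at least one entry exists.
hosts_override() {
    awk -v host="$2" '
        { sub(/#.*/, "") }                      # strip comments, fields are re-split
        NF >= 2 {
            for (i = 2; i <= NF; i++)           # field 1 is the address, the rest are names
                if (tolower($i) == tolower(host)) { print $1; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_julia_tls HOSTS_FILE HOST
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_julia_tls() {
    findings=0
    if addr=$(hosts_override "$1" "$2"); then
        echo "hosts-override: $2 -> $addr"
        findings=1
    fi
    # Only presence is checked; the value is echoed for the operator to review.
    if [ -n "${JULIA_NO_VERIFY_HOSTS:-}" ]; then
        echo "verification-disabled: JULIA_NO_VERIFY_HOSTS=$JULIA_NO_VERIFY_HOSTS"
        findings=1
    fi
    return "$findings"
}

# Constructed sample standing in for /etc/hosts (192.0.2.0/24 is a documentation range).
sample=$(mktemp)
printf '%s\n' \
    '127.0.0.1 localhost' \
    '# 192.0.2.99 github.com' \
    '192.0.2.10 github.com   # test entry' > "$sample"

audit_julia_tls "$sample" github.com || echo "leftover test configuration found"
rm -f "$sample"
```

On a real machine, pass /etc/hosts as the first argument and run it in the same shell session that launches julia, so the exported environment is the one being checked.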

@StefanKarpinski StefanKarpinski merged commit 5b76992 into master Nov 22, 2020
@StefanKarpinski StefanKarpinski deleted the sk/libgit2-no-verify-hosts branch November 22, 2020 19:37
@GunnarFarneback

This is not working right with ssh keys, as discussed on slack. To reproduce, try to add your own fork of General with git URL.

(@v1.6) pkg> registry add [email protected]:GunnarFarneback/General.git
     Cloning registry from "[email protected]:GunnarFarneback/General.git"
ERROR: failed to clone from [email protected]:GunnarFarneback/General.git, error: GitError(Code:ERROR, Class:Net, user cancelled hostkey check)

@StefanKarpinski

SSH issue should be fixed by #38563.

@GunnarFarneback

Confirmed, works well now.
