[Savannah-hackers-public] Mercurial/hg and savannah's HTTPS


From: Assaf Gordon
Subject: [Savannah-hackers-public] Mercurial/hg and savannah's HTTPS
Date: Thu, 12 Jan 2017 14:10:49 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

Hi,

A quick note for future reference:

Older 'hg' clients do not support SNI (Server Name Indication,
https://en.wikipedia.org/wiki/Server_Name_Indication ).
Savannah uses SNI to serve hg repositories over https (together with
cvs/svn/bzr and soon git).

The symptom is:

    $ hg clone https://hg.sv.gnu.org/hgweb/test-project/
    abort: hg.sv.gnu.org certificate error: certificate is for \
        bzr.savannah.gnu.org, bzr.savannah.nongnu.org, bzr.sv.gnu.org, \
        bzr.sv.nongnu.org
    (configure hostfingerprint \
       c0:50:9b:12:09:6c:d7:f4:7e:3e:7d:d8:eb:17:a3:8b:17:ad:36:77 or \
       use --insecure to connect insecurely)

Easily reproduced with:

    $ openssl s_client -connect hg.sv.gnu.org:443 < /dev/null 2>&1 \
         | grep ^subject
    subject=/CN=bzr.savannah.gnu.org

    $ openssl s_client -servername hg.sv.gnu.org \
                       -connect hg.sv.gnu.org:443 < /dev/null 2>&1 \
         | grep ^subject
    subject=/CN=hg.savannah.gnu.org

Also discussed here:
   https://www.mercurial-scm.org/wiki/SecureConnections


Possible workarounds include:
1. Use 'http' instead of 'https'

2. Use '--insecure' :
     hg clone --insecure https://hg.sv.gnu.org/hgweb/test-project/

3. Add the fingerprint to your '.hgrc' file:

    $ FP=c0:50:9b:12:09:6c:d7:f4:7e:3e:7d:d8:eb:17:a3:8b:17:ad:36:77
    $ cat<<EOF>>.hgrc
    [hostfingerprints]
    hg.sv.gnu.org = $FP
    hg.sv.nongnu.org = $FP
    hg.savannah.gnu.org = $FP
    hg.savannah.nongnu.org = $FP
    EOF

  (though note that this fingerprint might change in the future,
   and it's rather arbitrary that the 'bzr' certificate is used instead
   of another).

4. Upgrade 'hg' (and/or the underlying python setup).



comments welcomed,
 - assaf
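A defender-side check for the SNI behaviour shown above, plus the pinning stanza from workaround 3, added here as an example that is not part of the original message. It assumes openssl(1) 1.1.1 or newer (which sends SNI by default and has -noservername to omit it) and also emits the [hostsecurity] sha256 form that newer hg releases use in place of [hostfingerprints]; the script name sni-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl(1) >= 1.1.1,
# which sends SNI by default and needs -noservername to omit it.

# Subject of the leaf certificate a host presents; "sni" sends the hostname
# in the ClientHello, "nosni" omits it (what old hg clients do).
cert_subject() {
    case "$2" in
        sni)   opt="-servername $1" ;;
        nosni) opt="-noservername" ;;
        *)     echo "usage: cert_subject HOST sni|nosni" >&2; return 2 ;;
    esac
    openssl s_client $opt -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Fingerprint (sha1 or sha256) of the certificate served with SNI, in the
# lowercase colon-separated form hg expects.
sni_fingerprint() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -"$2" |
        sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Pinning stanza for one fingerprint and any number of hostnames: the legacy
# [hostfingerprints] form (sha1, as in the post) or [hostsecurity] (sha256,
# which newer hg releases use instead).
hg_pin_stanza() {
    algo=$1; fp=$2; shift 2
    if [ "$algo" = sha1 ]; then
        echo "[hostfingerprints]"
        for h in "$@"; do echo "$h = $fp"; done
    else
        echo "[hostsecurity]"
        for h in "$@"; do echo "$h:fingerprints = $algo:$fp"; done
    fi
}

# True when the host hands out a different certificate without SNI.
sni_dependent() {
    [ "$(cert_subject "$1" sni)" != "$(cert_subject "$1" nosni)" ]
}

# Usage: sh sni-check.sh hg.sv.gnu.org [alias ...]
if [ $# -gt 0 ]; then
    sni_dependent "$1" && echo "$1: certificate differs without SNI" >&2
    hg_pin_stanza sha256 "$(sni_fingerprint "$1" sha256)" "$@"
fi
```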


