[Savannah-hackers-public] Mercurial/hg and savannah's HTTPS
From: Assaf Gordon
Subject: [Savannah-hackers-public] Mercurial/hg and savannah's HTTPS
Date: Thu, 12 Jan 2017 14:10:49 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

Hi,

A quick note for future reference:

Older 'hg' clients do not support SNI (Server Name Indication,
https://en.wikipedia.org/wiki/Server_Name_Indication ).
Savannah uses SNI to serve hg repositories over https (together with
cvs/svn/bzr and soon git).

The symptom is:

$ hg clone https://hg.sv.gnu.org/hgweb/test-project/
abort: hg.sv.gnu.org certificate error: certificate is for \
bzr.savannah.gnu.org, bzr.savannah.nongnu.org, bzr.sv.gnu.org, \
bzr.sv.nongnu.org
(configure hostfingerprint \
c0:50:9b:12:09:6c:d7:f4:7e:3e:7d:d8:eb:17:a3:8b:17:ad:36:77 or \
use --insecure to connect insecurely)

Easily reproduced with:

$ openssl s_client -connect hg.sv.gnu.org:443 < /dev/null 2>&1 \
| grep ^subject
subject=/CN=bzr.savannah.gnu.org

$ openssl s_client -servername hg.sv.gnu.org \
-connect hg.sv.gnu.org:443 < /dev/null 2>&1 \
| grep ^subject
subject=/CN=hg.savannah.gnu.org

Also discussed here:
https://www.mercurial-scm.org/wiki/SecureConnections

Possible workarounds include:

1. Use 'http' instead of 'https'

2. Use '--insecure':

hg clone --insecure https://hg.sv.gnu.org/hgweb/test-project/

3. Add the fingerprint to your '.hgrc' file:

$ FP=c0:50:9b:12:09:6c:d7:f4:7e:3e:7d:d8:eb:17:a3:8b:17:ad:36:77
$ cat<<EOF>>.hgrc
[hostfingerprints]
hg.sv.gnu.org = $FP
hg.sv.nongnu.org = $FP
hg.savannah.gnu.org = $FP
hg.savannah.nongnu.org = $FP
EOF

(though note that this fingerprint might change in the future,
and it's rather arbitrary that 'bzr' certificate is used instead
of another).

4. Upgrade 'hg' (and/or the underlying python setup).

comments welcomed,
- assaf
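
An added example, not part of the original message: a Python check that reads the [hostfingerprints] pins from an hgrc, fetches each host's certificate with and without SNI, and reports whether a pin matches only the default (non-SNI) certificate, as the pin in workaround 3 does, and so stops matching once the client is upgraded and sends SNI. The function names are hypothetical, and it assumes one SHA-1 fingerprint per host.

```python
import hashlib
import socket
import ssl

def sha1_fingerprint(der):
    """SHA-1 of a DER certificate, colon-separated as in [hostfingerprints]."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def read_pins(hgrc_text):
    """Return {host: lowercase fingerprint} from the [hostfingerprints] section."""
    pins, section = {}, None
    for line in hgrc_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif (section == "hostfingerprints" and "=" in line
              and not line.startswith(("#", ";"))):
            host, fp = line.split("=", 1)
            pins[host.strip()] = fp.strip().lower()
    return pins

def fetch_der(host, use_sni, port=443):
    """Fetch the certificate the server presents, with or without SNI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # inspection only, nothing is trusted here
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        name = host if use_sni else None   # None: no SNI extension is sent
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            return tls.getpeercert(binary_form=True)

def classify_pin(pin, der_no_sni, der_sni):
    """Say which of the two presented certificates a pin matches."""
    if pin == sha1_fingerprint(der_sni):
        return "matches-sni-cert"
    if pin == sha1_fingerprint(der_no_sni):
        return "matches-default-cert-only"   # fails once the client sends SNI
    return "stale"

def audit(hgrc_text, fetch=fetch_der):
    """Classify every pinned host; 'fetch' is replaceable for offline use."""
    return {host: classify_pin(pin, fetch(host, False), fetch(host, True))
            for host, pin in read_pins(hgrc_text).items()}

if __name__ == "__main__":
    import os
    with open(os.path.expanduser("~/.hgrc")) as f:
        for host, verdict in audit(f.read()).items():
            print(host, verdict)
```
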