Cannot pull/push to https server with self-signed certificate

Yuya Nishihara yuya at tcha.org
Mon Jan 10 08:13:26 CST 2011


Gilles Moris wrote:
> On Sunday 09 January 2011 08:30:49 pm timeless wrote:
> > On Sun, Jan 9, 2011 at 9:09 PM, Yuya Nishihara <yuya at tcha.org> wrote:
> > >> On Sun, Jan 9, 2011 at 8:11 PM, Yuya Nishihara <yuya at tcha.org> wrote:
> > >> > If you have a list of trusted hosts, and have certificates,
> > >> > you can use them in place of global root cacerts, maybe.
> > >>
> > >> global root management is a disaster.
> > >
> > > Oops, I tried to mean if we have something like the following hgrc:
> > >
> > >    [auth]
> > >    foo.prefix = foo.example.org
> > >    foo.cacerts = path/to/cert.pem or inline certificate data
> > >
> > > we can just use foo.cacerts instead of web.cacerts when connecting to
> > > foo.example.org, instead of "disable any validation (cacerts=None)".
> > >
> > > Or I completely misread the story?
> >
> > no, my fault, i misread 'in place of global root cacerts'. thanks for
> > clarifying
> 
> Unfortunately, this might not be sufficient for the validation to succeed.
> Usually, the auto-generated certificates are using localhost.localdomain for
> the fully qualified address, and this will be rejected by the validation
> algorithm as it will not match the real fully qualified address.

In that case, I think it's better to bypass only _verifycert().
If the pair of cacert and servercert is a private one, it won't need to
verify the commonName field.

Yuya,
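
As an added example, not code from the thread or from Mercurial itself, here is a small model of the per-host cacerts lookup sketched above: `[auth]` groups are matched against the target URL by longest prefix (scheme stripped, boundary enforced so `foo.example.org` does not match `foo.example.org.evil.test`), and a miss falls back to `web.cacerts` rather than to "no validation". The hgrc text and the certificate paths are constructed; `make_context` assumes the path names a real PEM file and is where the "bypass only the hostname check" idea from the reply would live.

```python
import configparser
import ssl
from urllib.parse import urlsplit

# Constructed hgrc, laid out like the [auth] proposal in the thread.
HGRC = """
[web]
cacerts = /etc/ssl/certs/ca-bundle.pem

[auth]
foo.prefix = foo.example.org
foo.cacerts = /home/me/certs/foo-ca.pem
bar.prefix = https://bar.example.org/hg/private
bar.cacerts = /home/me/certs/bar-ca.pem
"""

def load_auth_groups(text):
    """Return ({group: {field: value}}, web.cacerts or None)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    groups = {}
    if cp.has_section("auth"):
        for key, value in cp.items("auth"):
            name, _, field = key.partition(".")
            groups.setdefault(name, {})[field] = value
    return groups, cp.get("web", "cacerts", fallback=None)

def _host_path(s):
    """Normalise 'scheme://host/path' or 'host/path' to 'host/path'."""
    if "://" in s:
        parts = urlsplit(s)
        return parts.netloc + parts.path
    return s

def cacerts_for(url, groups, web_cacerts):
    """Longest-prefix match over [auth] groups; fall back to web.cacerts."""
    target = _host_path(url).rstrip("/")
    best, best_len = None, -1
    for g in groups.values():
        p = _host_path(g.get("prefix", "")).rstrip("/")
        # Boundary check: prefix must cover the whole host or end at a '/'.
        if p and (target == p or target.startswith(p + "/")) and len(p) > best_len:
            best, best_len = g, len(p)
    if best and best.get("cacerts"):
        return best["cacerts"], "auth"
    return web_cacerts, "web"

def make_context(cacerts, check_hostname=True):
    """Verifying TLS context; cacerts is assumed to be a readable PEM bundle."""
    ctx = ssl.create_default_context(cafile=cacerts)
    ctx.verify_mode = ssl.CERT_REQUIRED          # chain is always checked
    ctx.check_hostname = check_hostname          # False only for a private CA/server pair
    return ctx
```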


More information about the Mercurial-devel mailing list