[issue2811] ssl warning fingerprint or the documentation seems wrong

stackmagic bugs at mercurial.selenic.com
Sun May 15 05:15:33 CDT 2011


New submission from stackmagic <stackmagic at gmail.com>:

With an upgrade I started to get these SSL warnings. Now I just wanted to deal with those and after some reading, the plan was to put the following into my ~/.hgrc:
----- start -----
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

[hostfingerprints]
myserver = {fingerprint}
-----  end  -----

So public servers are checked through the cacerts and that one exception is set explicitly. The documentation says the fingerprint to use is the sha1 hash of the DER encoded server certificate (as documented here: http://www.selenic.com/mercurial/hgrc.5.html#hostfingerprints)

But, this does not work. Apparently Mercurial uses a different hash (and reports that in the SSL warnings on the command line) and I can't seem to find a matching hash (tried different md* and sha* algorithms) and I'd rather not blindly copy/paste the hash from the console, what is going on here?

Sometimes I'm behind a company proxy (using env variable $http_proxy) and sometimes I'm not. Behind the proxy, there is NO warning! Without proxy there is a warning... Another thing that puzzles me at the moment.

The fingerprint is determined using the cert exported from firefox (I tried DER and PEM), and then extracted via openssl: openssl x509 -in myserver.cert -inform DER -fingerprint -sha1. The cert is self-signed.

Mercurial: 1.7.5
Python: 2.7.1+
Openssl: 0.9.8o
KUbuntu natty

Is this a bug? What hashing algorithm is used by mercurial? Are the docs wrong?

Thanks

----------
messages: 16286
nosy: stackmagic
priority: bug
status: unread
title: ssl warning fingerprint or the documentation seems wrong

____________________________________________________
Mercurial issue tracker <bugs at mercurial.selenic.com>
<http://mercurial.selenic.com/bts/issue2811>
____________________________________________________
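
Added example, not part of the original report and not Mercurial's own code: computing the fingerprint the report quotes from the documentation (SHA-1 over the DER encoding of the certificate) from either a PEM or a DER export, and comparing it with a configured value regardless of colons or case. The function names and the sample bytes are assumptions made for this illustration; the sample is a constructed byte string, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate supplied as PEM or DER."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armor found: treat the input as DER already
    # Strip line breaks inside the armor, then decode strictly.
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def cert_fingerprint(data: bytes) -> str:
    """SHA-1 of the DER encoding, as colon-separated lowercase hex."""
    digest = hashlib.sha1(to_der(data)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons, whitespace and case so pasted values compare equal."""
    return re.sub(r"[\s:]", "", fp).lower()


def fingerprint_matches(configured: str, data: bytes) -> bool:
    """True if a configured fingerprint matches the certificate's."""
    return normalize(configured) == normalize(cert_fingerprint(data))


# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# The digest depends only on the bytes, which is enough to show the pitfall.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample-certificate-body"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("DER input:", cert_fingerprint(SAMPLE_DER))
    print("PEM input:", cert_fingerprint(SAMPLE_PEM))  # same as the DER line
    # Hashing the PEM text itself yields an unrelated digest.
    print("PEM text :", hashlib.sha1(SAMPLE_PEM).hexdigest())
```

Hashing the bytes of a PEM file directly, or telling a tool the wrong input encoding, produces a digest that will not match the one computed over the DER form.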

