[PATCH] sslutil: per-host config option to define certificates

Yuya Nishihara yuya at tcha.org
Fri Jun 10 10:14:05 EDT 2016


On Thu, 9 Jun 2016 23:32:38 -0400, Augie Fackler wrote:
> On Tue, Jun 07, 2016 at 09:03:44PM -0700, Gregory Szorc wrote:
> > # HG changeset patch
> > # User Gregory Szorc <gregory.szorc at gmail.com>
> > # Date 1465356594 25200
> > #      Tue Jun 07 20:29:54 2016 -0700
> > # Node ID 323f0c9c91e02be86bde60620cec5f38020f4c86
> > # Parent  1b3a0b0c414faa3d6d4dbcf4c5abbbe18aa9efd4
> > sslutil: per-host config option to define certificates

> > +A per-host certificate mismatching the server will fail verification
> > +
> > +  $ hg --config hostsecurity.localhost:verifycertsfile=client-cert.pem clone https://localhost:$HGPORT/
> > +  abort: error: *certificate verify failed* (glob)
> > +  [255]
> > +
> > +A per-host certificate matching the server's cert will be accepted
> > +
> > +  $ hg --config hostsecurity.localhost:verifycertsfile=pub.pem clone -U https://localhost:$HGPORT/ perhostgood1
> > +  requesting all changes
> > +  adding changesets
> > +  adding manifests
> > +  adding file changes
> > +  added 1 changesets with 4 changes to 4 files
> > +
> > +A per-host certificate with multiple certs and one matching will be accepted
> > +
> > +  $ cat client-cert.pem pub.pem > perhost.pem
> > +  $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
> > +  requesting all changes
> > +  adding changesets
> > +  adding manifests
> > +  adding file changes
> > +  added 1 changesets with 4 changes to 4 files
> > +
> > +Defining both per-host certificate and a fingerprint will print a warning
> > +
> > +  $ hg --config hostsecurity.localhost:verifycertsfile=pub.pem --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
> > +  (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
> > +  requesting all changes
> > +  adding changesets
> > +  adding manifests
> > +  adding file changes
> > +  added 1 changesets with 4 changes to 4 files
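Review bot: the new test cases only exercise a readable, well-formed PEM file for hostsecurity.<host>:verifycertsfile; none of them covers a path that does not exist or a file that is not a certificate bundle, so the behaviour in that case (an explicit abort versus quietly verifying against an empty store) is not pinned down by the test. Suggest adding a case next to the mismatch test, e.g. `$ hg --config hostsecurity.localhost:verifycertsfile=missing.pem clone https://localhost:$HGPORT/` with the expected abort output, so a typo in the config cannot weaken verification unnoticed. The precedence case at the end is useful as written: the warning line records that fingerprints take priority over verifycertsfile when both are set.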

Updated $CERTSDIR per my change.
