Cannot pull/push to https server with self-signed certificate

Steve Borho steve at borho.org
Thu Jan 6 21:45:36 CST 2011


On Thu, Jan 6, 2011 at 8:43 PM, Brian Sullivan <bmsullivan at gmail.com> wrote:
> Mads,
> Thanks for the response!
> After reading your message, I performed the steps exactly as described on
> the Mercurial wiki page you linked to.  I navigated to our repo site in
> Firefox and exported the certificate at the root of the hierarchy (there was
> actually only one in the tree).  Once exported, I got the hash on my Mac
> using openssl and copied that into the cacert.pem file on my Windows VM.
> This still results in the same error when trying to perform a remote
> operation.
> Could this have something to do with line endings, since I'm copying the
> hash text from a Mac terminal window into my Windows text editor (GVim)?  To
> address that possibility, I joined the whole hash onto one line and entered
> the carriage returns manually, but it didn't seem to have any effect.  GVim
> says the file is [unix], is that what it should be, even on a Windows
> system?  I'm grasping at straws, here.

I don't believe line endings have any effect one way or another.  gvim
can convert from dos to unix using the ':set ff=dos' and ':set
ff=unix' commands, fwiw.

> I really appreciate your help.  And I also appreciate the security concerns
> of the Mercurial developers, and think they made the right decision for the
> long run.  I just hope the usability around using self-signed certs gets a
> bit easier; I think some of my coworkers might have a difficult time with
> this, even if I explained the steps to them.  Keep in mind, these are guys
> who would have used TFS if I hadn't convinced them otherwise. ;-)
> Brian

Are you sure the server certificate is self-signed?  I've discovered
that some servers that are virtual hosted will depend on SNI [1] to
learn of the proper server hostname to validate against, and Python
2.6 (the basis of Mercurial Windows installers) does not support SNI
for SSL connections.  This feature was just recently added to Python
3.2, and Mercurial itself does not support Python 3 (nor does
TortoiseHg for that matter).  hg.assembla.com seems to fall into this
category.

Beyond SNI, there could be other reasons for server validation failure
(certificate is out of date, invalid host names, no known valid CA),
and they are all unhelpfully lumped together into a single error
message from the openssl library.

As mentioned in the docs, you _can_ connect to the server by setting
[web] cacerts= in your user Mercurial.ini file.  You will get warnings
during pushes saying that the server was not validated, but it will at
least work.

[1] http://en.wikipedia.org/wiki/Server_Name_Indication

-- 
Steve Borho
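A diagnostic for the causes Steve lists (SNI-dependent virtual host, expired certificate, wrong host name, unknown CA), added here as an example; it is not part of the original thread or of Mercurial. It assumes Python 3.7+ (whose ssl module sends SNI and exposes SSLCertVerificationError.verify_message); the host, port and cafile values are placeholders. It fetches the leaf certificate with and without SNI to detect a server that depends on it, then reports why a fully validated connection fails instead of the single lumped OpenSSL error.

```python
import hashlib
import socket
import ssl

def leaf_fingerprint(host, port, send_sni):
    """Fetch the leaf certificate WITHOUT validating it and return its SHA-256
    fingerprint. send_sni=False mimics an SNI-less client such as Python 2.6."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probe only; never reuse for real traffic
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def verify_error(host, port, cafile=None):
    """Return None when a fully validated connection succeeds, otherwise the
    OpenSSL reason text. cafile may be the exported chain (the thread's cacert.pem)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message or str(exc)
    except ssl.SSLError as exc:
        return str(exc)

def diagnose(fp_sni, fp_no_sni, error):
    """Split the single OpenSSL failure into the causes the mail lists.
    Pure function over the two probes' results, so it is testable offline."""
    e = (error or "").lower()
    if error is None:
        cause = "certificate validates"
    elif "expired" in e or "not yet valid" in e:
        cause = "certificate is out of date"
    elif "hostname mismatch" in e or "doesn't match" in e:
        cause = "certificate is not valid for this host name"
    elif "self signed" in e or "self-signed" in e or "local issuer" in e:
        cause = "no known CA: add the server's chain via cacerts"
    else:
        cause = "other verification failure: " + error
    if fp_sni != fp_no_sni:
        cause += "; server relies on SNI, so a client without it (Python 2.6) sees a different certificate"
    return cause

if __name__ == "__main__":
    host, port = "hg.example.invalid", 443  # placeholder, not a real server
    fps = [leaf_fingerprint(host, port, sni) for sni in (True, False)]
    print(diagnose(*fps, verify_error(host, port)))
```

If the SNI note appears, modern clients are fine and only the old Python 2.6-based installers need the server's chain supplied via cacerts; if "out of date" or "not valid for this host name" appears, the fix belongs on the server, not in the client configuration.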
