[Bug 873500] New: Mercurial no longer pushes\clones to self-signed repos
https://bugzilla.novell.com/show_bug.cgi?id=873500
https://bugzilla.novell.com/show_bug.cgi?id=873500#c0

Summary: Mercurial no longer pushes\clones to self-signed repos
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: c_eric@sbcglobal.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0

After trying to clone or push data to a self-signed repo mercurial aborts with an error. This can be done with any combination of the following options:
1) --insecure
2) --config web.cacerts=

There are tips on how to fix this on the mercurial website: http://mercurial.selenic.com/wiki/CACertificates however, these do not work.

This is not a problem with python as trying a very simple ssl program:
https://docs.python.org/2/library/ssl.html#client-side-operation
with this change:
ssl_sock = ssl.wrap_socket(s)
does work.

This was tested on both version 2.7.1 and version 2.9.1.

Reproducible: Always

Steps to Reproduce:
1. hg clone --insecure https://self.signed.repo.tld/path-to-hg

Actual Results:
pushing to https://self.signed.repo.tld/path-to-hg
abort: error: _ssl.c:357: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Expected Results:
Data to be pushed to the server.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=873500#c
Xiyuan Liu
https://bugzilla.novell.com/show_bug.cgi?id=873500#c1
Takashi Iwai
https://bugzilla.novell.com/show_bug.cgi?id=873500#c2
Andrei Dziahel
https://bugzilla.novell.com/show_bug.cgi?id=873500#c3
--- Comment #3 from Eric Neblock
> Eric, can you confirm http://mercurial.selenic.com/wiki/CACertificates#Host_certificate_fingerprin... doesn't work either?

When following the directions at the provided link, this DOES work with hg version 2.9.1 for x86_64 on OpenSuSE 13.1. All of ~/.hgrc was commented out (#) and replaced with only:

[hostfingerprints]
hg.intevation.org = fa:1f:d9:48:f1:e7:74:30:38:8d:d8:58:b6:94:b8:58:28:7d:8b:d0
https://bugzilla.novell.com/show_bug.cgi?id=873500#c4
--- Comment #4 from Andrei Dziahel
[hostfingerprints]
self.signed.repo.tld = <fingerprint of self.signed.repo.tld SSL certificate>
https://bugzilla.novell.com/show_bug.cgi?id=873500#c5
--- Comment #5 from Eric Neblock
> Well, that's not exactly what I've had in mind; you should have had the following stuff in your .hgrc in order to test if it helps:
>
> [hostfingerprints]
> self.signed.repo.tld = <fingerprint of self.signed.repo.tld SSL certificate>

Ah, well, filling in the fingerprints for my own host and then trying to clone does not cause an error.
https://bugzilla.novell.com/show_bug.cgi?id=873500#c6
Andrei Dziahel
https://bugzilla.novell.com/show_bug.cgi?id=873500#c7
Eric Neblock
> Great! Closing then.

Well the problem was not being able to use the --insecure method. This solution doesn't solve it unless I go and copy the fingerprints.
https://bugzilla.novell.com/show_bug.cgi?id=873500#c8
--- Comment #8 from Andrei Dziahel
(In reply to comment #6)
> > Great! Closing then.
>
> Well the problem was not being able to use the --insecure method.
> This solution doesn't solve it unless I go and copy the fingerprints.

Of course you should copy&paste host fingerprints around. Because in the case of a self-signed certificate, removing the host fingerprint is the only way to revoke that certificate.
https://bugzilla.novell.com/show_bug.cgi?id=873500#c9
--- Comment #9 from Eric Neblock
(In reply to comment #7)
> (In reply to comment #6)
> > > Great! Closing then.
> >
> > Well the problem was not being able to use the --insecure method.
> > This solution doesn't solve it unless I go and copy the fingerprints.
>
> Of course you should copy&paste host fingerprints around. Because in the case of a self-signed certificate, removing the host fingerprint is the only way to revoke that certificate.

Yes, that would be best. However, if I don't want to, shouldn't I be allowed to, like the original code permits?
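
Added example, not part of the bug thread and not Mercurial's own code: a sketch of the [hostfingerprints] check discussed above, comparing a certificate's colon-separated SHA-1 fingerprint with the value pinned in hgrc and showing that deleting the pin withdraws trust. The function names, the use of Python's configparser to read hgrc, and the sample bytes are assumptions made for illustration.

```python
import configparser
import hashlib

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# In a live check these come from SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"constructed-der-bytes-for-self.signed.repo.tld"

def fingerprint(der_bytes):
    """SHA-1 of the DER certificate as colon-separated lowercase hex."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Strip separators and case so pasted fingerprints compare equal."""
    return fp.replace(":", "").replace(" ", "").lower()

def load_pins(hgrc_text):
    """Return {hostname: fingerprint} from the [hostfingerprints] section."""
    # Assumption: configparser is close enough to hgrc syntax for this section.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(hgrc_text)
    if not parser.has_section("hostfingerprints"):
        return {}
    return dict(parser.items("hostfingerprints"))

def check_host(host, der_bytes, pins):
    """Return 'match', 'mismatch' or 'unpinned' for the certificate presented."""
    pinned = pins.get(host.lower())
    if pinned is None:
        return "unpinned"
    same = normalize(pinned) == normalize(fingerprint(der_bytes))
    return "match" if same else "mismatch"

def demo():
    host = "self.signed.repo.tld"
    # Pin pasted in upper case, as a user might copy it from another tool.
    hgrc = "[hostfingerprints]\n" + host + " = " + fingerprint(SAMPLE_DER).upper() + "\n"
    pins = load_pins(hgrc)
    return [
        check_host(host, SAMPLE_DER, pins),          # pinned certificate
        check_host(host, SAMPLE_DER + b"x", pins),   # server presents another one
        check_host(host, SAMPLE_DER, {}),            # pin deleted: trust withdrawn
    ]

if __name__ == "__main__":
    print(demo())
```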