|
Size: 2979
Comment: Clean up per WikiStyleGuide, copy-edit
|
Size: 537
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| #pragma section-numbers 2 = CA Certificates = About Mercurial's handling of SSL certificates for https urls. <<TableOfContents>> == Changes in Mercurial 1.7.x == Mercurial has improved its https support in the 1.7.x series. When connecting to an https server, it will now verify the server's certificate. Connections to a server with the wrong identity will be rejected. As of 1.7.3, Mercurial will warn if it doesn't know how to verify it because no Certification Authorities (CAs) have been configured. {i} The "certificate not verified" warning does not mean that you are less secure than before. It just informs you how insecure you always has been. You should fix your setup so you get the security you might expect from SSL and don't get any warnings; otherwise you might just as well stop using https. == Configuration of Certificate Authorities == Most operating systems maintain a set of root certificates that you might decide to trust. Note that any of these authorities can approve a server identity, and any of them will thus be able to spoof any server identity. On Debian and Ubuntu you can use this global configuration: {{{ [web] cacerts = /etc/ssl/certs/ca-certificates.crt }}} On Fedora and RHEL you can use this global configuration: {{{ [web] cacerts = /etc/pki/tls/certs/ca-bundle.crt }}} On other platforms you can download a cacert file from http://curl.haxx.se/docs/caextract.html . The Mercurial-1.7.3 installers for Windows already contains a `misc\cacert.pem`. You might want to modify the cacert file, for examply by removing CAs you don't trust or by adding your own internal or self-signed CAs. == Per-repository configuration == If you want to control explicitly which servers you will authenticate to and pull from you can explicitly configure the trusted servers identity for each local clone. The server's public identity can for example be retrieved with Firefox. Browse to `https://server/repo`, click the lock symbol in the lower right corner, View Certificate, Details, Export, "X.509 Certificate (PEM)" and save somewhere as server.pem. In your local repo edit .hg/hgrc and add {{{ [web] cacerts = /path/to/server.pem }}} Note: This requires Mercurial 1.7.3 or later. == Packaging == Packagers are encouraged to integrate as good as possible with the platforms existing PKI, for example by distributing a `hgrc.d/cacert.rc` with configuration of `web.cacerts`. If the platform don't have a suitable CA list you might want to distribute your own - for example the one from cURL/Mozilla. Note however that that will cause a regression for those who connect to servers with self-signed certificates. It should thus not be introduced in a bugfix release but wait for a major update, depending on how your update strategy is. == See also == * http://curl.haxx.se/docs/sslcerts.html * http://bugs.python.org/issue1589 * http://mercurial.selenic.com/bts/issue2407 |
Blase Bloss is the name or company name his parents gave him and his wife does not need to like it at what. To bungee rush is something that bigger been doing for growth cycles. Years ago he positioned to Colorado but his / her wife wants them time for move. He used to be [[http://Www.jobless.com.my/|jobless]] but now he is a database administrator but soon his wife but also him will start your own business. If you wants to find uot whole lot more check out his website: http://www.zkes.tn.edu.tw/alumnus/index.php/User:AmandaRoyal |
Blase Bloss is the name or company name his parents gave him and his wife does not need to like it at what. To bungee rush is something that bigger been doing for growth cycles. Years ago he positioned to Colorado but his / her wife wants them time for move. He used to be jobless but now he is a database administrator but soon his wife but also him will start your own business. If you wants to find uot whole lot more check out his website: http://www.zkes.tn.edu.tw/alumnus/index.php/User:AmandaRoyal