Differences between revisions 13 and 34 (spanning 21 versions)
Revision 13 as of 2011-01-07 01:37:45 (size 6298)
Revision 34 as of 2013-08-31 22:15:23 (size 537, editor: ElainePon)
#pragma section-numbers 2
= CA Certificates =
About Mercurial's handling of SSL certificates for `https` URLs.

<<TableOfContents>>

== Changes in Mercurial 1.7.x ==
Mercurial has improved its HTTPS support in the 1.7.x series. When connecting to an HTTPS server, it will now verify the server's certificate correctly and reject the connection if the server identity can't be confirmed, but only if Certification Authorities (CAs) have been configured. As of 1.7.3, Mercurial will warn if CAs haven't been configured.

{i} The new "certificate not verified" warning does not mean that you are less secure than before. It just informs you of how insecure you have always been.

You should fix your setup so you get the security you might expect from SSL and don't get any warnings; otherwise you might just as well stop using HTTPS.

== Configuration of HTTPS certificate authorities ==
Most operating systems maintain a set of root certificates that you might decide to trust. Note that any of these authorities can approve any server identity, and any of them will thus be able to spoof any server identity.

=== Debian/Ubuntu ===
On Debian and Ubuntu you can use this global configuration:

{{{
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt
}}}
=== Fedora/RHEL ===
On Fedora and RHEL you can use this global configuration:

{{{
[web]
cacerts = /etc/pki/tls/certs/ca-bundle.crt
}}}
=== Mac OS X before 10.6 ===
You can generate the file you need by opening Keychain Access (from /Applications/Utilities), going to the System Roots keychain, selecting everything and then choosing `Export Items...` from the `File` menu. Make sure the `File Format` is set to `Privacy Enhanced Mail (.pem)`, then save it to your Desktop as `Certificates`. Next, in Terminal enter

{{{
sudo cp ~/Desktop/Certificates.pem /etc/hg-ca-roots.pem
}}}
then configure Mercurial as follows:

{{{
[web]
cacerts = /etc/hg-ca-roots.pem
}}}
Note that because the vendor-supplied set of CA root certificates on Mac OS X lives in the system keychain, you may wish to repeat these steps after installing software updates if they include changes to the root certificate list.

=== Mac OS X 10.6 and higher ===
On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore Mercurial use to implement their SSL support) will look in the system keychain. Unfortunately, the SSL code in the Python core doesn't allow for this situation: it always expects you to specify a certificate bundle, and if one is specified it must contain at least one certificate. A simple way to deal with this problem is to enter (in Terminal)

{{{
openssl req -new -x509 -extensions v3_ca -keyout /dev/null -out dummycert.pem -days 3650
}}}
to generate a dummy certificate (the contents don't matter, so you can just hit return at all of the prompts), then

{{{
sudo cp dummycert.pem /etc/hg-dummy-cert.pem
}}}
and set your configuration as follows:

{{{
[web]
cacerts = /etc/hg-dummy-cert.pem
}}}
Don't download a dummy certificate someone on the Internet has created to solve this problem unless you're certain that they're trustworthy; if they kept the private key, they would be able to sign certificates that Mercurial would trust. Better just to enter the commands above.

=== Windows ===
The Windows installers for Mercurial 1.7.3 (and the corresponding !TortoiseHg installers) contain a `cacert.pem` and will by default configure `web.cacerts` in `hgrc.d\paths.rc`. Note that by default it is no longer possible to connect to repositories with self-signed certificates.

=== Other platforms ===
If your platform doesn't provide a usable CA list, you can download a cacert file from http://curl.haxx.se/docs/caextract.html or some other trusted source.

=== Self-signed certificates ===
You might want to tweak your cacert file, for example by removing CAs you don't trust or by adding your own internal or self-signed CAs. Only one cacerts file can be specified at any time, so you might want to override `web.cacerts` in your user or repository configuration.

The root CA certificate for a server can, for example, be retrieved with Firefox. Browse to `https://server/repo` and verify that this is the repository you trust, then click the lock symbol in the lower right corner, View Certificate, Details, select the certificate at the top of the Certificate Hierarchy, Export, "X.509 Certificate (PEM)", and save it somewhere, for example as `server.pem`. With other browsers on Windows you have to view the certificate at the top of the Certification Path and "Copy to File" as "Base-64 encoded X.509 (.CER)". Several such files can be concatenated into one cacerts file.

{i} The content of a single PEM encoded certificate can be seen with

{{{
openssl x509 -in server.pem -text
}}}
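Several browser exports can be merged into the single cacerts file this section describes. The following is an added example, not part of this wiki page or of Mercurial: it parses the PEM/CER blocks (tolerating the CRLF endings of a Windows export), drops duplicates by SHA-256 fingerprint and refuses to produce an empty bundle. The certificate bytes and file names are constructed stand-ins.

```python
import base64
import hashlib
import re

# One PEM certificate block; "\r?" tolerates the CRLF line endings of a
# Windows "Base-64 encoded X.509 (.CER)" export.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def parse_pem_certs(text):
    """Return the DER bytes of every certificate block in a PEM/CER file's text."""
    ders = []
    for match in _PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(body, validate=True)  # bad base64 raises a ValueError
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("certificate block is not a DER SEQUENCE")
        ders.append(der)
    return ders

def as_pem(der, nl="\n"):
    """Encode DER bytes as a browser export does: 64-column base64, LF or CRLF."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return nl.join(["-----BEGIN CERTIFICATE-----"] + lines + ["-----END CERTIFICATE-----", ""])

def build_cacerts_bundle(pem_files):
    """Merge exported files ({name: text}) into one web.cacerts bundle, keeping
    duplicate certificates (same SHA-256 fingerprint) once; raise ValueError if
    none survives, since Python's ssl module rejects an empty cacerts file."""
    blocks = {}
    for name, text in pem_files.items():
        for der in parse_pem_certs(text):
            fp = hashlib.sha256(der).hexdigest()
            if fp not in blocks:
                # The label line sits outside BEGIN/END, so OpenSSL's PEM reader skips it.
                blocks[fp] = "%s sha256=%s\n%s" % (name, fp, as_pem(der))
    if not blocks:
        raise ValueError("bundle would contain no certificates")
    return "".join(blocks.values()), list(blocks)

# Constructed stand-ins for DER certificates: tiny SEQUENCEs, not real X.509.
FAKE_DER_A = b"\x30\x06\x02\x01\x01\x02\x01\x0a"
FAKE_DER_B = b"\x30\x06\x02\x01\x02\x02\x01\x0b"
SAMPLE_FILES = {  # constructed sample input
    "server.pem": as_pem(FAKE_DER_A),         # Firefox "X.509 Certificate (PEM)" export
    "proxy.cer": as_pem(FAKE_DER_B, "\r\n"),  # Windows Base-64 .CER export
    "server-again.pem": as_pem(FAKE_DER_A),   # the same server exported twice
}
```

Write the returned bundle text to the file named by `web.cacerts`; `openssl x509 -in <file> -text` on each exported file remains the way to inspect what you are about to trust.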

== Per-repository configuration ==
If you want to control more explicitly who can impersonate the servers you authenticate to and pull from, you can configure the trusted CAs for each local clone.

In your local repository, edit `.hg/hgrc` and add

{{{
[web]
cacerts = /path/to/server.pem
}}}
Note: This requires Mercurial 1.7.3 or later.

== Packaging ==
Packagers are encouraged to integrate as well as possible with the platform's existing PKI, for example by distributing a `hgrc.d/cacert.rc` that configures `web.cacerts`. If the platform doesn't have a suitable CA list you might want to distribute your own, for example the one from cURL/Mozilla.

Note, however, that using a pre-configured cacert list by default will cause a regression for those who connect to servers with self-signed certificates. It should thus not be introduced in a bugfix release but wait for a major update, depending on your update strategy.

== HTTP proxy support ==
Mercurial does not currently verify certificates for HTTPS connections made with CONNECT through HTTP proxies.

== SMTP TLS certificates ==
Mercurial does not currently verify TLS certificates for SMTP.

== See also ==
 * http://docs.python.org/library/ssl.html#ssl-certificates
 * http://curl.haxx.se/docs/sslcerts.html
 * http://bugs.python.org/issue1589
 * http://mercurial.selenic.com/bts/issue2407

----
[[JapaneseCACertificates|Japanese]]

CACertificates (last edited 2015-04-19 13:20:25 by YuyaNishihara)