Opened 14 years ago

Closed 13 years ago

#28065 closed defect (wontfix)

mercurial: Error when pulling from https with cert not signed by a CA in the default list

Reported by: brejoc@… Owned by: deric@…
Priority: Normal Milestone:
Component: ports Version: 1.9.1
Keywords: Cc: nerdling (Jeremy Lavergne)
Port: mercurial

Description

When I try to pull changes from our hg server via https with a self signed certificate hg aborts and present an error message. This happens since version 1.7.3:

$ hg pull
abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The same hg version installed via pip gives a warning (warning: repos.myhost.com certificate not verified (check web.cacerts config setting)) but performs the task without abortion.

Change History (8)

comment:1 Changed 14 years ago by ryandesign (Ryan Carsten Schmidt)

Owner: changed from macports-tickets@… to deric@…
Summary: Error when pulling from https with self signed certmercurial: Error when pulling from https with self signed cert

comment:2 Changed 14 years ago by jmroot (Joshua Root)

Cc: snc@… added

comment:3 Changed 14 years ago by bpanulla (Brian Panulla)

Also occurs with CACert certificates (cacert.org). CACert root certificate is in my system Keychain.

comment:4 Changed 13 years ago by jmroot (Joshua Root)

Summary: mercurial: Error when pulling from https with self signed certmercurial: Error when pulling from https with cert not signed by a CA in the default list

comment:5 Changed 13 years ago by jmroot (Joshua Root)

I'm not sure there's really a bug here. Accepting certificates not signed by a known CA is not a safe default.

The port is initially configured to use curl-ca-bundle for its list of acceptable CAs. If you want to use a different list globally, edit ${prefix}/etc/mercurial/hgrc (or override it in ~/.hgrc). If you want to use a different cacerts file for a clone, use --config web.cacerts=<path>. If you really want to skip validating the certificate, use --insecure.

comment:6 Changed 13 years ago by brejoc@…

Sorry jmr, but that's not the point. The app could warn (which is the behaviour implemented by the developers) or abort, but not throw an error and exit.

comment:7 Changed 13 years ago by jmroot (Joshua Root)

What do you mean "the behaviour implemented by the developers"? Aborting with that error message is not in any way specific to macports, see for example: http://mercurial.selenic.com/bts/issue2596

comment:8 Changed 13 years ago by deric@…

Resolution: wontfix
Status: newclosed

Closing since the issue is really upstream and workarounds have been outlined here. Thanks.

Note: See TracTickets for help on using tickets.