Opened 13 years ago

Closed 12 years ago

#28065 closed defect (wontfix)

mercurial: Error when pulling from https with cert not signed by a CA in the default list

Reported by: brejoc@…
Owned by: deric@…
Priority: Normal
Milestone:
Component: ports
Version: 1.9.1
Keywords:
Cc: nerdling (Jeremy Lavergne)
Port: mercurial

Description

When I try to pull changes from our hg server via https with a self-signed certificate, hg aborts and presents an error message. This has been happening since version 1.7.3:

$ hg pull
abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The same hg version installed via pip gives a warning (warning: repos.myhost.com certificate not verified (check web.cacerts config setting)) but performs the task without aborting.

Change History (8)

comment:1 Changed 13 years ago by ryandesign (Ryan Carsten Schmidt)

Owner: changed from macports-tickets@… to deric@…
Summary: changed from "Error when pulling from https with self signed cert" to "mercurial: Error when pulling from https with self signed cert"

comment:2 Changed 13 years ago by jmroot (Joshua Root)

Cc: snc@… added

comment:3 Changed 13 years ago by bpanulla (Brian Panulla)

Also occurs with CACert certificates (cacert.org). CACert root certificate is in my system Keychain.

comment:4 Changed 12 years ago by jmroot (Joshua Root)

Summary: changed from "mercurial: Error when pulling from https with self signed cert" to "mercurial: Error when pulling from https with cert not signed by a CA in the default list"

comment:5 Changed 12 years ago by jmroot (Joshua Root)

I'm not sure there's really a bug here. Accepting certificates not signed by a known CA is not a safe default.

The port is initially configured to use curl-ca-bundle for its list of acceptable CAs. If you want to use a different list globally, edit ${prefix}/etc/mercurial/hgrc (or override it in ~/.hgrc). If you want to use a different cacerts file for a clone, use --config web.cacerts=<path>. If you really want to skip validating the certificate, use --insecure.
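Added example (not from the ticket, the MacPorts port, or Mercurial itself): a small POSIX shell script that resolves which CA bundle an hg run will validate against, using the precedence just described (a `--config web.cacerts=<path>` override beats `~/.hgrc`, which beats `${prefix}/etc/mercurial/hgrc`), and that sanity-checks a bundle before pointing `web.cacerts` at it. The hgrc contents, certificate files and the `/opt/local/share/curl/curl-ca-bundle.crt` path mentioned in a comment are constructed or assumed for the example.

```shell
#!/bin/sh
# Added example, not project code. Resolves the effective web.cacerts setting
# for an hg invocation and checks that a candidate bundle actually holds PEM
# certificates. Paths below are constructed; the curl-ca-bundle location is
# an assumption about where the MacPorts port installs it, e.g.
#   [web]
#   cacerts = /opt/local/share/curl/curl-ca-bundle.crt

# read_cacerts FILE
#   Print the web.cacerts value from an hgrc-style INI file.
#   Exit status 1 if the file is missing or has no such key.
read_cacerts() {
    [ -f "$1" ] || return 1
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section) }
        section == "[web]" && $0 ~ /^[ \t]*cacerts[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# effective_cacerts GLOBAL_HGRC USER_HGRC [OVERRIDE]
#   Print the bundle hg would use. OVERRIDE stands for --config web.cacerts=<path>.
#   No output and status 1 means neither file sets it, so hg falls back to its
#   built-in default (on the port, the curl-ca-bundle list).
effective_cacerts() {
    if [ -n "$3" ]; then
        printf '%s\n' "$3"
        return 0
    fi
    read_cacerts "$2" && return 0
    read_cacerts "$1"
}

# count_certs BUNDLE
#   Print how many PEM certificates the bundle contains; status 1 if none.
#   An empty or non-PEM bundle can never validate anything, which is the first
#   thing to check when "certificate verify failed" persists after cacerts was
#   pointed at a custom file (one that adds an internal or CAcert root, say).
count_certs() {
    [ -f "$1" ] || { echo 0; return 1; }
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    echo "$n"
    [ "$n" -gt 0 ]
}

# Demonstration on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '[web]\ncacerts = %s/global.crt\n' "$tmp" > "$tmp/global.hgrc"
    printf '[ui]\nusername = example\n[web]\ncacerts = %s/user.crt\n' "$tmp" > "$tmp/user.hgrc"
    # Constructed placeholder bundle with a single (fake) certificate block.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$tmp/user.crt"
    echo "global + user hgrc:  $(effective_cacerts "$tmp/global.hgrc" "$tmp/user.hgrc")"
    echo "with --config:       $(effective_cacerts "$tmp/global.hgrc" "$tmp/user.hgrc" /from/cmdline.crt)"
    echo "global only:         $(effective_cacerts "$tmp/global.hgrc" "$tmp/missing.hgrc")"
    echo "certs in user.crt:   $(count_certs "$tmp/user.crt")"
    rm -rf "$tmp"
}

demo
```

Once `effective_cacerts` shows the bundle you expect, the safe way to trust an internal or CAcert-issued server certificate is to append that issuing root to a copy of the bundle and point `web.cacerts` at the copy, rather than reaching for `--insecure`, which disables validation for that invocation entirely.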

comment:6 Changed 12 years ago by brejoc@…

Sorry jmr, but that's not the point. The app could warn (which is the behaviour implemented by the developers) or abort, but not throw an error and exit.

comment:7 Changed 12 years ago by jmroot (Joshua Root)

What do you mean "the behaviour implemented by the developers"? Aborting with that error message is not in any way specific to macports, see for example: http://mercurial.selenic.com/bts/issue2596

comment:8 Changed 12 years ago by deric@…

Resolution: wontfix
Status: changed from new to closed

Closing since the issue is really upstream and workarounds have been outlined here. Thanks.
