Opened 14 years ago
Closed 13 years ago
#28065 closed defect (wontfix)
mercurial: Error when pulling from https with cert not signed by a CA in the default list
| Reported by: | brejoc@… | Owned by: | deric@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | 1.9.1 |
| Keywords: | | Cc: | nerdling (Jeremy Lavergne) |
| Port: | mercurial | | |
Description
When I try to pull changes from our hg server via https with a self-signed certificate, hg aborts and presents an error message. This has happened since version 1.7.3:

```
$ hg pull
abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```

The same hg version installed via pip gives a warning (`warning: repos.myhost.com certificate not verified (check web.cacerts config setting)`) but performs the task without aborting.
Change History (8)
comment:1 Changed 14 years ago by ryandesign (Ryan Carsten Schmidt)
| Owner: | changed from macports-tickets@… to deric@… |
|---|---|
| Summary: | Error when pulling from https with self signed cert → mercurial: Error when pulling from https with self signed cert |
comment:2 Changed 14 years ago by jmroot (Joshua Root)
| Cc: | snc@… added |
|---|---|
comment:3 Changed 14 years ago by bpanulla (Brian Panulla)
comment:4 Changed 13 years ago by jmroot (Joshua Root)
| Summary: | mercurial: Error when pulling from https with self signed cert → mercurial: Error when pulling from https with cert not signed by a CA in the default list |
|---|---|
comment:5 Changed 13 years ago by jmroot (Joshua Root)
I'm not sure there's really a bug here. Accepting certificates not signed by a known CA is not a safe default.
The port is initially configured to use curl-ca-bundle for its list of acceptable CAs. If you want to use a different list globally, edit `${prefix}/etc/mercurial/hgrc` (or override it in `~/.hgrc`). If you want to use a different cacerts file for a clone, use `--config web.cacerts=<path>`. If you really want to skip validating the certificate, use `--insecure`.
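The two outcomes discussed above (the bundle check rejecting a self-signed server certificate, and a dedicated `web.cacerts` file accepting it without `--insecure`) reproduced with openssl. This is an added example, not code from the ticket or the MacPorts port; the host name, the "public CA", and all paths are constructed, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the ticket): reproduce the CA-bundle rejection of a
# self-signed server certificate, then build the kind of cacerts file that
# web.cacerts can point at, so --insecure is never needed.
# Constructed: the host name, the stand-in "public CA" and every path.
set -e
WORK=$(mktemp -d)
HOST="repos.example.test"   # constructed stand-in for the reporter's repos.myhost.com

# Self-signed certificate standing in for the hg server's certificate.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/server.crt"
}

# Bundle holding one unrelated CA, standing in for curl-ca-bundle: the server
# certificate does not chain to it, which is what hg's abort reports.
make_public_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/ca.key" -out "$WORK/public-bundle.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/public-bundle.crt"
}

# Dedicated cacerts file for this one server: the self-signed certificate is
# the only trust anchor, so only that exact certificate is ever accepted.
make_pinned_bundle() {
    cp "$1" "$WORK/myhost-cacerts.crt"
    printf '%s\n' "$WORK/myhost-cacerts.crt"
}

# Same decision hg makes for web.cacerts: exit 0 if CERT ($1) chains to BUNDLE ($2).
verify_against_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# hgrc fragment (for ~/.hgrc) that makes the pinned bundle the default.
write_hgrc() {
    printf '[web]\ncacerts = %s\n' "$1" > "$2"
    printf '%s\n' "$2"
}

if [ "${1:-}" = "--demo" ]; then
    CERT=$(make_selfsigned_cert); PUBLIC=$(make_public_bundle)
    verify_against_bundle "$CERT" "$PUBLIC" || echo "public bundle rejects it: hg aborts"
    PINNED=$(make_pinned_bundle "$CERT")
    verify_against_bundle "$CERT" "$PINNED" && echo "pinned bundle accepts it"
    echo "hg pull --config web.cacerts=$PINNED  (or: $(write_hgrc "$PINNED" "$WORK/hgrc"))"
fi
```

Run with `--demo` to see both verdicts; the pinned bundle is a strict alternative to `--insecure` because it trusts one certificate rather than none.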
comment:6 Changed 13 years ago by brejoc@…
Sorry jmr, but that's not the point. The app could warn (which is the behaviour implemented by the developers) or abort, but not throw an error and exit.
comment:7 Changed 13 years ago by jmroot (Joshua Root)
What do you mean "the behaviour implemented by the developers"? Aborting with that error message is not in any way specific to macports, see for example: http://mercurial.selenic.com/bts/issue2596
comment:8 Changed 13 years ago by deric@…
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Closing since the issue is really upstream and workarounds have been outlined here. Thanks.
Also occurs with CACert certificates (cacert.org). CACert root certificate is in my system Keychain.