Saturday, October 13, 2012

Mercurial and self-signed server certificates

So Mercurial aborts when you try to interact with a repository that uses a self-signed certificate, as is the case for my own little Mercurial repo exposed over https.

NOTE: this is obviously insecure and you must verify that the SSL cert's fingerprint is correct. If you roll your own server, log into the server and get the fingerprint from the cert file itself, not over https, since there could be a man-in-the-middle.

Alright, so you need to get hold of the cert and extract its fingerprint. Over https it works like this (stdin is redirected from /dev/null so that s_client exits once the handshake is done instead of waiting for input):

user@local:/tmp$ openssl s_client -connect server:port -showcerts </dev/null | openssl x509 -fingerprint -noout
depth=0 C = CH, ST = Example, L = Example, O = Example, OU = Example, CN = Example, emailAddress =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, ST = Example, L = Example, O = Example, OU = Example, CN = Example, emailAddress =
verify return:1
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

And to get the fingerprint from your cert file directly on the server, do this:

user@remote:/tmp$ openssl x509 -in /path/to/the/cert.pem -fingerprint -noout
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

Now that you have the fingerprint, you need to tell Mercurial to accept that self-signed certificate for a given hostname, which you do in ~/.hgrc. The section is [hostfingerprints], and each entry is keyed by the hostname you connect to (without the port):

[hostfingerprints]
server = 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

And that's it!
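As an added example (not part of the original post), here is a small Python script that does the same work as the openssl commands above: it computes the SHA-1 fingerprint of a PEM certificate, checks that the fingerprint of the cert fetched over the network matches the one you copied from the cert file on the server, and only then emits the ~/.hgrc stanza. The certificate text, the hostname `server` and the helper names are constructed for the demonstration; the [hostsecurity] stanza is the newer syntax that Mercurial 3.9 and later use in place of [hostfingerprints].

```python
import base64
import hashlib
import re
import ssl

# Constructed stand-in for a PEM certificate (not a real cert): its body is
# base64("abc"), so its SHA-1 "fingerprint" is the well-known digest of "abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem, algo="sha1"):
    """Digest of the DER bytes as AA:BB:..., what `openssl x509 -fingerprint` prints."""
    hexdigest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprints_match(a, b):
    """Compare fingerprints regardless of case or colon separators."""
    return a.replace(":", "").lower() == b.replace(":", "").lower()

def fetch_remote_pem(host, port=443):
    """Untrusted over-https copy of the server cert; no validation is done here."""
    return ssl.get_server_certificate((host, port))

def hgrc_stanza(hostname, pem):
    """Old [hostfingerprints] form (SHA-1) plus [hostsecurity] form (SHA-256, hg 3.9+)."""
    return (
        "[hostfingerprints]\n"
        f"{hostname} = {fingerprint(pem, 'sha1')}\n\n"
        "[hostsecurity]\n"
        f"{hostname}:fingerprints = sha256:{fingerprint(pem, 'sha256')}\n"
    )

def trusted_stanza(hostname, remote_pem, expected_fp):
    """Emit the stanza only if the cert seen on the wire matches the server-side one."""
    if not fingerprints_match(fingerprint(remote_pem), expected_fp):
        raise RuntimeError("fingerprint mismatch: refusing to pin this certificate")
    return hgrc_stanza(hostname, remote_pem)
```

In real use, `expected_fp` is the value you read off the cert file on the server itself, and `remote_pem` comes from `fetch_remote_pem("server", port)`.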
