upstream/mercurial-mirror Files · mercurial/help/urls.txt

sslutil: abort when unable to verify peer connection (BC)...

sslutil: abort when unable to verify peer connection (BC) Previously, when we connected to a server and were unable to verify its certificate against a trusted certificate authority we would issue a warning and continue to connect. This is obviously not great behavior because the x509 certificate model is based upon trust of specific CAs. Failure to enforce that trust erodes security. This behavior was defined several years ago when Python did not support loading the system trusted CA store (Python 2.7.9's backports of Python 3's improvements to the "ssl" module enabled this). This commit changes behavior when connecting to abort if the peer certificate can't be validated. With an empty/default Mercurial configuration, the peer certificate can be validated if Python is able to load the system trusted CA store. Environments able to load the system trusted CA store include: * Python 2.7.9+ on most platforms and installations * Python 2.7 distributions with a modern ssl module (e.g. RHEL7's patched 2.7.5 package) * Python shipped on OS X Environments unable to load the system trusted CA store include: * Python 2.6 * Python 2.7 on many existing Linux installs (because they don't ship 2.7.9+ or haven't backported modern ssl module) * Python 2.7.9+ on some installs where Python is unable to locate the system CA store (this is hopefully rare) Users of these Pythongs will need to configure Mercurial to load the system CA store using web.cacerts. This should ideally be performed by packagers (by setting web.cacerts in the global/system hgrc file). Where Mercurial packagers aren't setting this, the linked URL in the new abort message can contain instructions for users. In the future, we may want to add more code for finding the system CA store. For example, many Linux distributions have the CA store at well-known locations (such as /etc/ssl/certs/ca-certificates.crt in the case of Ubuntu). This will enable CA loading to "just work" on more Python configurations and will be best for our users since they won't have to change anything after upgrading to a Mercurial with this patch. We may also want to consider distributing a trusted CA store with Mercurial. Although we should think long and hard about that because most systems have a global CA store and Mercurial should almost certainly use the same store used by everything else on the system.

Mike Williams - - Load All Authors

File last commit:

r19197:01d68fb0 stable


                r29411:e1778b9c

default

Download file

             urls.txt
        
                    66 lines
            
             | 2.3 KiB
            
                | text/plain
            
             |
                TextLexer

/ mercurial / help / urls.txt

History | Annotation | Raw |Copy content |Copy permalink

				Valid URLs are of the form::

				local/filesystem/path[#revision]
				file://local/filesystem/path[#revision]
				http://[user[:pass]@]host[:port]/[path][#revision]
				https://[user[:pass]@]host[:port]/[path][#revision]
				ssh://[user@]host[:port]/[path][#revision]

				Paths in the local filesystem can either point to Mercurial
				repositories or to bundle files (as created by :hg:`bundle` or
				:hg:`incoming --bundle`). See also :hg:`help paths`.

				An optional identifier after # indicates a particular branch, tag, or
				changeset to use from the remote repository. See also :hg:`help
				revisions`.

				Some features, such as pushing to http:// and https:// URLs are only
				possible if the feature is explicitly enabled on the remote Mercurial
				server.

				Note that the security of HTTPS URLs depends on proper configuration of
				web.cacerts.

				Some notes about using SSH with Mercurial:

				- SSH requires an accessible shell account on the destination machine
				and a copy of hg in the remote path or specified with as remotecmd.
				- path is relative to the remote user's home directory by default. Use
				an extra slash at the start of a path to specify an absolute path::

				ssh://example.com//tmp/repository

				- Mercurial doesn't use its own compression via SSH; the right thing
				to do is to configure it in your ~/.ssh/config, e.g.::

				Host *.mylocalnetwork.example.com
				Compression no
				Host *
				Compression yes

				Alternatively specify "ssh -C" as your ssh command in your
				configuration file or with the --ssh command line option.

				These URLs can all be stored in your configuration file with path
				aliases under the [paths] section like so::

				[paths]
				alias1 = URL1
				alias2 = URL2
				...

				You can then use the alias for any command that uses a URL (for
				example :hg:`pull alias1` will be treated as :hg:`pull URL1`).

				Two path aliases are special because they are used as defaults when
				you do not provide the URL to a command:

				default:
				When you create a repository with hg clone, the clone command saves
				the location of the source repository as the new repository's
				'default' path. This is then used when you omit path from push- and
				pull-like commands (including incoming and outgoing).

				default-push:
				The push command will look for a path named 'default-push', and
				prefer it over 'default' if both are defined.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages