Hi Assaf, Good work on getting hg moved over.
Assaf Gordon wrote: > Older 'hg' clients do not support SNI (Server Name Indication, Would it be sufficient simply to state that for https to be used that clients simply must use a suitable up to date client? I think that is more than sufficient. Especially considering that they could not previously use https at all. It supports the natural progression of things. If you want to use the new thing then you need the new thing compatible software. Is there any way to tell by statics how many older hg clients are still in use? Or perhaps what environments or OS distributions are shipping older hg clients? Obviously this has not previously been a problem because https has not previously been offered for hg. They never had this problem before. This is simply a new feature which is only available to up to date software. I think that is okay. I also suspect that older clients not getting updated anymore will soon have problems with dropped protocols such as SSLv3 now dropped too. I see that TLS1.0 is the lastest supported by these older clients. When TLS1.0 becomes unsupportable they will be forced to upgrade at that point. > Possible workarounds include: One you did not mention is that on the server side we could allocate another IP address specifically for hg use. That would allow us to avoid needing SNI to serve the certificate. However given that the problem is outdated hg clients not getting updated which leads to other problems I don't think we should help them do the wrong thing here. > 1. Use 'http' instead of 'https' Or use the bzr:// protocol. No difference then. One of these two options is what they have been using all of this while already. > 2. Use '--insecure' : > hg clone --insecure https://hg.sv.gnu.org/hgweb/test-project/ Better than not using it. > 3. Add the fingerprint to your '.hgrc' file: > > $ FP=c0:50:9b:12:09:6c:d7:f4:7e:3e:7d:d8:eb:17:a3:8b:17:ad:36:77 > $ cat<<EOF>>.hgrc > [hostfingerprints] > hg.sv.gnu.org = $FP > hg.sv.nongnu.org = $FP > hg.savannah.gnu.org = $FP > hg.savannah.nongnu.org = $FP > EOF > > (though note that this is fingerprint might change in the future, > and it's rather arbitrary that 'bzr' certificate is used instead > of another). Not sure but won't that change every time the certificate is renewed? Being as we renew every two months and during our development we add and remove sites from the certificate routinely I think the fingerprint will not remain constant. I worry about suggesting that workaround as I do not think it will last. > 4. Upgrade 'hg' (and/or the underlying python setup). That seems like the best answer. However I do have sympathy if old clients are still in long term supported OS releases. Bob
