https://bz.mercurial-scm.org/show_bug.cgi?id=5912
Bug ID: 5912
Summary: Pin the server's host key, not the certificate in .hgrc
Product: Mercurial
Version: 4.6
Hardware: PC
OS: Mac OS
Status: UNCONFIRMED
Severity: feature
Priority: wish
Component: Mercurial
Assignee: bugzi...@mercurial-scm.org
Reporter: ro...@pep-project.org
CC: mercurial-devel@mercurial-scm.org

We use Let's Encrypt certificates for our Mercurial servers. These certificates have (by intention) a quite short lifetime, so they change every 2 months or the like.

Unfortunately Mercurial is unable to validate these certificates via the TLS trust chain (as every web browser does), so we have to "pin" the certificates' fingerprints in the [hostsecurity] section of our .hgrc and have to change them quite often on all of our clients. That is annoying. :-(

As far as I understand TLS certificates, they are used to provide a trust chain from a few well-known and trustworthy "root certificates" (that are fixed or seldom changing and known to the client) to the server's TLS key, so clients don't have to trust (and pin that trust to) every single TLS server. But it seems that Mercurial can't do that. Am I right?

Or as an alternative: why can't Mercurial just pin the server's TLS key (or its fingerprint) directly, without any "certificate voodoo" in between?

Greetings,
Lars R.

--
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
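Editor's note, added to the report and not part of it: the `[hostsecurity]` pin the reporter is maintaining is a hash of the whole DER certificate, so it necessarily changes on every renewal. What "pin the key" would mean is a hash of the certificate's SubjectPublicKeyInfo (the `pin-sha256` form of RFC 7469), which stays stable across renewals only if the server keeps its private key (certbot does that with `--reuse-key`; by default it generates a fresh key). Mercurial's own answer to the chain-validation problem is to point it at a CA bundle (`web.cacerts`, or a per-host `<host>:verifycertsfile` line in `[hostsecurity]`) rather than pinning at all. The script below is an added example, not Mercurial's code and not the reporter's: it produces the `sha256:` fingerprint line `[hostsecurity]` expects, extracts the SPKI with a minimal DER walker, and shows on a constructed, unsigned certificate skeleton (the host name `hg.example.com`, the serial numbers and the key bytes are all made up) that a re-issued certificate with the same key changes the certificate fingerprint but not the key pin.

```python
"""Added example: fingerprint a certificate the way Mercurial's [hostsecurity]
pins it, and, for contrast, hash its SubjectPublicKeyInfo the way a key pin
(RFC 7469 'pin-sha256') would.  Mercurial only supports certificate
fingerprints; the SPKI functions show what "pin the key" would mean.
Not Mercurial's code and not the bug reporter's."""
import base64
import hashlib
import ssl


def hg_fingerprint(der_cert: bytes) -> str:
    """'sha256:<hex>' of the DER certificate, the form hostsecurity expects."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


def hostsecurity_section(host: str, fingerprints) -> str:
    """Render a [hostsecurity] stanza pinning one or more certificates for host."""
    return "[hostsecurity]\n%s:fingerprints = %s\n" % (host, ", ".join(fingerprints))


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long definite-length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: N length bytes follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def spki_der(der_cert: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = der_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = der_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    tag, _, pos = der_tlv(tbs, 0)            # [0] version, or serialNumber for a v1 cert
    if tag == 0xA0:
        _, _, pos = der_tlv(tbs, pos)        # serialNumber
    for _ in range(4):                       # signature, issuer, validity, subject
        _, _, pos = der_tlv(tbs, pos)
    tag, _, end = der_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("bad subjectPublicKeyInfo")
    return tbs[pos:end]


def spki_pin(der_cert: bytes) -> str:
    """Base64 SHA-256 of the SPKI, i.e. the 'pin-sha256=' value of RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der(der_cert)).digest()).decode()


SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # OID sha256WithRSAEncryption
RSA_KEY = der(0x06, bytes.fromhex("2a864886f70d010101"))      # OID rsaEncryption
# Constructed fixture: the OIDs are real, the 32 "key" bytes are nonsense.
SAMPLE_SPKI = der(0x30, der(0x30, RSA_KEY + der(0x05, b"")) + der(0x03, b"\x00" + bytes(range(1, 33))))


def constructed_certificate(spki: bytes, serial: bytes = b"\x01") -> bytes:
    """Unsigned X.509 skeleton around spki; a constructed offline fixture.
    The signature is zeros, so no TLS stack would accept it; it exists only so
    the DER walker and the two hashes can be exercised without a network."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                   # version v3
        der(0x02, serial),                                               # serialNumber
        der(0x30, SHA256_RSA),                                           # signature algorithm
        der(0x30, b""),                                                  # issuer (empty Name)
        der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z")),  # validity
        der(0x30, b""),                                                  # subject (empty Name)
        spki,
    ]))
    return der(0x30, tbs + der(0x30, SHA256_RSA) + der(0x03, bytes(5)))


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a real server presents (needs network; unused offline)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    old = constructed_certificate(SAMPLE_SPKI, serial=b"\x01")
    new = constructed_certificate(SAMPLE_SPKI, serial=b"\x02")   # "renewed" with the same key
    print(hostsecurity_section("hg.example.com", [hg_fingerprint(old)]))
    print("certificate fingerprint changes on renewal:", hg_fingerprint(old) != hg_fingerprint(new))
    print("SPKI pin survives renewal:                 ", spki_pin(old) == spki_pin(new))
```

Against a live host, `hg_fingerprint(fetch_leaf_der("hg.example.com"))` gives the value to paste into the `fingerprints` line. Note that a pin of either kind defeats the trust chain entirely: if the pinned value is wrong or stale the client simply cannot connect, which is exactly the operational burden the report describes, so a CA bundle is the better fix wherever the Python `ssl` module can be given one.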