https://bz.mercurial-scm.org/show_bug.cgi?id=5912

            Bug ID: 5912
           Summary: Pin the server's host key, not the certificate in
                    .hgrc
           Product: Mercurial
           Version: 4.6
          Hardware: PC
                OS: Mac OS
            Status: UNCONFIRMED
          Severity: feature
          Priority: wish
         Component: Mercurial
          Assignee: bugzi...@mercurial-scm.org
          Reporter: ro...@pep-project.org
                CC: mercurial-devel@mercurial-scm.org

We use LetsEncrypt certificates for our Mercurial servers.
These certificates have (by intention) a quite short lifetime, so they change
every 2 months or the like. Unfortunately Mercurial is unable to validate these
certificates via the TLS trust chain (as every web browser does), so we have to
"pin" the certificates' fingerprints in the [hostsecurity] section of our .hgrc
and have to change them quite often on all of our clients.

That is annoying. :-(

As far as I understand TLS certificates, they are used to provide a trust chain
from a few well-known and trustworthy "root certificates" (that are fixed or
seldom change and are known to the client) to the server's TLS key, so clients
don't have to trust (and pin that trust to) every single TLS server.

But it seems that Mercurial can't do that. Am I right?

Or as an alternative: why can't Mercurial just pin the server's TLS key (or its
fingerprint) directly, without any "certificate voodoo" in between?

Greetings,

Lars R.

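Added example (not part of the bug report and not Mercurial's own code): the
[hostsecurity] fingerprint format the reporter is maintaining by hand is
"algorithm:" followed by the colon-separated hex digest of the DER-encoded
server certificate, and Mercurial's hostsecurity documentation allows several
fingerprints in one value so that the old and the new certificate can both be
accepted across a rotation. The script below computes that string from a PEM
certificate and renders two .hgrc fragments: the pinned form, and the
CA-chain form using the per-host `verifycertsfile` option, which is the
alternative to per-certificate pinning. The host name `hg.example.org`, the
path `/etc/ssl/certs/ca-certificates.crt` and the embedded "certificate" bytes
are constructed placeholders, not real data; the fingerprint arithmetic is the
same for a real DER certificate.

```python
import base64
import hashlib
import re
import textwrap

# Constructed stand-in for a DER-encoded certificate. Any bytes serve to
# demonstrate the fingerprint computation; in practice this is the server's
# leaf certificate as sent on the wire.
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate" * 2
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(CONSTRUCTED_DER).decode("ascii"), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block of a PEM file and return its DER bytes."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def hg_fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Render a DER certificate's digest in Mercurial's hostsecurity form,
    e.g. 'sha256:ba:78:16:...'. Mercurial hashes the DER encoding, so a
    re-issued certificate (new serial, new validity, possibly new key) always
    yields a new fingerprint, which is why the value churns on every renewal."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return algorithm + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_hostsecurity(host: str, *pems: str) -> str:
    """[hostsecurity] fragment pinning one or more certificates for `host`.
    Listing the outgoing and the incoming certificate together lets clients
    be updated before the server switches, instead of breaking at rotation."""
    fingerprints = [hg_fingerprint(pem_to_der(p)) for p in pems]
    return "[hostsecurity]\n%s:fingerprints = %s\n" % (host, ", ".join(fingerprints))


def ca_hostsecurity(host: str, ca_bundle_path: str) -> str:
    """[hostsecurity] fragment that trusts a CA bundle for `host` instead of a
    fingerprint; the bundle only changes when the CA's roots change."""
    return "[hostsecurity]\n%s:verifycertsfile = %s\n" % (host, ca_bundle_path)


if __name__ == "__main__":
    print(pinned_hostsecurity("hg.example.org", CONSTRUCTED_PEM))
    print(ca_hostsecurity("hg.example.org", "/etc/ssl/certs/ca-certificates.crt"))
```

To obtain the DER of a live server for `hg_fingerprint`, the usual route is
`openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -outform DER`,
then feed the resulting bytes in; the script deliberately avoids the network so
that it runs offline on the constructed input.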