Disabling HTTPS host authentication in TortoiseHG for internal self-signed certificates


Solution 1

In the TortoiseHG Workbench, in the Sync tab (or in the Sync screen), if you have a remote path selected, you should see a button with a lock icon on it:


That will bring up the Security window, where you can select the option No host validation, but still encrypted, among other settings. When you turn that on, it adds something like this to your mercurial.ini:

[insecurehosts]
bitbucket.org = 1

That's machine-level config for TortoiseHg, but it doesn't seem to affect the Clone window.

On the command-line, you can use --insecure to skip verifying certificates:

hg clone --insecure https://hostname.org/user/repository repository-clone

This will spit out a number of warnings about not verifying the certificate, and will also show you the host fingerprint in each message, like the example warning below (formatted from the original for readability):

warning: bitbucket.org certificate with fingerprint 
 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified
 (check hostfingerprints or web.cacerts config setting)

A better option, however, is host fingerprints, which are used by both hg and TortoiseHg. In TortoiseHg's Security window, above No host validation is the option Verify with stored host fingerprint. The Query button retrieves the fingerprint of the host's certificate and stores it in mercurial.ini:

[hostfingerprints]
bitbucket.org = 81:2b:08:90:dc:d3:71:ee:e0:7c:b4:75:ce:9b:6c:48:94:56:a1:fe

This should skip actual verification of the certificate because you are declaring that you already trust the certificate.

This documentation on certificates may help, as well.
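
For the command-line case, the pinned value can be computed and checked directly. The following is an added example, not part of the original answer or of Mercurial's code. It assumes the [hostfingerprints] value is the SHA-1 digest of the server's DER-encoded certificate written as colon-separated hex, which is the format shown in the warning above. All function names are hypothetical, and SAMPLE_DER is a constructed stand-in rather than a real certificate.

```python
import hashlib
import hmac
import ssl
import sys

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"abc"


def fingerprint(der_cert: bytes) -> str:
    """Return the SHA-1 of the DER certificate as colon-separated hex."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so two spellings of one pin compare equal."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """True if the certificate's fingerprint equals the pinned value."""
    return hmac.compare_digest(normalize(fingerprint(der_cert)),
                               normalize(pinned))


def config_stanza(host: str, der_cert: bytes) -> str:
    """Build the mercurial.ini section that pins this certificate."""
    return "[hostfingerprints]\n%s = %s\n" % (host, fingerprint(der_cert))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate WITHOUT validating it (needs network).

    The result is only what the network handed back; compare it with a
    fingerprint obtained out of band before pinning it.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Usage: python pin_fingerprint.py <host> [expected-fingerprint]
    der = fetch_der(sys.argv[1])
    if len(sys.argv) > 2 and not matches_pin(der, sys.argv[2]):
        sys.exit("fingerprint mismatch: do not pin this certificate")
    print(config_stanza(sys.argv[1], der))
```

Pass the fingerprint the server administrator gave you as the second argument, so the stanza is only printed when the certificate on the wire matches it. The pin has to be updated whenever the server's certificate is replaced.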

Solution 2

In the Clone Repository window, expand Options and check the "Do not verify host certificate" check box.

Author by

jbx

Updated on February 23, 2020

Comments

  • jbx
    jbx over 4 years

    How do you disable HTTPS host authentication in TortoiseHG for internal self-signed certificates? For internal servers HTTPS is primarily used for encryption.

    The TortoiseHG documentation says that it is possible to disable host verification (i.e. verification against the Certificate Authority chain) here but I can't seem to find the option.

    It's supposed to be an option when cloning a remote repository. I am using the latest TortoiseHG 2.0.5

  • jbx
    jbx about 13 years
    Thanks for that. What is not clear though is how to do it during cloning. Before being able to synchronise you first need to clone it also with the same settings, or the error occurs. Is there a way to do it during clone?
  • jbx
    jbx about 13 years
    Just found out that cloning without Host validation is not yet possible through TortoiseHG. However the feature is on the way and already in the unstable release 2.0.5516.4529, so anyone needing this will need to use that version for now until it is released in the stable version. More details here: bitbucket.org/tortoisehg/thg/issue/718/…
  • Joel B Fant
    Joel B Fant about 13 years
    Saw your first comment and worked for a while on adding more.
  • jbx
    jbx about 13 years
    Thanks about the Host Fingerprint tip. The problem is that in the clone dialog that option is not available (not even in the latest unstable release) while the 'Do not verify host certificates' is. (Maybe I should add it as a request in the issue list of TortoiseHG.)
  • Joel B Fant
    Joel B Fant about 13 years
    The dialog may not have it yet, but I think if you have the host fingerprint already in your global config, cloning will use that instead of verifying the certificate. Don't know of any hosts using self-signed certificates, so I haven't tried it out.
  • securecurve
    securecurve over 11 years
    @JoelBFant How would I know the host fingerprint, then? It just throws an error with no indication of any kind of fingerprint.
  • Joel B Fant
    Joel B Fant over 11 years
    @securecurve: Please read the answer again, paying particular attention to the paragraph that contains the phrase "Query button retrieves the fingerprint".
  • securecurve
    securecurve over 11 years
    Thank you Joe for your answer. I'm talking about the command line hg tool, how would I do this?
  • Joel B Fant
    Joel B Fant over 11 years
    @securecurve: How about the paragraph right above that? If you use hg clone --insecure, it gives you several certificate warnings and displays the fingerprint in the message. From there you can copy it and edit your [hostfingerprints] config section.