How to entirely disable SSL certificate checks in Mercurial / TortoiseHg?
Solution 1
Setting cacerts in the [web] section to the empty string looks to be the same thing. From the source:
    if cmdoptions.get('insecure', False):
        ui.setconfig('web', 'cacerts', '!', '--insecure')
which the wiki confirms:
Sometimes it may be expedient to disable security checks, for instance when dealing with hosts with self-signed certificates. This can be done by disabling the CA certificate configuration on the command line:
hg push --config web.cacerts= https://self-signed-host/repo
So putting cacerts=! in the [web] section of your global hgrc (/etc/mercurial/hgrc on linux-likes) will get you there.
Solution 2
If your goal is to eliminate certificate fingerprint warnings during push/pull, there's a better way to do this. Use the [hostfingerprints] in .hg/hgrc (or ~/.hgrc -- see comments).
[hostfingerprints]
server.example.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc
This will eliminate the warnings without eliminating the security checks.
Note: I see from your comments to another answer that you've already found this solution. I'm posting this anyway in case someone else has the same problem.
Solution 3
You can use aliases to achieve that. Add this to your .hgrc:
[alias]
push = push --insecure
Problem is you will have to do this for each command you want to use, and I suggest you use different names for your aliases than the default one.
As far as I know, there's no way to enforce --insecure for all commands "automatically".
Solution 4
Background
As pointed out in Bruce Alderman's answer, a good alternative to using the --insecure option is to simply add the host fingerprints to the ~/.hgrc file. (It's presumably forbidden to add them to .hg/hgrc due to security risks.) The [hostfingerprints] section however has been deprecated.
New instructions
Add the following to ~/.hgrc:
[hostsecurity]
<host>:fingerprints=sha256:<hash>
where <host> should be substituted with the hostname (without the https:// prefix), and <hash> should be substituted with the SHA-256 fingerprint (32 bytes, written as :-separated hexadecimal). The output of the following SHA-256 fingerprint command
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
after substituting <host> and <port> is of the form
SHA256 Fingerprint=<hash>
For example, for a self-signed certificate running from the local machine, one might have an entry in ~/.hgrc which looks like
[hostsecurity]
localhost:fingerprints=sha256:DD:30:5A:9B:2C:E1:59:7E:46:C4:42:D3:41:34:03:17:2A:CF:50:E8:DF:78:E6:2E:C9:42:D9:9A:C9:58:AC:52
There is further documentation on Mercurial's page about secure connections.
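The three answers above describe three different configurations: turning verification off for every host (web.cacerts), the deprecated SHA-1 [hostfingerprints] pins, and the current SHA-256 [hostsecurity] pins. The following is an added example, not code from any of the answers or from Mercurial itself. It builds a [hostsecurity] line from a PEM certificate (the fingerprint is simply SHA-256 over the DER bytes, which is what openssl x509 -fingerprint -sha256 prints) and audits an hgrc excerpt for which of the three approaches it uses. The PEM and the hgrc text are constructed samples: the PEM body decodes to the bytes "abc", not to a real certificate, and the function names (pem_to_der, sha256_fingerprint, hostsecurity_entry, audit_hgrc) are this example's own.

```python
import base64
import configparser
import hashlib
import re

# Constructed stand-in for a PEM certificate: the base64 body decodes to the
# bytes b"abc", not to a real DER certificate. A real PEM saved from
# `openssl s_client` would be processed exactly the same way.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed hgrc excerpt mixing the three approaches discussed in the answers.
SAMPLE_HGRC = """[web]
cacerts=!

[hostfingerprints]
server.example.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc

[hostsecurity]
localhost:fingerprints=sha256:DD:30:5A:9B:2C:E1:59:7E:46:C4:42:D3:41:34:03:17:2A:CF:50:E8:DF:78:E6:2E:C9:42:D9:9A:C9:58:AC:52
"""

# Exactly 32 colon-separated hex bytes prefixed with "sha256:".
FP_SHA256 = re.compile(r"^sha256:([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Upper-case, colon-separated SHA-256 digest of the DER bytes (openssl's fingerprint format)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hostsecurity_entry(host: str, pem: str) -> str:
    """Build the [hostsecurity] line that pins `host` to the certificate in `pem`."""
    return f"{host}:fingerprints=sha256:{sha256_fingerprint(pem_to_der(pem))}"


def audit_hgrc(text: str) -> list:
    """Return human-readable findings describing how an hgrc handles TLS certificate checks."""
    # Mercurial keys such as "localhost:fingerprints" contain ':', so only '=' may act as delimiter.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep host names and option case exactly as written
    cp.read_string(text)
    findings = []
    if cp.has_option("web", "cacerts") and cp.get("web", "cacerts").strip() in ("", "!"):
        findings.append("web.cacerts disables certificate verification for every host")
    if cp.has_section("hostfingerprints"):
        for host in cp.options("hostfingerprints"):
            findings.append(f"deprecated [hostfingerprints] SHA-1 pin for {host}; migrate to [hostsecurity]")
    if cp.has_section("hostsecurity"):
        for key, value in cp.items("hostsecurity"):
            if not key.endswith(":fingerprints"):
                continue
            host = key[: -len(":fingerprints")]
            for pin in value.split(","):  # Mercurial accepts a comma-separated list of pins
                pin = pin.strip()
                if FP_SHA256.match(pin):
                    findings.append(f"{host} pinned with SHA-256 fingerprint")
                else:
                    findings.append(f"{host} has a malformed or non-SHA-256 pin: {pin}")
    return findings


if __name__ == "__main__":
    print(hostsecurity_entry("localhost", SAMPLE_PEM))
    for line in audit_hgrc(SAMPLE_HGRC):
        print("-", line)
```

To use it against a real host, save the certificate printed by openssl s_client (the part between the BEGIN/END CERTIFICATE lines) to a file, read it in place of SAMPLE_PEM, and append the returned line under [hostsecurity] in ~/.hgrc. Running audit_hgrc over the real file tells you at a glance whether verification is still globally disabled or whether any pin is still the deprecated SHA-1 form.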
Comments
- Alex Yakunin about 4 years: I'm looking for a way to make the --insecure option the default one for any hg \ TortoiseHg command. Please don't write this is a bad practice - I am aware about possible risks and consider they're fully acceptable.
- Alex Yakunin over 13 years: This approach really works - thanks a lot! The only issue is that Hg prints "warning: something.com certificate with fingerprint 81:....:fe not verified (check hostfingerprints or web.cacerts config setting)" several times during hg pull and hg push.
- Alex Yakunin over 13 years: So I finally decided to use an approach with [hostfingerprints] section.
- Andriy K about 12 years: What's better with [hostfingerprints] is that you can place them in repository hgrc instead of root one, so this change will not affect all the rest repositories.
- Ry4an Brase about 12 years: @AndriyK any setting can go in the repo's .hg/hgrc file. No settings are limited to specific locations in the various possible hgrc locations.
- Andriy K about 12 years: In my particular case [web] caserts= wasn't working on the repository level. Maybe I did something wrong.
- Cypher almost 11 years: Thanks for posting this. It's exactly what I needed.
- d9k almost 10 years: There is a nice question about getting server fingerprints using bash: stackoverflow.com/a/5165073/1760643 Here the command:
    openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
- jeremyjjbrown over 9 years: Mine had to go in ~/.hgrc
- Dimitar II over 7 years: This works even when Mercurial is called internally (without the parameter) - from IntelliJ IDEA.
- Tom over 7 years: You now have to use web.cacerts=!
- Tom over 5 years: In Mercurial >= 3.9 the web.cacerts=! option has been removed. mercurial-scm.org/wiki/SecureConnections
- Tom over 4 years: Note to future self: (should have added this last time) - solved the problem on android + iOS by shipping the python module "certifi"
- RVT over 2 years: As you quietly point out, if you're going to use alias, you should likely use something more like ipush = push --insecure so it's not confused with the standard command (i.e. make the user understand what's happening, don't "trick" the command to do "the wrong thing" by default).