How to entirely disable SSL certificate checks in Mercurial / TortoiseHg?
Solution 1
Setting cacerts in the [web] section to the empty string looks to be the same thing. From the source:
if cmdoptions.get('insecure', False):
ui.setconfig('web', 'cacerts', '!', '--insecure')
which the wiki confirms:
Sometimes it may be expedient to disable security checks, for instance when dealing with hosts with self-signed certificates. This can be done by disabling the CA certificate configuration on the command line:
hg push --config web.cacerts= https://self-signed-host/repo
So putting cacerts=! in the [web] section of your global hgrc (/etc/mercurial/hgrc on linux-likes) will get you there.
Solution 2
If your goal is to eliminate certificate fingerprint warnings during push/pull, there's a better way to do this. Use the [hostfingerprints] in .hg/hgrc (or ~/.hgrc -- see comments).
[hostfingerprints]
server.example.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc
This will eliminate the warnings without eliminating the security checks.
Note: I see from your comments to another answer that you've already found this solution. I'm posting this anyway in case someone else has the same problem.
Solution 3
You can use aliases to achieve that. Add this to your .hgrc :
[alias]
push = push --insecure
Problem is you wil have to do this for each command you want to use and I suggest you use different names for your aliases than the default one.
As far as I know, there's no way to enforce --insecure for all commands "automatically".
Solution 4
Background
As pointed out in Bruce Alderman's answer, a good alternative to using the --insecure option is to simply add the host fingerprints to the ~/.hgrc file. (It's presumably forbidden to add them to .hg/hgrc due to security risks.) The [hostfingerprints] section however has been deprecated.
New instructions
Add the following to ~/.hgrc:
[hostsecurity]
<host>:fingerprints=sha256:<hash>
where <host> should be substituted with the hostname (without the https:// prefix), and <hash> should be substituted with the SHA-256 fingerprint (32 bytes, written as :-separated hexadecimal). The output of the following SHA-256 fingerprint command
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
after substituting <host> and <port> is of the form
SHA256 Fingerprint=<hash>
For example, for a self-signed certificate running from the local machine, one might have an entry in ~/.hgrc which looks like
[hostsecurity]
localhost:fingerprints=sha256:DD:30:5A:9B:2C:E1:59:7E:46:C4:42:D3:41:34:03:17:2A:CF:50:E8:DF:78:E6:2E:C9:42:D9:9A:C9:58:AC:52
There is further documentation on Mercurial's page about secure connections.
Related videos on Youtube
14 : 11
![How to disable SSL 2.0 and SSL 3.0 [Windows Server]](https://i.ytimg.com/vi/Auwfo-DKBoY/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLCxzc3YZGBcDvyQ4xdGGSnJ_ceO0g)
01 : 30
56 : 00
04 : 43
03 : 24
![[Beginner] Getting started with version control software - TortoiseHG (mercurial) and dropbox](https://i.ytimg.com/vi/67o4cqiyDnE/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLAJFeCST6fHivVEnvlzmoD4esqt1A)
20 : 55
08 : 26
08 : 38
12 : 58
13 : 04
06 : 42
04 : 25
01 : 41
Comments
-
Alex Yakunin about 4 years
I'm looking for a way to make
--insecureoption the default one for anyhg\ TortoiseHg command.Please don't write this is a bad practice - I aware about possible risks and consider they're fully acceptable.
-
Alex Yakunin over 13 yearsThis approach really works - thanks a lot! The only issue is that Hg prints
"warning: something.com certificate with fingerprint 81:....:fe not verified (check hostfingerprints or web.c acerts config setting)"several times duringhg pullandhg push. -
Alex Yakunin over 13 yearsSo I finally decided to use an approach with
[hostfingerprints]section. -
Andriy K about 12 yearsWhat's more good with [hostfingerprinst] is that you can place them in repository hgrc instead of root one, so this change will not affect all the rest repositories.
-
Ry4an Brase about 12 years@AndriyK any setting can go in the repo's
.hg/hgrcfile. No settings are limited to specific locations in the various possible hgrc locations. -
Andriy K about 12 yearsIn my particular case
[web] caserts=wasn't working on the repository level. May be I did something wrong. -
Cypher almost 11 yearsThanks for posting this. It's exactly what I needed.
-
d9k almost 10 yearsThere is a nice question about getting server fingerprints using bash: stackoverflow.com/a/5165073/1760643 Here the command:openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin -
jeremyjjbrown over 9 yearsMine had to go in ~/.hgrc -
Dimitar II over 7 yearsThis works even when Mercurial is called internally (without the parameter) - from IntelliJ IDEA. -
Tom over 7 yearsYou how have to web.cacerts=!
-
Tom over 5 yearsIn Mercurial >= 3.9 web.cacerts=! option has been removed. mercurial-scm.org/wiki/SecureConnections
-
Tom over 4 yearsNote to future self : (should have added this last time) - solved the problem on android + iOS by shipping the python module "certifi"
-
RVT over 2 yearsAs you quietly point out, if you're going to usealias, you should likely use something more likeipush = push --insecureso it's not confused with the standard command (ie. make the user understand what's happening, don't "trick" the command to do "the wrong thing" by-default).
