How to entirely disable SSL certificate checks in Mercurial / TortoiseHg?

I'm looking for a way to make --insecure option the default one for any hg \ TortoiseHg command.

Please don't write this is a bad practice - I aware about possible risks and consider they're fully acceptable.

Answers


Setting cacerts in the [web] section to the empty string looks to be the same thing. From the source:

if cmdoptions.get('insecure', False):
    ui.setconfig('web', 'cacerts', '!', '--insecure')

which the wiki confirms:

Sometimes it may be expedient to disable security checks, for instance when dealing with hosts with self-signed certificates. This can be done by disabling the CA certificate configuration on the command line:

hg push --config web.cacerts= https://self-signed-host/repo

So putting cacerts=! in the [web] section of your global hgrc (/etc/mercurial/hgrc on linux-likes) will get you there.


If your goal is to eliminate certificate fingerprint warnings during push/pull, there's a better way to do this. Use the [hostfingerprints] in .hg/hgrc (or ~/.hgrc -- see comments).

[hostfingerprints]
server.example.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc

This will eliminate the warnings without eliminating the security checks.

Note: I see from your comments to another answer that you've already found this solution. I'm posting this anyway in case someone else has the same problem.


You can use aliases to achieve that. Add this to your .hgrc :

[alias]
push = push --insecure

Problem is you wil have to do this for each command you want to use and I suggest you use different names for your aliases than the default one.

As far as I know, there's no way to enforce --insecure for all commands "automatically".


Background

As pointed out in Bruce Alderman's answer, a good alternative to using the --insecure option is to simply add the host fingerprints to the ~/.hgrc file. (It's presumably forbidden to add them to .hg/hgrc due to security risks.) The [hostfingerprints] section however has been deprecated.

New instructions

Add the following to ~/.hgrc:

[hostsecurity]
<host>:fingerprints=sha256:<hash>

where <host> should be substituted with the hostname (without the https:// prefix), and <hash> should be substituted with the SHA-256 fingerprint (32 bytes, written as :-separated hexadecimal). The output of the following SHA-256 fingerprint command

openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin

after substituting <host> and <port> is of the form

SHA256 Fingerprint=<hash>

For example, for a self-signed certificate running from the local machine, one might have an entry in ~/.hgrc which looks like

[hostsecurity]
localhost:fingerprints=sha256:DD:30:5A:9B:2C:E1:59:7E:46:C4:42:D3:41:34:03:17:2A:CF:50:E8:DF:78:E6:2E:C9:42:D9:9A:C9:58:AC:52

There is further documentation on Mercurial's page about secure connections.


Need Your Help

boost serialization vs google protocol buffers?

c++ performance serialization protocol-buffers boost-serialization

Does anyone with experience with these libraries have any comment on which one they preferred? Were there any performance differences or difficulties in using?

How to programmatically get sites list and virtual dirs in IIS 7?

c# .net iis-7

Does anybody know how to programmatically get the sites list and virtual dirs in IIS 7?