How to entirely disable SSL certificate checks in Mercurial / TortoiseHg?
I'm looking for a way to make the --insecure option the default for any hg / TortoiseHg command.
Please don't write that this is bad practice - I'm aware of the possible risks and consider them fully acceptable.
Setting cacerts in the [web] section to the empty string looks to be the same thing. From the source:
```python
if cmdoptions.get('insecure', False):
    ui.setconfig('web', 'cacerts', '!', '--insecure')
```
which the wiki confirms:
Sometimes it may be expedient to disable security checks, for instance when dealing with hosts with self-signed certificates. This can be done by disabling the CA certificate configuration on the command line:
```shell
hg push --config web.cacerts= https://self-signed-host/repo
```
So putting cacerts=! in the [web] section of your global hgrc (/etc/mercurial/hgrc on linux-likes) will get you there.
If your goal is to eliminate certificate fingerprint warnings during push/pull, there's a better way to do this. Use the [hostfingerprints] section in .hg/hgrc (or ~/.hgrc -- see comments).
```ini
[hostfingerprints]
server.example.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc
```
This will eliminate the warnings without eliminating the security checks.
Note: I see from your comments to another answer that you've already found this solution. I'm posting this anyway in case someone else has the same problem.
You can use aliases to achieve that. Add this to your .hgrc:
```ini
[alias]
push = push --insecure
```
The problem is you will have to do this for each command you want to use, and I suggest you use different names for your aliases than the default ones.
As far as I know, there's no way to enforce --insecure for all commands "automatically".
As pointed out in Bruce Alderman's answer, a good alternative to using the --insecure option is to simply add the host fingerprints to the ~/.hgrc file. (It's presumably forbidden to add them to .hg/hgrc due to security risks.) The [hostfingerprints] section however has been deprecated.
Add the following to ~/.hgrc:
where <host> should be substituted with the hostname (without the https:// prefix), and <hash> should be substituted with the SHA-256 fingerprint (32 bytes, written as :-separated hexadecimal). The output of the following SHA-256 fingerprint command
```shell
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
```
after substituting <host> and <port> is of the form
For example, for a self-signed certificate running from the local machine, one might have an entry in ~/.hgrc which looks like
There is further documentation on Mercurial's page about secure connections.
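As an added example that is not part of any answer above: the following POSIX shell script takes the fingerprint line that `openssl x509 -fingerprint -sha256 -noout` prints (the form `SHA256 Fingerprint=AB:CD:...`) and turns it into a pinning entry for the `[hostsecurity]` section, which is the replacement Mercurial documents for the deprecated `[hostfingerprints]` section (`<host>:fingerprints = sha256:<hex>`). It validates that the value really is 32 colon-separated bytes before emitting anything, so a truncated or pasted-in SHA-1 value is rejected instead of silently producing an entry Mercurial would refuse. The `live_fingerprint_line` helper wraps the openssl pipeline from the answer above and adds `-servername` so a host behind SNI-based virtual hosting presents the certificate Mercurial will actually see; it needs network access and is defined but not run here. The sample fingerprint and the hostname `self-signed-host` are constructed for the demonstration and belong to no real server.

```shell
#!/bin/sh
# Added example: build a Mercurial [hostsecurity] pinning entry from an
# openssl SHA-256 fingerprint line. Not code from the answers above.

# Convert "SHA256 Fingerprint=AB:CD:..." (as printed by
# `openssl x509 -fingerprint -sha256 -noout`) into Mercurial's value
# form "sha256:ab:cd:...". Prints nothing and returns 1 if the input is
# not a well-formed 32-byte SHA-256 fingerprint.
fingerprint_to_hg() {
    hex=$(printf '%s\n' "$1" \
        | sed -n 's/^SHA256 Fingerprint=//p' \
        | tr '[:upper:]' '[:lower:]')
    # 32 bytes = 31 "xx:" groups followed by one final "xx"
    printf '%s' "$hex" | grep -Eq '^([0-9a-f]{2}:){31}[0-9a-f]{2}$' || return 1
    printf 'sha256:%s\n' "$hex"
}

# Emit a complete [hostsecurity] stanza for one host.
# $1 = hostname exactly as it appears in the repository URL (no scheme),
# $2 = openssl fingerprint line.
hostsecurity_stanza() {
    fp=$(fingerprint_to_hg "$2") || return 1
    printf '[hostsecurity]\n%s:fingerprints = %s\n' "$1" "$fp"
}

# Fetch the fingerprint line from a live server (needs network; not run here).
# -servername sends SNI so a virtual host presents the certificate
# Mercurial will actually be shown.
live_fingerprint_line() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -fingerprint -sha256 -noout
}

# Constructed sample line (hypothetical fingerprint, no real certificate).
SAMPLE_LINE='SHA256 Fingerprint=20:62:5C:3F:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C'

# Append the result to ~/.hgrc by hand once you have checked the value
# out of band; the script only prints it.
hostsecurity_stanza self-signed-host "$SAMPLE_LINE"
```

The stanza is printed rather than written into ~/.hgrc on purpose: pinning only helps if the fingerprint was obtained over a path you trust (a console on the server, or a value the administrator handed you), not from the very connection you are trying to authenticate. Compare the output with that trusted value before pasting it in.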