[MacPorts] #28065: Error when pulling from https with self signed cert
#28065: Error when pulling from https with self signed cert
------------------------------+---------------------------------------------
 Reporter:  brejoc@…          |       Owner:  macports-tickets@…
     Type:  defect            |      Status:  new
 Priority:  Normal            |   Milestone:
Component:  ports             |     Version:  1.9.1
 Keywords:                    |        Port:  mercurial
------------------------------+---------------------------------------------
 When I try to pull changes from our hg server via https with a self signed
 certificate, hg aborts and presents an error message. This happens since
 version 1.7.3:

 {{{
 $ hg pull
 abort: error: _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 }}}

 The same hg version installed via pip gives a warning (warning:
 repos.myhost.com certificate not verified (check web.cacerts config
 setting)) but performs the task without abortion.

--
Ticket URL: <https://trac.macports.org/ticket/28065>
MacPorts <http://www.macports.org/>
Ports system for Mac OS

#28065: mercurial: Error when pulling from https with self signed cert

Changes (by ryandesign@…):

 * owner:  macports-tickets@… => deric@…

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:1>

#28065: mercurial: Error when pulling from https with self signed cert

Changes (by jmr@…):

 * cc: snc@… (added)

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:2>

#28065: mercurial: Error when pulling from https with self signed cert

Comment (by bpanulla@…):

 Also occurs with CACert certificates (cacert.org). CACert root certificate
 is in my system Keychain.

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:3>

#28065: mercurial: Error when pulling from https with cert not signed by a CA in the default list

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:4>

#28065: mercurial: Error when pulling from https with cert not signed by a CA in the default list

Comment (by jmr@…):

 I'm not sure there's really a bug here. Accepting certificates not signed
 by a known CA is not a safe default.

 The port is initially configured to use curl-ca-bundle for its list of
 acceptable CAs. If you want to use a different list globally, edit
 ${prefix}/etc/mercurial/hgrc (or override it in ~/.hgrc). If you want to
 use a different cacerts file for a clone, use `--config
 web.cacerts=<path>`. If you really want to skip validating the
 certificate, use `--insecure`.

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:5>
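
One way to apply the `web.cacerts` advice from comment 5 without resorting to `--insecure`, as an added example (not code from the ticket, MacPorts or Mercurial): a POSIX shell helper that appends the server's self-signed certificate to a copy of the default CA list and prints the matching `--config` argument. The function names and every file path are assumptions.

```shell
#!/bin/sh
# Added example: combine the default CA list with one extra certificate so
# that hg can verify a self-signed server. All paths are placeholders.

# make_hg_cabundle BASE EXTRA OUT
#   BASE   existing PEM CA list (for instance the curl-ca-bundle file)
#   EXTRA  PEM certificate of the self-signed server or private CA
#   OUT    combined bundle to pass as web.cacerts
make_hg_cabundle() {
    base=$1; extra=$2; out=$3

    for f in "$base" "$extra"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # EXTRA must actually contain a certificate ...
    grep -q -- '-----BEGIN CERTIFICATE-----' "$extra" ||
        { echo "$extra: no PEM certificate found" >&2; return 2; }
    # ... and must not carry a private key into a readable trust file.
    if grep -q -- 'PRIVATE KEY-----' "$extra"; then
        echo "$extra: contains a private key, refusing" >&2
        return 3
    fi
    # Build in a temp file and rename, so hg never reads a partial bundle.
    tmp="$out.tmp.$$"
    { cat "$base"; echo; cat "$extra"; } > "$tmp" ||
        { rm -f "$tmp"; return 4; }
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# Print the per-command override from comment 5 with the path filled in.
hg_cacerts_args() {
    printf '%s%s\n' '--config web.cacerts=' "$1"
}

# Usage (placeholder paths):
#   make_hg_cabundle /path/to/curl-ca-bundle.crt repos-cert.pem "$HOME/.hg-cacerts.pem"
#   hg pull $(hg_cacerts_args "$HOME/.hg-cacerts.pem")
```

The same path can be made permanent by setting `cacerts` under `[web]` in `~/.hgrc`, which is the file comment 5 names for per-user overrides.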

#28065: mercurial: Error when pulling from https with cert not signed by a CA in the default list

Comment (by brejoc@…):

 Sorry jmr, but that's not the point. The app could warn (which is the
 behaviour implemented by the developers) or abort, but not throw an error
 and exit.

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:6>

#28065: mercurial: Error when pulling from https with cert not signed by a CA in the default list

Comment (by jmr@…):

 What do you mean "the behaviour implemented by the developers"? Aborting
 with that error message is not in any way specific to macports, see for
 example: http://mercurial.selenic.com/bts/issue2596

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:7>

#28065: mercurial: Error when pulling from https with cert not signed by a CA in the default list

Changes (by deric@…):

 * status:  new => closed
 * resolution:  => wontfix

Comment:

 Closing since the issue is really upstream and workarounds have been
 outlined here. Thanks.

--
Ticket URL: <https://trac.macports.org/ticket/28065#comment:8>