Upcoming changes to how Mercurial verifies secure connections

Gregory Szorc gregory.szorc at gmail.com
Thu Jul 7 06:53:34 UTC 2016


Packagers,

Mercurial 3.9 will contain a lot of changes to secure connection
management. The big highlight is Mercurial will require CA certificate
verification. Before, it might (depending on Python's capabilities) print a
warning with the host certificate's fingerprint and continue connecting.
This meant that Mercurial connected to servers with self-signed certs, was
susceptible to MitM attacks, etc.

There are still some security pieces landing in the 3.9 release. But we
know enough about the CA changes for packagers to start assessing the
impact.

https://www.mercurial-scm.org/wiki/SecureConnections contains details of
what all is changing in 3.9 and what the recommendations for Mercurial
packages/packagers are. tl;dr we want Mercurial packages/installs to have
out-of-the-box access to a CA store - ideally the same CA store used by the
system. This way CA verification "just works" and no end-user configuration
is needed.

As the primary author of these patches, I wanted to reach out to packagers
a few weeks before the 3.9 RC so you have a little more time to prepare for
this change.

If you have any questions or need any help, just reply or make noise on
mercurial-devel at mercurial-scm.org. I want to make this transition as
painless as possible for everyone involved.

Gregory
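
An added example, not part of the original message and not Mercurial's own code: a packager-side check of whether the Python interpreter a package ships with can find a CA store once verification is mandatory. The function names and report keys are assumptions made for this sketch, and it uses only Python 3's standard `ssl` module.

```python
import os
import ssl


def verifying_context():
    """Client context that enforces CA and hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, check_hostname on
    ctx.load_default_certs()  # system store, if this Python/OpenSSL can locate one
    return ctx


def capath_has_certs(capath):
    """True if capath is a directory with at least one entry (hashed CA files)."""
    return bool(capath) and os.path.isdir(capath) and len(os.listdir(capath)) > 0


def ca_store_report(ctx, paths):
    """Summarise whether ctx has anything to verify server certificates against.

    paths is ssl.get_default_verify_paths() or any object exposing a capath
    attribute. Certificates from a CA file are loaded eagerly and show up in
    cert_store_stats(); certificates in a capath directory are loaded on
    demand, so the directory is inspected separately.
    """
    loaded = ctx.cert_store_stats()["x509"]
    lazy_dir = capath_has_certs(paths.capath)
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "loaded_certs": loaded,
        "capath_usable": lazy_dir,
        # With verification required and no CA source, every HTTPS
        # connection fails instead of warning and continuing.
        "usable": loaded > 0 or lazy_dir,
    }


if __name__ == "__main__":
    report = ca_store_report(verifying_context(), ssl.get_default_verify_paths())
    for key, value in report.items():
        print("%-16s %s" % (key, value))
    if not report["usable"]:
        raise SystemExit("no CA store visible to this Python build")
```

Run it with the interpreter the package bundles or depends on; a non-zero exit means that interpreter sees no CA certificates in its default locations.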

