comparison mercurial/help/config.txt @ 28525:dfb21c34e07d

sslutil: allow multiple fingerprints per host

Certificate pinning via [hostfingerprints] is a useful security feature. Currently, we only support one fingerprint per hostname. This is simple but it fails in the real world:

* Switching certificates breaks clients until they change the pinned certificate fingerprint. This incurs client downtime and can require massive amounts of coordination to perform certificate changes.

* Some servers operate with multiple certificates on the same hostname.

This patch adds support for defining multiple certificate fingerprints per host. This overcomes the deficiencies listed above.

I anticipate the primary use case of this feature will be to define both the old and new certificate so a certificate transition can occur with minimal interruption, so this scenario has been called out in the help documentation.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 13 Mar 2016 14:03:58 -0700
parents ce1160ae2150
children 71e12fc53b80
28524:ce1160ae2150 28525:dfb21c34e07d
972 A HTTPS connection to a server with a fingerprint configured here will 972 A HTTPS connection to a server with a fingerprint configured here will
973 only succeed if the servers certificate matches the fingerprint. 973 only succeed if the servers certificate matches the fingerprint.
974 This is very similar to how ssh known hosts works. 974 This is very similar to how ssh known hosts works.
975 975
976 The fingerprint is the SHA-1 hash value of the DER encoded certificate. 976 The fingerprint is the SHA-1 hash value of the DER encoded certificate.
977 Multiple values can be specified (separated by spaces or commas). This can
978 be used to define both old and new fingerprints while a host transitions
979 to a new certificate.
977 980
978 The CA chain and web.cacerts is not used for servers with a fingerprint. 981 The CA chain and web.cacerts is not used for servers with a fingerprint.
979 982
980 For example:: 983 For example::
981 984
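Review bot: lines 972-973 still describe the check in the singular ("a fingerprint configured here", "matches the fingerprint") while the new lines 977-979 allow several values, so the any-of semantics is left implicit; state it outright, e.g. "only succeed if the server's certificate matches one of the fingerprints", which also fixes the pre-existing "servers" typo on line 973. The transition sentence on lines 977-979 should additionally tell the reader to remove the old fingerprint once the switch is complete, since every fingerprint listed stays trusted for as long as it remains configured.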