974 |
974 |
975 |
975 |
976 ``hostfingerprints`` |
976 ``hostfingerprints`` |
977 -------------------- |
977 -------------------- |
978 |
978 |
|
979 (Deprecated. Use ``[hostsecurity]``'s ``fingerprints`` options instead.) |
|
980 |
979 Fingerprints of the certificates of known HTTPS servers. |
981 Fingerprints of the certificates of known HTTPS servers. |
980 |
982 |
981 A HTTPS connection to a server with a fingerprint configured here will |
983 A HTTPS connection to a server with a fingerprint configured here will |
982 only succeed if the servers certificate matches the fingerprint. |
984 only succeed if the servers certificate matches the fingerprint. |
983 This is very similar to how ssh known hosts works. |
985 This is very similar to how ssh known hosts works. |
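
Review bot: The deprecation notice added at new line 979 tells readers to use ``[hostsecurity]``'s ``fingerprints`` instead, but it does not say how an existing entry maps to the new syntax or which hash the bare values in this section use. The example values here are 20 bytes long, and the new ``[hostsecurity]`` example reuses one of them behind a ``sha1:`` prefix, so state that explicitly and show the equivalent ``hostname:fingerprints = sha1:<value>`` form. It would also help to document which section wins when a host has fingerprints in both ``[hostfingerprints]`` and ``[hostsecurity]``.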
992 For example:: |
994 For example:: |
993 |
995 |
994 [hostfingerprints] |
996 [hostfingerprints] |
995 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
997 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
996 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
998 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
|
999 |
|
1000 ``hostsecurity`` |
|
1001 ---------------- |
|
1002 |
|
1003 Used to specify per-host security settings. |
|
1004 |
|
1005 Options in this section have the form ``hostname``:``setting``. This allows |
|
1006 multiple settings to be defined on a per-host basis. |
|
1007 |
|
1008 The following per-host settings can be defined. |
|
1009 |
|
1010 ``fingerprints`` |
|
1011 A list of hashes of the DER encoded peer/remote certificate. Values have |
|
1012 the form ``algorithm``:``fingerprint``. e.g. |
|
1013 ``sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2``. |
|
1014 |
|
1015 The following algorithms/prefixes are supported: ``sha1``, ``sha256``, |
|
1016 ``sha512``. |
|
1017 |
|
1018 Use of ``sha256`` or ``sha512`` is preferred. |
|
1019 |
|
1020 If a fingerprint is specified, the CA chain is not validated for this |
|
1021 host and Mercurial will require the remote certificate to match one |
|
1022 of the fingerprints specified. This means if the server updates its |
|
1023 certificate, Mercurial will abort until a new fingerprint is defined. |
|
1024 This can provide stronger security than traditional CA-based validation |
|
1025 at the expense of convenience. |
|
1026 |
|
1027 For example:: |
|
1028 |
|
1029 [hostsecurity] |
|
1030 hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2 |
|
1031 hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
997 |
1032 |
998 ``http_proxy`` |
1033 ``http_proxy`` |
999 -------------- |
1034 -------------- |
1000 |
1035 |
1001 Used to access web-based Mercurial repositories through a HTTP |
1036 Used to access web-based Mercurial repositories through a HTTP |
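
Review bot: The example at new line 1031 pins hg2.example.com with two ``sha1`` values, which undercuts the statement at new line 1018 that ``sha256`` or ``sha512`` is preferred; since a configured fingerprint replaces CA chain validation for that host (new lines 1020-1022), the example is likely to be copied as-is and should lead with a ``sha256`` value, or be labelled as a legacy form. The second value on that line is also colon-delimited (``sha1:fc:e2:...``), while the description at new lines 1011-1013 only shows an undelimited hex string after ``algorithm:``; say in the text that both spellings are accepted. Separately, the multi-value example is the natural place to mention that listing the old and the new fingerprint together lets a server certificate be rotated without the abort described at new line 1023.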