Mercurial > hg
diff mercurial/dummycert.pem @ 22575:d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
This will give PKI-secure behaviour out of the box, without any configuration.
Setting web.cacerts to any value or empty will disable this trick.
This dummy cert trick only works on OS X 10.6+, but 10.5 had Python 2.5 which
didn't have certificate validation at all.
author | Mads Kiilerich <madski@unity3d.com> |
---|---|
date | Fri, 26 Sep 2014 02:19:48 +0200 |
parents | |
children |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mercurial/dummycert.pem Fri Sep 26 02:19:48 2014 +0200 @@ -0,0 +1,56 @@ +A dummy certificate that will make OS X 10.6+ Python use the system CA +certificate store: + +-----BEGIN CERTIFICATE----- +MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn +LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX +MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA +mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK +CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a +IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We +aKdQRekuMQ== +-----END CERTIFICATE----- + +This certificate was generated to be syntactically valid but never be usable; +it expired before it became valid. + +Created as: + + $ cat > cn.conf << EOT + > [req] + > distinguished_name = req_distinguished_name + > [req_distinguished_name] + > commonName = Common Name + > commonName_default = no.example.com + > EOT + $ openssl req -nodes -new -x509 -keyout /dev/null \ + > -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com' + +To verify the content of this certificate: + + $ openssl x509 -in dummycert.pem -noout -text + Certificate: + Data: + Version: 1 (0x0) + Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=hg.example.com + Validity + Not Before: Aug 30 08:45:59 2014 GMT + Not After : Aug 29 08:45:59 2014 GMT + Subject: CN=hg.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (512 bit) + Modulus: + 00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58: + 19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2: + 51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77: + f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7: + a4:05:81:60:29 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1: + 5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1: + f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd: + 27:b5:9e:68:a7:50:45:e9:2e:31