5

I am building vim from source and keep having to update the SSL hostfingerprints of my ~/.hgrc file. It's getting a little silly and large – see below. The pattern is the same: run update, find SSL fingerprint has changed, update fingerprint…

Does anyone know of a simpler way to keep this updated?

```
### openssl s_client -connect vim.googlecode.com:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
[hostfingerprints]
vim.googlecode.com = CB:F1:C8:AC:28:D5:61:B7:C1:9C:73:7E:3A:B6:BB:E2:E6:55:95:2A
vim.googlecode.com = 52:BC:6F:6A:D5:86:38:B1:F5:FE:07:B3:A5:88:72:DC:EB:49:BF:5D
vim.googlecode.com = FD:02:92:B1:B3:32:27:F4:7B:40:3D:0A:CA:9E:DD:EE:22:17:52:02
vim.googlecode.com = F6:21:3F:1D:BA:DC:6A:0D:7C:AF:00:E4:C4:12:87:DC:1B:7C:1D:11
vim.googlecode.com = A0:60:E5:C3:DB:27:FB:31:B5:B2:D2:79:8E:24:4D:70:0E:E0:4B:EE
vim.googlecode.com = 65:A0:A7:8D:8F:48:EB:13:5C:81:3C:47:2D:6B:73:C4:7E:EA:61:5F
```
Anthon

1 Answer

8

Have a look at http://mercurial.selenic.com/wiki/CACertificates - it should be enough to specify the cacerts. In short, don't depend on the specific fingerprint but check if the cert is signed by a trusted source.

For Debian/Ubuntu/Arch/Gentoo:

```
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt
```

Fedora/RHEL:

```
[web]
cacerts = /etc/pki/tls/certs/ca-bundle.crt
```
Ulrich Dangel
  • Or if you don't want to trust every certificate authority, you can download only the Google Internet Authority CA certificate from http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt. – Mikel Jun 26 '12 at 04:28
  • For OS-X: `brew install curl-ca-bundle` and then point `cacerts` at `/usr/local/share/ca-bundle.crt` – docwhat Apr 25 '13 at 00:37
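Why CA-based checking ends the fingerprint churn, as an added example that is not part of the original answer or comments: a throwaway CA issues two successive certificates for one host name, so the pinned SHA-1 fingerprint changes while verification against the CA keeps succeeding, and a CA file that lacks the issuer (the single-CA setup from the comment above) still rejects the certificate. The names `demo-ca`, `other-ca` and `hg.example.test` are constructed; the script assumes the `openssl` command-line tool and contacts no server.

```shell
#!/bin/sh
# Constructed demo PKI: nothing here contacts a real server.
set -eu
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# new_ca NAME: self-signed throwaway CA, standing in for one entry of a cacerts bundle
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$demo/$1.key" -out "$demo/$1.crt" 2>/dev/null
}

# issue_leaf CA SERIAL: fresh key pair and certificate for the same host name,
# as happens each time the server operator rotates its certificate
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=hg.example.test" \
        -keyout "$demo/leaf$2.key" -out "$demo/leaf$2.csr" 2>/dev/null
    openssl x509 -req -in "$demo/leaf$2.csr" -CA "$demo/$1.crt" -CAkey "$demo/$1.key" \
        -set_serial "$2" -days 1 -out "$demo/leaf$2.crt" 2>/dev/null
}

# fingerprint CERT: the SHA-1 value a [hostfingerprints] entry would pin
fingerprint() {
    openssl x509 -fingerprint -sha1 -noout -in "$1" | cut -d= -f2
}

# ca_verifies CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE
ca_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

new_ca demo-ca
new_ca other-ca
issue_leaf demo-ca 1
issue_leaf demo-ca 2

echo "pin before rotation: $(fingerprint "$demo/leaf1.crt")"
echo "pin after rotation:  $(fingerprint "$demo/leaf2.crt")"
for leaf in leaf1 leaf2; do
    for ca in demo-ca other-ca; do
        if ca_verifies "$demo/$ca.crt" "$demo/$leaf.crt"; then r=accepted; else r=rejected; fi
        echo "$leaf checked against $ca: $r"
    done
done
```

Both leaves are accepted against `demo-ca` and rejected against `other-ca`, while the two printed pins differ.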