How do you disable HTTPS host authentication in TortoiseHG for internal self-signed certificates? For internal servers HTTPS is primarily used for encryption.
The TortoiseHG documentation says that it is possible to disable host verification (i.e. verification against the Certificate Authority chain) here but I can't seem to find the option.
It's supposed to be an option when cloning a remote repository. I am using the latest TortoiseHG 2.0.5.
In the TortoiseHG Workbench, in the Sync tab (or in the Sync screen), if you have a remote path selected, you should see a button with a lock icon on it:
That will bring up the Security window, where you can select the option "No host validation, but still encrypted", among other settings. When you turn that on, it adds something like this to your mercurial.ini:
That's machine-level config for TortoiseHg, but it doesn't seem to affect the Clone window.
On the command-line, you can use --insecure to skip verifying certificates:
This will spit out a number of warnings about not verifying the certificate, and will also show you the host fingerprint in each message, like the example warning below (formatted from the original for readability):
A better option, however, is host fingerprints, which are used by both hg and TortoiseHg. In TortoiseHg's Security window, above "No host validation" is the option "Verify with stored host fingerprint". The Query button retrieves the fingerprint of the host's certificate and stores it in mercurial.ini:
This should skip actual verification of the certificate because you are declaring that you already trust the certificate.
This documentation on certificates may help, as well.
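
The stored-fingerprint check described in the answer above, as an added example that is not part of the original answer or of TortoiseHg's code: it hashes a certificate, renders the ini entry, and shows that a pin rejects a swapped certificate. Assumptions: the `[hostfingerprints]` section name and the colon-separated SHA-1 form follow Mercurial's configuration convention and are not shown on this page; the host name and certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import ssl


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Colon-separated hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip an optional 'sha1:'/'sha256:' prefix, colons, spaces and case."""
    fp = fp.strip().lower()
    for prefix in ("sha1:", "sha256:"):
        if fp.startswith(prefix):
            fp = fp[len(prefix):]
    return fp.replace(":", "").replace(" ", "")


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """True only if the certificate hashes to the stored fingerprint."""
    want = normalize(pinned)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        return False  # malformed or truncated pin: fail closed
    have = normalize(fingerprint(der_cert, algo))
    return hmac.compare_digest(have.encode(), want.encode())


def hostfingerprints_entry(host: str, der_cert: bytes) -> str:
    """Render ini lines pinning `host` (section name is an assumption)."""
    return "[hostfingerprints]\n%s = %s\n" % (host, fingerprint(der_cert))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server certificate without validating it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for two different DER certificates (not real certs).
CERT_A = b"constructed-certificate-bytes-A"
CERT_B = b"constructed-certificate-bytes-B"

if __name__ == "__main__":
    print(hostfingerprints_entry("hg.internal.example", CERT_A))
    print("swapped cert accepted:", matches_pin(CERT_B, fingerprint(CERT_A)))
```

A fingerprint obtained over the network is only as trustworthy as the connection it was fetched on, so compare it against the value read directly from the server before storing it.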