
Upcoming hg.mozilla.org certificate change


Gregory Szorc

Sep 22, 2016, 4:57:29 PM
to dev-platform, Firefox Dev
hg.mozilla.org's x509 server certificate (AKA an "SSL certificate") expires
next week.

A new certificate has already been issued and it is scheduled to be swapped
in around 2016-09-26T17:00Z (Monday September 26 10:00 PDT). The transition
may be delayed to avoid downtime in automation, which hasn't fully prepared
for the change yet.

The only major change to the certificate is that it uses SHA-256 for
signatures. This is known not to work with ancient software (such as
Windows XP SP2). We don't anticipate any major problems with this, however.

If you pin the host fingerprint in your Mercurial config file, you'll need
to install a new fingerprint or Mercurial will refuse to connect once the
certificate is swapped. The fingerprint of the new certificate and
Mercurial config snippets for configuring it are available at
https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12.

It's worth noting that Mercurial 3.8+ supports pinning multiple
fingerprints per host. So, if you install the new fingerprint today, you
don't need to take action when the server certificate is swapped next week.

If you notice any problems after the cert change, please make noise in #vcs
on IRC.

Gregory Szorc

Sep 26, 2016, 1:20:42 PM
to Gregory Szorc, dev-platform, Firefox Dev
The certificate has been flipped.

New hashes are:

sha1:73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56
sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9

You can pin these in your hgrc via:

# Mercurial 3.9+

[hostsecurity]
hg.mozilla.org:fingerprints = sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9

# Mercurial <= 3.8

[hostfingerprints]
hg.mozilla.org = 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56

Please make noise in #vcs or #releng if you see breakage.

Mats Palmgren

Sep 26, 2016, 2:11:19 PM
to Gregory Szorc, dev-platform, Firefox Dev
On 09/26/2016 07:20 PM, Gregory Szorc wrote:
> # Mercurial 3.9+
>
> [hostsecurity]
> hg.mozilla.org:fingerprints =
> sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9
>
> # Mercurial <= 3.8
>
> [hostfingerprints]hg.mozilla.org =
> 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56


Note that the "name = value" should be on a single line or else
you will get "hg: parse error". That is, there should be
no newline after the "=".

In case your mail reading application helpfully added a newline
there for you...

/Mats
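The pinning described in Gregory's two messages (a Mercurial 3.9+ [hostsecurity] fingerprints list, which can hold the outgoing and the incoming certificate at the same time so nothing needs to change on the day of the swap, plus the legacy [hostfingerprints] SHA-1 form) and the single-line requirement Mats points out, worked through as an added example. This is not code from the thread, from Mozilla, or from Mercurial. The certificate bytes are constructed stand-ins (a fingerprint is only a hash over the DER encoding, so any bytes serve to show the mechanism), and parse_hgrc is a deliberately small model of Mercurial's config syntax written for this example, not Mercurial's own parser. The fingerprints it computes are therefore not those of hg.mozilla.org.

```python
"""Pinned-fingerprint check modelled on Mercurial's hgrc settings (added example)."""
import hashlib
import re

# Constructed DER stand-ins for the outgoing, incoming and an unrelated
# certificate. Only the bytes matter: a fingerprint is a hash over the DER
# encoding. These are NOT real certificates and NOT hg.mozilla.org's.
OLD_CERT_DER = b"\x30\x82\x01\x00 constructed-old-cert " + bytes(range(64))
NEW_CERT_DER = b"\x30\x82\x01\x00 constructed-new-cert " + bytes(range(64, 128))
ROGUE_CERT_DER = b"\x30\x82\x01\x00 constructed-unrelated-cert"

# Hash names Mercurial accepts in a fingerprints entry.
SUPPORTED_ALGOS = ("sha1", "sha256", "sha512")


def fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest in the form hg prints, e.g. '8e:ad:f7:...'."""
    digest = hashlib.new(algo, cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_hgrc(text: str) -> dict:
    """Small model of Mercurial's config syntax written for this example
    (not Mercurial's parser): [section] headers, 'key = value' items,
    indented continuation lines, '#'/';' comments. Any other line raises,
    which is the case hg reports as 'hg: parse error'."""
    config: dict = {}
    section = key = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        if line[0].isspace() and key is not None:
            # Indented text continues the previous item's value.
            config[section][key] = (config[section][key] + " " + line.strip()).strip()
            continue
        header = re.match(r"^\[([^\]]+)\]\s*$", line)
        if header:
            section, key = header.group(1), None
            config.setdefault(section, {})
            continue
        item = re.match(r"^([^=\s][^=]*?)\s*=\s*(.*?)\s*$", line)
        if item and section is not None:
            key = item.group(1)
            config[section][key] = item.group(2)
            continue
        raise ValueError(f"hg: parse error at line {lineno}: {line!r}")
    return config


def pinned_fingerprints(config: dict, host: str) -> set:
    """(algo, fingerprint) pairs pinned for host in either config style:
    [hostsecurity] entries name their hash; [hostfingerprints] is SHA-1 only."""
    pins = set()
    modern = config.get("hostsecurity", {}).get(f"{host}:fingerprints", "")
    for entry in modern.split(","):
        algo, _, fp = entry.strip().partition(":")
        if fp and algo.lower() in SUPPORTED_ALGOS:
            pins.add((algo.lower(), fp.lower()))
    for fp in config.get("hostfingerprints", {}).get(host, "").split(","):
        if fp.strip():
            pins.add(("sha1", fp.strip().lower()))
    return pins


def certificate_pinned(config: dict, host: str, cert_der: bytes) -> bool:
    """True when the presented certificate matches any pin for host.
    With nothing pinned, nothing is accepted by this check."""
    return any(fingerprint(cert_der, algo) == fp
               for algo, fp in pinned_fingerprints(config, host))


def rotation_hgrc(host: str) -> str:
    """Mercurial 3.9+ snippet pinning both certificates across the swap,
    so a client configured today still connects after the server changes."""
    return ("[hostsecurity]\n"
            f"{host}:fingerprints = sha256:{fingerprint(OLD_CERT_DER)},"
            f"sha256:{fingerprint(NEW_CERT_DER)}\n")


def check_rotation(host: str = "hg.mozilla.org") -> dict:
    """Which of the three constructed certificates the rotation snippet accepts."""
    config = parse_hgrc(rotation_hgrc(host))
    return {"old": certificate_pinned(config, host, OLD_CERT_DER),
            "new": certificate_pinned(config, host, NEW_CERT_DER),
            "rogue": certificate_pinned(config, host, ROGUE_CERT_DER)}


# The failure Mats describes: a mail client wrapped the value onto its own
# unindented line, so it is neither a continuation nor a 'key = value' item.
WRAPPED_HGRC = ("[hostsecurity]\n"
                "hg.mozilla.org:fingerprints =\n"
                f"sha256:{fingerprint(NEW_CERT_DER)}\n")


def hgrc_parses(text: str) -> bool:
    """False when the snippet would make hg fail with a parse error."""
    try:
        parse_hgrc(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(check_rotation())           # {'old': True, 'new': True, 'rogue': False}
    print(hgrc_parses(WRAPPED_HGRC))  # False
```

Run it directly to see the three verification results. The point of pinning both fingerprints is that the old certificate keeps verifying before the swap and the new one after, while a certificate matching neither is refused. The wrapped-value case shows why the newline Mats warns about produces a parse error: the continuation line carries no "=" and is not indented, so the parser has no rule for it.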

Justin D'Arcangelo

Sep 26, 2016, 2:22:49 PM
to Mats Palmgren, Mozilla dev-platform mailing list, Firefox Dev

Gregory Szorc

Sep 26, 2016, 2:47:10 PM
to Justin D'Arcangelo, Mozilla dev-platform mailing list, Mats Palmgren, Firefox Dev
Yup. There are a few outstanding issues in automation. People in #releng
are on it.

On Mon, Sep 26, 2016 at 11:22 AM, Justin D'Arcangelo <
jdarc...@mozilla.com> wrote:

> Looks like the cert change broke try:
>
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=a83c34bc2716
>
> -Justin
>
>
> > On Sep 26, 2016, at 2:11 PM, Mats Palmgren <ma...@mozilla.com> wrote:
> >

Mats Palmgren

Sep 27, 2016, 9:53:16 AM
to Gregory Szorc, dev-platform, Firefox Dev
On 09/26/2016 07:20 PM, Gregory Szorc wrote:
> # Mercurial 3.9+
>
> [hostsecurity]
> hg.mozilla.org:fingerprints =
> sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9
>
> # Mercurial <= 3.8
>
> [hostfingerprints]hg.mozilla.org =
> 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56
