Wednesday, May 30, 2012

Mercurial does not support HTTPS SNI

If you read my blog for content, please skip this entry, as it will disappoint. I am writing this entry so it's indexed by Google. I spent hours yesterday struggling with this issue, and various searches on Google were not fruitful. I hope this helps someone else.

I wanted to set up Mercurial repositories on my server using HTTPS, using a StartSSL certificate. But when I tried to check out a repository using TortoiseHg or the official 'hg' client, I would get this error:
SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
If I browsed to the same URL with any web browser, on the other hand, the browser had no complaints about the SSL certificate.

It turns out that Mercurial does not support Python 3 yet and requires Python 2, and Python 2's ssl module does not support Server Name Indication (SNI), a TLS extension by which the client puts the hostname it wants into its ClientHello so that a server hosting several HTTPS virtual hosts on one IP address and port can present the matching certificate. (SNI support was later added to the Python 2 line in 2.7.9; Python 3.2 and later have it.) Without SNI, my web server had no way to know which virtual host I was asking for, so it sent its default SSL certificate, which did not match hg.qnan.org, and the client's certificate verification failed.
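To make the mechanism concrete, here is an added example (it is not code from the original post, from Mercurial or from Python's ssl module) that builds a minimal TLS ClientHello with and without the server_name extension and parses the requested hostname back out. The hostname hg.qnan.org is the one from the post; the zeroed client random and the two cipher suite values are placeholders. The same extract_sni function works on the first record of a real captured connection, which is the quickest way to check whether a given client actually sends SNI.

```python
import struct

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension
NAME_TYPE_HOST_NAME = 0x00  # the only name_type RFC 6066 defines


def _server_name_extension(hostname):
    """Encode a server_name extension carrying a single host_name entry."""
    name = hostname.encode("idna")
    entry = struct.pack(">BH", NAME_TYPE_HOST_NAME, len(name)) + name
    name_list = struct.pack(">H", len(entry)) + entry
    return struct.pack(">HH", EXT_SERVER_NAME, len(name_list)) + name_list


def build_client_hello(hostname=None):
    """Build a minimal TLS 1.2 ClientHello record from constructed sample data
    (zeroed client random, two placeholder cipher suites). With hostname=None
    it looks like a pre-SNI client such as the Python 2 ssl module of 2012."""
    cipher_suites = struct.pack(">HH", 0xC02F, 0x009C)
    body = struct.pack(">H", 0x0303) + b"\x00" * 32      # version + random
    body += b"\x00"                                      # empty session_id
    body += struct.pack(">H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                  # null compression only
    if hostname is not None:
        ext = _server_name_extension(hostname)
        body += struct.pack(">H", len(ext)) + ext        # extensions block
    handshake = struct.pack(">I", (HANDSHAKE_CLIENT_HELLO << 24) | len(body)) + body
    return struct.pack(">BHH", CONTENT_TYPE_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name a ClientHello asks for, or None when the client
    sent no SNI extension (the situation the post describes). Raises
    ValueError if the bytes are not a well-formed ClientHello record."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                     # version + random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    if pos > len(body):
        raise ValueError("truncated ClientHello")
    if pos == len(body):
        return None                                      # no extensions at all
    if pos + 2 > len(body):
        raise ValueError("bad extensions length")
    (ext_total,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        if len(data) < 2:
            raise ValueError("malformed server_name extension")
        # ServerNameList: u16 length, then (name_type u8, u16 length, name)*
        (list_len,) = struct.unpack(">H", data[:2])
        q = 2
        while q + 3 <= min(2 + list_len, len(data)):
            name_type, name_len = struct.unpack(">BH", data[q:q + 3])
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    print("with SNI:   ", extract_sni(build_client_hello("hg.qnan.org")))
    print("without SNI:", extract_sni(build_client_hello()))
```

The server makes its certificate choice from exactly this field, so a client that omits it can only ever be answered with the default certificate for that address and port. To reproduce the post's symptom from the command line, compare openssl s_client -connect hg.qnan.org:443 -servername hg.qnan.org with the same command minus -servername; the certificate subject shown in the second case is the one a non-SNI client like Python 2's ssl module sees.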

The fix for me was to serve the Mercurial SSL certificate from the default virtual host, the one the server falls back to when the client names no host (in Apache, for example, that is the first <VirtualHost> listed for the address and port), since hopefully 'hg' will be the only client hitting my web server without SNI support. Alternatively, you could mount the hgweb WSGI script at a path under your main hostname instead of giving it its own subdomain/vhost. Then the default SSL certificate matches the name the client connects to, and you'd point people to the equivalent of qnan.org/hg/<repo>.