Upcoming hg.mozilla.org certificate change

Gregory Szorc gps at mozilla.com
Thu Sep 22 20:57:05 UTC 2016


hg.mozilla.org's x509 server certificate (AKA an "SSL certificate") expires
next week.

A new certificate has already been issued and it is scheduled to be swapped
in around 2016-09-26T17:00Z (Monday September 26 10:00 PDT). The transition
may be delayed to avoid downtime in automation, which hasn't fully prepared
for the change yet.

The only major change to the certificate is it is using SHA-256 for
signatures. This is known to not work with ancient software (such as
Windows XP SP2). We don't anticipate any major problems with this, however.

If you pin the host fingerprint in your Mercurial config file, you'll need
to install a new fingerprint or Mercurial will refuse to connect once the
certificate is swapped. The fingerprint of the new certificate and
Mercurial config snippets for configuring it are available at
https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12.

It's worth noting that Mercurial 3.8+ supports pinning multiple
fingerprints per host. So, if you install the new fingerprint today, you
don't need to take action when the server certificate is swapped next week.

If you notice any problems after the cert change, please make noise in #vcs
on IRC.
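The pinning rollover described in the message, as an added example that is not part of the original e-mail and is not Mercurial's own code: it derives fingerprints from a certificate, renders the pin lines for the `[hostsecurity]` (Mercurial 3.9+) and `[hostfingerprints]` (older, SHA-1 only) config sections, and checks a presented certificate against a list of pins. The two certificates are constructed stand-in bytes, not the real hg.mozilla.org certificates, and the helper names are hypothetical.

```python
import hashlib
import ssl

HOST = "hg.mozilla.org"

# Constructed stand-ins: arbitrary bytes wrapped as PEM, NOT real certificates.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: expiring certificate")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: replacement certificate")


def fingerprint(pem, algo="sha256"):
    """Hash the DER encoding of a PEM certificate; return colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(hexstr):
    # Compare fingerprints without regard to colons or letter case.
    return hexstr.replace(":", "").lower()


def pin_matches(pem, pins):
    """True if the certificate matches any pin of the form 'algo:hex'."""
    for pin in pins:
        algo, _, value = pin.partition(":")
        if _normalize(fingerprint(pem, algo)) == _normalize(value):
            return True
    return False


def hgrc_snippet(host, pems):
    """Render pin lines covering every certificate in `pems`."""
    sha256 = ", ".join("sha256:" + fingerprint(p, "sha256") for p in pems)
    sha1 = ", ".join(fingerprint(p, "sha1") for p in pems)
    return (
        "[hostsecurity]\n"            # Mercurial 3.9+
        f"{host}:fingerprints = {sha256}\n"
        "[hostfingerprints]\n"        # older section, SHA-1 only
        f"{host} = {sha1}\n"
    )


if __name__ == "__main__":
    only_old = ["sha256:" + fingerprint(OLD_PEM)]
    both = only_old + ["sha256:" + fingerprint(NEW_PEM)]
    print(hgrc_snippet(HOST, [OLD_PEM, NEW_PEM]))
    print("old pin only, after swap:", pin_matches(NEW_PEM, only_old))
    print("both pinned, after swap: ", pin_matches(NEW_PEM, both))
```

With only the old fingerprint pinned, the check fails once the server presents the new certificate; with both pinned it passes before and after the swap.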


More information about the firefox-dev mailing list