mk-ca-bundle: use secure connection to hg.mozilla.org #1012
Previously, connections to hg.mozilla.org were insecure and could be subject to a MitM attack. With this change, someone has to MitM you with a certificate signed by a trusted CA, which is a bit harder.
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
- New option -k to allow URLs other than HTTPS and enable HTTP fallback. Prior to this change the default URL retrieval mode was to fall back to HTTP if HTTPS didn't work.

Reported-by: Gregory Szorc
Bug: curl#1012
Definitely, see master...jay:mk-ca-bundle_https-only_by_default
- Change initial message box to mention delay when downloading/parsing. Since there is no progress meter it was somewhat unexpected that after choosing a filename nothing appears to happen, when actually the cert data is in the process of being downloaded and parsed.
- Warn if OpenSSL is not present.
- Use a UTF-8 stream to make the ca-bundle data.
- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.

---

This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to ANSI due to corrupt UTF-8 output, now fixed. This change completes making the default certificate bundle output of mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which should make it easier to review any difference between their output.

Ref: #1012
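The two commits above describe an HTTPS-only source URL with an explicit -k override (no silent HTTP fallback) and a PEM bundle written as UTF-8 without a BOM. The following is an added Python sketch of both points, not the project's own mk-ca-bundle.pl or mk-ca-bundle.vbs code; the certdata.txt fragment and its octal bytes are constructed placeholders, and the function names are mine.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed certdata.txt fragment (octal bytes are placeholders, not a real
# DER certificate); mk-ca-bundle keys the trust record to the cert by label.
SAMPLE_CERTDATA = r"""CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\060\201\250\240\003\002\001\002
END
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_LABEL UTF8 "Untrusted Root"
CKA_VALUE MULTILINE_OCTAL
\001\002\003
END
CKA_LABEL UTF8 "Untrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def check_source_url(url, allow_insecure=False):
    # -k semantics: https:// only unless explicitly overridden; no HTTP fallback
    if urlparse(url).scheme != "https" and not allow_insecure:
        raise ValueError("refusing non-HTTPS source %s (pass -k to allow)" % url)
    return url

def parse_certdata(text):
    """Return [(label, der_bytes)] for roots trusted for TLS server auth."""
    certs, trusted, label, octal = {}, [], None, None
    for line in text.splitlines():
        if line.startswith("CKA_LABEL"):
            label = line.split('"')[1]
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            octal = []                     # start collecting DER bytes
        elif line == "END" and octal is not None:
            certs[label], octal = bytes(octal), None
        elif octal is not None:
            octal.extend(int(o, 8) for o in re.findall(r"\\(\d{3})", line))
        elif line.startswith("CKA_TRUST_SERVER_AUTH") and \
                line.endswith("CKT_NSS_TRUSTED_DELEGATOR"):
            trusted.append(label)
    return [(lbl, certs[lbl]) for lbl in trusted if lbl in certs]

def build_bundle(text):
    """PEM bundle as plain UTF-8 bytes; "utf-8-sig" would prepend a BOM."""
    pem = ""
    for label, der in parse_certdata(text):
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem += "%s\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (label, body)
    return pem.encode("utf-8")
```

Only roots whose trust record says CKT_NSS_TRUSTED_DELEGATOR for server auth reach the bundle, which is the same filtering rule mk-ca-bundle applies by default.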
I just wanted to give a heads up that http://hg.mozilla.org/ will HTTP 301 to https://hg.mozilla.org/ starting around 2017-02-01 0800 PST. I know mk-ca-bundle.pl is used in random places throughout the Internets. So if you hear about it breaking on Wednesday, that's probably why.
https://groups.google.com/d/msg/mozilla.dev.version-control/7A6WwhraKm4/QxRs2dw5BAAJ for the full announcement.
Ah right, thanks @indygreg. This will make the mk-ca-bundle.pl start to fail unconditionally unless curl is installed and working on the machine running the script. But I consider the switch a good thing nonetheless and such failures will help users to fix their stuff and get secure transfers going.
Ref #1012
Figured-out-by: Tatsuhiro Tsujikawa