Upgrade How to upgrade CentOS Mercurial version to 4.9

Discussion in 'Centmin Mod Insights' started by eva2000, Apr 10, 2019.

Thread Status:
Not open for further replies.
    eva2000 (Administrator, Staff Member)
    CentOS seems to install a very old version of Mercurial. CentOS 6 uses Mercurial 1.4.5 and CentOS 7 uses Mercurial 2.6.2. This led to a problem I experienced trying to clone the Nginx NJS repository on CentOS 7: Mercurial versions older than 2.7.9 do not have HTTPS SNI support, so connecting to the hg.nginx.org/njs server over HTTPS doesn't support more than one SSL certificate per IP address.

    This means that Mercurial version 2.6.2 connected to the main SSL certificate on that server, which actually belongs to a hostname = pubserv.nginx.com vhost that resides on the same server as hg.nginx.org and has an SSL certificate with common name = *.nginx.com nginx.com.
    Code (Text):
    hg clone https://hg.nginx.org/njs/
    abort: hg.nginx.org certificate error: certificate is for *.nginx.com, nginx.com
    (configure hostfingerprint bd:90:5e:95:b4:51:d8:0b:b0:36:41:6f:99:a7:80:01:4e:cf:ee:c2 or use --insecure to connect insecurely) 

    The ideal fix would be for the pubserv.nginx.com SSL certificate to contain both common names, for the *.nginx.com and *.nginx.org wildcards.

    But this is out of our control, so we can update to a newer version of Mercurial, which is currently at Mercurial 4.9.

    For CentOS 7
    Code (Text):
    yum -y localinstall https://centminmod.com/centminmodparts/mercurial/centos7/mercurial-4.9-1.x86_64.rpm

    For CentOS 6
    Code (Text):
    yum -y localinstall https://centminmod.com/centminmodparts/mercurial/centos6/mercurial-4.9-1+2.7.14.x86_64.rpm

    The end result is an updated Mercurial version:
    Code (Text):
    hg --version
    Mercurial Distributed SCM (version 4.9)
    (see https://mercurial-scm.org for more information)
    Copyright (C) 2005-2019 Matt Mackall and others
    This is free software; see the source for copying conditions. There is NO

    Now retry the hg clone and it works:
    Code (Text):
    hg clone https://hg.nginx.org/njs/
    destination directory: njs
    requesting all changes
    adding changesets
    adding manifests
    adding file changes
    added 874 changesets with 3131 changes to 187 files
    updating to branch default
    162 files updated, 0 files merged, 0 files removed, 0 files unresolved

    testssl 3.0rc4 output for troubleshooting:
    Code (Text):
    testssl hg.nginx.org:443
    Testing server defaults (Server Hello)
    TLS extensions (standard) "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15" "next protocol/#13172" "application layer protocol negotiation/#16"
    Session Ticket RFC 5077 hint 14400 seconds, session tickets keys seems to be rotated < daily
    SSL Session ID support yes
    Session Resumption Tickets: yes, ID: yes
    TLS clock skew Random values, no fingerprinting possible
    Signature Algorithm SHA256 with RSA
    Server key size RSA 2048 bits
    Server key usage Digital Signature, Key Encipherment
    Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
    Serial / Fingerprints 030D311281F9B8198440D9E1F99E6DCBEA36 / SHA1 FCFED1288228D3D056CD63018F453AF21F2520E7
    SHA256 237EE7B9E1FD73D9462D1730F6C706E4636CE2D85B2372E4936B61EFE58C0111
    Common Name (CN) mailman.nginx.org (CN in response to request w/o SNI: *.nginx.com)
    subjectAltName (SAN) hg.nginx.org mailman.nginx.com mailman.nginx.org trac.nginx.org
    Issuer Let's Encrypt Authority X3 (Let's Encrypt from US)
    Trust (hostname) Ok via SAN (SNI mandatory)
    Chain of trust Ok
    EV cert (experimental) no
    "eTLS" (visibility info) not present
    Certificate Validity (UTC) 36 >= 30 days (2019-02-14 15:18 --> 2019-05-15 15:18)
    # of certificates provided 2
    Certificate Revocation List --
    OCSP URI http://ocsp.int-x3.letsencrypt.org
    OCSP stapling not offered
    OCSP must staple extension --
    DNS CAA RR (experimental) not offered
    Certificate Transparency yes (certificate extension)

    Of note, look at the message = CN in response to request w/o SNI: *.nginx.com, which means that for HTTPS requests from clients without SNI support, the common name of the SSL cert is *.nginx.com, which corresponds to the pubserv.nginx.com SSL certificate.
    Code (Text):
    Common Name (CN) mailman.nginx.org (CN in response to request w/o SNI: *.nginx.com)
    subjectAltName (SAN) hg.nginx.org mailman.nginx.com mailman.nginx.org trac.nginx.org
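The following script is an added example for this thread; it is not code from the original post, from Centmin Mod or from Mercurial. It reproduces with plain openssl the check testssl reported above ("CN in response to request w/o SNI"): it fetches the leaf certificate once without SNI, which is what the stock CentOS Mercurial build sees, and once with SNI, then applies the same hostname-versus-certificate-name comparison that produced the "certificate is for *.nginx.com, nginx.com" abort. It assumes the openssl CLI is installed (the -noservername detection is needed because OpenSSL 1.1.1+ sends SNI by default while the 1.0.x build on CentOS 7 does not), and the script name and the port argument are this example's own choices. The network probe only runs when a host is passed on the command line.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from
# Centmin Mod. Compares the certificate a server presents to a client that
# sends no SNI (as Mercurial without SNI support does) with the one it
# presents when the hostname is sent via SNI.
# Assumes the openssl CLI; the probe runs only when a host is given:
#     sh sni-check.sh hg.nginx.org [443]

set -eu

# Fetch the leaf certificate (PEM) from HOST:PORT.
# MODE "sni" puts the hostname in the ClientHello; "nosni" sends no SNI.
fetch_leaf_cert() {
    host=$1; port=$2; mode=$3
    flags=""
    if [ "$mode" = sni ]; then
        flags="-servername $host"
    elif openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        # OpenSSL >= 1.1.1 sends SNI by default and must be told not to;
        # OpenSSL 1.0.x (CentOS 7) sends none unless -servername is given.
        flags="-noservername"
    fi
    # shellcheck disable=SC2086  (flags is intentionally word-split)
    openssl s_client -connect "$host:$port" $flags </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Subject line of a PEM certificate, e.g. "subject=CN = mailman.nginx.org".
cert_subject() {
    printf '%s\n' "$1" | openssl x509 -noout -subject
}

# SAN list of a PEM certificate on one line; empty if the cert has none.
cert_sans() {
    printf '%s\n' "$1" | openssl x509 -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# SHA-256 fingerprint of a PEM certificate (what a Mercurial pin would use).
cert_fingerprint() {
    printf '%s\n' "$1" | openssl x509 -noout -fingerprint -sha256
}

# Pull the CN out of an "openssl x509 -subject" line. Handles both the
# OpenSSL 1.0.x form "subject= /C=US/CN=*.nginx.com" and the 1.1.x form
# "subject=CN = *.nginx.com".
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Does HOST match certificate name PAT? Exact match, or a wildcard covering
# exactly one leftmost label: *.nginx.com matches pubserv.nginx.com but
# neither hg.nginx.org nor a.b.nginx.com. This is the comparison behind the
# "certificate is for *.nginx.com" abort quoted in the post.
name_matches() {
    host=$1; pat=$2
    case "$pat" in
        \*.*)
            suffix=${pat#\*}            # ".nginx.com"
            label=${host%"$suffix"}     # what precedes the suffix, if anything
            [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]
            ;;
        *)
            [ "$host" = "$pat" ]
            ;;
    esac
}

# One-line verdict from the CN seen without SNI ($1) and with SNI ($2).
sni_verdict() {
    if [ "$1" = "$2" ]; then
        echo "SNI not required: same certificate (CN=$1) with and without SNI"
    else
        echo "SNI required: no-SNI clients get CN=$1, SNI clients get CN=$2"
    fi
}

if [ "$#" -ge 1 ]; then
    host=$1; port=${2:-443}
    pem_nosni=$(fetch_leaf_cert "$host" "$port" nosni)
    pem_sni=$(fetch_leaf_cert "$host" "$port" sni)
    cn_nosni=$(subject_cn "$(cert_subject "$pem_nosni")")
    cn_sni=$(subject_cn "$(cert_subject "$pem_sni")")
    echo "without SNI: CN=$cn_nosni"
    echo "             SAN: $(cert_sans "$pem_nosni")"
    echo "with SNI:    CN=$cn_sni"
    echo "             SAN: $(cert_sans "$pem_sni")"
    echo "             $(cert_fingerprint "$pem_sni")"
    sni_verdict "$cn_nosni" "$cn_sni"
    if ! name_matches "$host" "$cn_nosni"; then
        echo "a client without SNI will reject $host unless the no-SNI certificate's CN or SAN also covers it"
    fi
fi
```

Against hg.nginx.org at the time of the post this would print *.nginx.com for the no-SNI connection and mailman.nginx.org (with hg.nginx.org in the SAN list) for the SNI one, matching the testssl rows quoted above. The fingerprint line is there because the abort message suggests pinning: that pin would bind the *.nginx.com certificate of the wrong vhost, and with a Let's Encrypt issuer (90-day validity, as the 2019-02-14 to 2019-05-15 dates above show) it would break at the next renewal, so upgrading to an SNI-capable Mercurial as the post does is the durable fix.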