6dd4b07138eb8f479cc4205036c9d6a1794a9f80
galt
  Mon Nov 15 13:30:07 2021 -0800
Add a domain exceptions whitelist so that we can configure a small number of exceptions for old servers that are still incompatible with openssl. It is set with the hg.conf setting httpsCertCheckDomainExceptions or the env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers, which should just be advised on correct openssl compatibility; that usually means getting their server to output their intermediate certs as well, or even the cert chain, which is typically just 3 certs. refs #28458

diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index 22d86d0..deb1903 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -2263,30 +2263,33 @@
 {
 /* Most cgis call this routine */
 if (sameOk(cfgOption("signalsHandler"), "on"))  /* most cgis call this routine */
     initSigHandlers(hDumpStackEnabled());
 
 /* HTTPS SSL Cert Checking Settings */
 char *httpsCertCheck = cfgOption("httpsCertCheck");  
 if (httpsCertCheck)
     setenv("https_cert_check", httpsCertCheck, TRUE);
 char *httpsCertCheckVerbose = cfgOption("httpsCertCheckVerbose");  
 if (httpsCertCheckVerbose)
     setenv("https_cert_check_verbose", httpsCertCheckVerbose, TRUE);
 char *httpsCertCheckDepth = cfgOption("httpsCertCheckDepth");  
 if (httpsCertCheckDepth)
     setenv("https_cert_check_depth", httpsCertCheckDepth, TRUE);
+char *httpsCertCheckDomainExceptions = cfgOption("httpsCertCheckDomainExceptions");  
+if (httpsCertCheckDomainExceptions)
+    setenv("https_cert_check_domain_exceptions", httpsCertCheckDomainExceptions, TRUE);
 
 
 /* Proxy Settings 
  * net.c cannot see the cart, pass the value through env var */
 char *httpProxy = cfgOption("httpProxy");  
 if (httpProxy)
     setenv("http_proxy", httpProxy, TRUE);
 char *httpsProxy = cfgOption("httpsProxy");
 if (httpsProxy)
     setenv("https_proxy", httpsProxy, TRUE);
 char *ftpProxy = cfgOption("ftpProxy");
 if (ftpProxy)
     setenv("ftp_proxy", ftpProxy, TRUE);
 char *noProxy = cfgOption("noProxy");
 if (noProxy)
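Review bot: The three added lines for `httpsCertCheckDomainExceptions` carry no comment on what the setting does to verification, although it is the only entry in this block that, going by the commit message, exempts named hosts from the certificate check. I would add a comment above them such as `/* Domains listed here are exempted from HTTPS cert checking, so connections to them are not authenticated; keep the list minimal and limited to legacy servers */`, and also state the expected list format (separator, and whether entries match exact hostnames only), since neither is visible here. The value is passed to `setenv` unvalidated and with overwrite `TRUE`, so the hg.conf entry replaces any `https_cert_check_domain_exceptions` already in the environment; that matches the neighbouring settings, but the precedence is worth noting in the comment because a stale hg.conf entry silently widens the exemption. The parsing and matching code lives outside this hunk, and the enclosing function starts and ends outside it as well, so confirm there that an entry cannot match more hosts than the one intended.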