6dd4b07138eb8f479cc4205036c9d6a1794a9f80 galt Mon Nov 15 13:30:07 2021 -0800 Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
diff --git src/lib/net.c src/lib/net.c
index d6db8b4..1601ac5 100644
--- src/lib/net.c
+++ src/lib/net.c
@@ -1315,30 +1315,31 @@
 if (endsWith(host, word))
 return TRUE;
 }
 return FALSE;
 }
 
 int netHttpConnect(char *url, char *method, char *protocol, char *agent, char *optionalHeader)
 /* Parse URL, connect to associated server on port, and send most of
  * the request to the server. If specified in the url send user name
  * and password too. Typically the "method" will be "GET" or "POST"
  * and the agent will be the name of your program or
  * library. optionalHeader may be NULL or contain additional header
  * lines such as cookie info.
  * Proxy support via hg.conf httpProxy or env var http_proxy
  * Cert verification control via hg.conf httpsCertCheck or env var https_cert_check
+ * Cert verify domains exception white-list via hg.conf httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions
  * Return data socket, or -1 if error.*/
 {
 struct netParsedUrl npu;
 struct netParsedUrl pxy;
 struct dyString *dy = newDyString(512);
 int sd = -1;
 
 /* Parse the URL and connect. */
 netParseUrl(url, &npu);
 boolean noProxy = checkNoProxy(npu.host);
 char *proxyUrl = getenv("http_proxy");
 if (sameString(npu.protocol, "https"))
 proxyUrl = NULL;
 if (noProxy)
 proxyUrl = NULL;
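Review bot: The added header line names where the exception list is configured but not what listing a host means: a host on httpsCertCheckDomainExceptions gets no server certificate verification, so TLS to it gives no protection against an active man-in-the-middle, and the comment on netHttpConnect should say so next to the config names. I would extend the new line to `* Cert verify domain exception list via hg.conf httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions;` followed by `* hosts on the list skip server certificate verification entirely, so keep it to the legacy servers it was added for and never use it for new endpoints.` The hunk also does not show how entries are matched against npu.host; if it follows checkNoProxy above, which uses endsWith, a bare entry such as `example.org` would also match `evilexample.org`, so the comment should state whether entries are exact hostnames or dot-prefixed suffixes once that is confirmed. The code that applies the list is not in this hunk, and netHttpConnect's body continues past the end of the hunk.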