6dd4b07138eb8f479cc4205036c9d6a1794a9f80
galt
  Mon Nov 15 13:30:07 2021 -0800
Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458

diff --git src/product/ex.hg.conf src/product/ex.hg.conf
index 6623bf3..971b738 100644
--- src/product/ex.hg.conf
+++ src/product/ex.hg.conf
@@ -463,30 +463,32 @@
 # browser.styleDir=style-public
 
 # enable user specific style/images directory
 # browser.styleImagesDir=style/images-public
 
 # enable user specific css file
 # browser.style=/style/mystyle.css
 
 # enable user specific trix file for track search tool
 # does substitution on the $db variable
 # browser.trixPath=/gbdb/$db/trackDb.ix
 
 # HTTPS CERTIFICATE VERIFY
 # Options are abort, warn, or none (currently default is warn)
 #httpsCertCheck=warn
+# domains to whitelist, skip cert checking, space-separated list
+#httpsCertCheckDomainExceptions=
 
 # PROXY
 # enable http(s) proxy support in net.c
 #httpProxy=http://someProxyServer:3128
 #httpsProxy=http://someProxyServer:3128
 #ftpProxy=ftp://127.0.0.1:2121
 # if proxy server needs BASIC authentication
 #httpProxy=http://user:password@someProxyServer:3128
 #httpsProxy=http://user:password@someProxyServer:3128
 # if some domain suffixes should not be proxied:
 #noProxy=ucsc.edu,mit.edu,localhost,127.0.0.1
 
 # enable local file access for custom tracks
 # By default you have to supply http:// URLs for custom track data, e.g. in bigDataUrls
 # With this statement, you can allow loading from local files, as long as the path