File Changes for galt

v424_preview to v424_preview2 (2021-11-15 to 2021-11-22) v424

• src/hg/htdocs/goldenPath/help/mirrorManual.html
  • lines changed 5, context: html, text, full: html, text
    6dd4b07138eb8f479cc4205036c9d6a1794a9f80 Mon Nov 15 13:30:07 2021 -0800
    Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
  • lines changed 4, context: html, text, full: html, text
    f90dad3fd12f2d38f0407507297343d692a56a48 Fri Nov 19 14:42:03 2021 -0800
    Adding log setting to httpsCertCheck and making it the new default. This makes it even softer on users, gives us more time to prepare, only logs certs to stderr and only if run as a CGI so that SCRIPT_NAME env var is set. The user does not see anything diffent in behavior and output for log level, but we see cert issues in the log.
• src/hg/lib/cart.c
  • lines changed 3, context: html, text, full: html, text
    6dd4b07138eb8f479cc4205036c9d6a1794a9f80 Mon Nov 15 13:30:07 2021 -0800
    Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
• src/hg/utils/hubCheck/hubCheck.c
  • lines changed 6, context: html, text, full: html, text
    f90dad3fd12f2d38f0407507297343d692a56a48 Fri Nov 19 14:42:03 2021 -0800
    Adding log setting to httpsCertCheck and making it the new default. This makes it even softer on users, gives us more time to prepare, only logs certs to stderr and only if run as a CGI so that SCRIPT_NAME env var is set. The user does not see anything diffent in behavior and output for log level, but we see cert issues in the log.
• src/inc/net.h
  • lines changed 1, context: html, text, full: html, text
    6dd4b07138eb8f479cc4205036c9d6a1794a9f80 Mon Nov 15 13:30:07 2021 -0800
    Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
• src/lib/https.c
  • lines changed 81, context: html, text, full: html, text
    6dd4b07138eb8f479cc4205036c9d6a1794a9f80 Mon Nov 15 13:30:07 2021 -0800
    Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
  • lines changed 11, context: html, text, full: html, text
    f90dad3fd12f2d38f0407507297343d692a56a48 Fri Nov 19 14:42:03 2021 -0800
    Adding log setting to httpsCertCheck and making it the new default. This makes it even softer on users, gives us more time to prepare, only logs certs to stderr and only if run as a CGI so that SCRIPT_NAME env var is set. The user does not see anything diffent in behavior and output for log level, but we see cert issues in the log.
  • lines changed 87, context: html, text, full: html, text
    5018192830765549851ab9fda888f4714d126029 Sun Nov 21 15:22:05 2021 -0800
    Added 62 domains with cert issues to https.c domain exceptions whitelist. Also adding a special flag value httpsCertCheckDomainExceptions=noHardwiredExceptions which if present in the hg.conf exceptions list causes the hardwired whitelist in https.c to be ignored. Meanwhile other values in the hg.conf softwired list can be still used. This is very handy for testing purposes. refs #28458
• src/lib/net.c
  • lines changed 1, context: html, text, full: html, text
    6dd4b07138eb8f479cc4205036c9d6a1794a9f80 Mon Nov 15 13:30:07 2021 -0800
    Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
• src/product/ex.hg.conf
  • lines changed 2, context: html, text, full: html, text
    6dd4b07138eb8f479cc4205036c9d6a1794a9f80 Mon Nov 15 13:30:07 2021 -0800
    Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
  • lines changed 2, context: html, text, full: html, text
    f90dad3fd12f2d38f0407507297343d692a56a48 Fri Nov 19 14:42:03 2021 -0800
    Adding log setting to httpsCertCheck and making it the new default. This makes it even softer on users, gives us more time to prepare, only logs certs to stderr and only if run as a CGI so that SCRIPT_NAME env var is set. The user does not see anything diffent in behavior and output for log level, but we see cert issues in the log.
• src/product/mirrorManual.txt
  • lines changed 3, context: html, text, full: html, text
    6dd4b07138eb8f479cc4205036c9d6a1794a9f80 Mon Nov 15 13:30:07 2021 -0800
    Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
  • lines changed 3, context: html, text, full: html, text
    f90dad3fd12f2d38f0407507297343d692a56a48 Fri Nov 19 14:42:03 2021 -0800
    Adding log setting to httpsCertCheck and making it the new default. This makes it even softer on users, gives us more time to prepare, only logs certs to stderr and only if run as a CGI so that SCRIPT_NAME env var is set. The user does not see anything diffent in behavior and output for log level, but we see cert issues in the log.