Configuration for using Mercurial with Bitbucket from behind a certificate rewriting proxy? - mercurial

I'm trying to access BitBucket from work. The only access to the Internet is via an authenticating HTTP proxy which proxies HTTP on port 8080 and SSL on port 8070. This proxy conducts a man-in-the-middle attack on SSL connections; browsers are able to create HTTPS connections to the Internet only due to the installation of a fake Websense certificate on all clients.
I am able to connect to BitBucket using Git but not using Mercurial. I'm using Mercurial version 2.0.2.
With Git I use the following config in .gitconfig
[user]
name = Firstname Lastname
email = firstname_lastname@domain.co.uk
[http]
proxy = http://name:password@nnn.nnn.nnn.nnn:8080
And can clone a repository with the following command
D:\MercurialTesting>git clone http://Firstname_Lastname@bitbucket.org/Firstname_Lastname/bb102repo.git test1
Cloning into 'test1'...
Password for 'bitbucket.org':
remote: Counting objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
D:\MercurialTesting>
With the addition of this config setting
[http]
sslverify = false
I can also clone the repository via the https url https://Firstname_Lastname@bitbucket.org/Firstname_Lastname/bb102repo.git
Using Mercurial though it's a different story. Using the following config in mercurial.ini
[http_proxy]
host = nnn.nnn.nnn.nnn:8080
user = firstname_lastname@domain.co.uk
passwd = password
Mercurial will access my own Mercurial server at home no problem.
D:\MercurialTesting>hg --debug clone http://nnn.nnn.nnn.nnn/hg/Workspaces/Test1
using http://nnn.nnn.nnn.nnn/hg/Workspaces/Test1
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
http authorization required
realm: Mercurial Repositories
user: username
password:
http auth: user username, password *******
destination directory: Test1
query 1; heads
sending batch command
http auth: user username, password *******
requesting all changes
sending getbundle command
http auth: user username, password *******
adding changesets
changesets: 1 chunks
add changeset 711ff2c6f5b2
changesets: 2 chunks
add changeset 9034b963b4c1
. . .
Using the exact same configuration and trying to access BitBucket through Mercurial just hangs.
D:\MercurialTesting>hg --debug clone http://bitbucket.org/Firstname_Lastname/bb101repo
using http://bitbucket.org/Firstname_Lastname/bb101repo
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
abort: error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
D:\MercurialTesting>
Using the same configuration with SSL via the url https://bitbucket.org/Firstname_Lastname/bb101repo Mercurial hangs in exactly the same way. During this process Wireshark detects no network activity at all.
Changing the settings in Mercurial.ini to match the port which the proxy serves SSL through has no effect. Setting the environment variable http_proxy makes no difference, but setting the environment variable https_proxy changes the output completely. Setting https_proxy and adding --insecure to the hg command invocation results in:
D:\MercurialTesting>hg --debug clone http://bitbucket.org/Firstname_Lastname/bb101repo --insecure
using http://bitbucket.org/Firstname_Lastname/bb101repo
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
warning: bitbucket.org certificate with fingerprint 79:ce:0d:30:b0:17:29:6a:d1:9f:dd:d3:62:80:70:28:5e:9f:c2:e3 not verified (check hostfingerprints or web.cacerts config setting)
http authorization required
realm: Bitbucket.org HTTP
user: Firstname_Lastname
password:
http auth: user Firstname_Lastname, password ***
warning: bitbucket.org certificate with fingerprint 79:ce:0d:30:b0:17:29:6a:d1:9f:dd:d3:62:80:70:28:5e:9f:c2:e3 not verified (check hostfingerprints or web.cacerts config setting)
abort: HTTP Error 502: Success
D:\MercurialTesting>
And now Wireshark does detect an exchange taking place between my workstation and the proxy server. What I find most confusing though is that it doesn't make the slightest difference what I set https_proxy to, hg always uses the http proxy setting from Mercurial.ini and produces the same output above irrespective of whether I set https_proxy to the correct details for the SSL proxy or to complete garbage. The only difference is that if the environment variable https_proxy isn't set at all then hg just hangs as described above.
The formats for https_proxy I've tried include all variations of:
https_proxy=ip.ip.ip.ip:8070
https_proxy=ip.ip.ip.ip:8080
https_proxy=username:password@ip.ip.ip.ip:8070
https_proxy=username:password@ip.ip.ip.ip:8080
https_proxy=http://ip.ip.ip.ip:8070
https_proxy=http://ip.ip.ip.ip:8080
https_proxy=http://username:password@ip.ip.ip.ip:8070
https_proxy=http://username:password@ip.ip.ip.ip:8080
The results are the same no matter what I set it to.
So the questions I could really use some help with are:
How come I can access my Mercurial repositories at home but not at BitBucket?
How come I can access BitBucket with Git but not with Mercurial using the same configuration?
Does anyone have any ideas of how I can get this to work or what I can test next?

I am also connecting via proxy to bitbucket. As my settings didn't work as expected I found this SO entry.
I noticed that if I use command line parameters then everything works.
hg --config http_proxy.host=192.168.1.1:8080 --config http_proxy.user=Vad1mo --config http_proxy.passwd=secret clone https://bitbucket.org/Vadimo/test
On the other hand same entries in Mercurial.ini didn't work.
[http_proxy]
host = 192.168.1.1
port = 8080
user = Vad1mo
passwd = internet
By accident I found out the tiny difference between CMD and ini. In CMD the port is postfixed to the host. In ini file it is a new entry.
Changing mercurial.ini to postfix the port to host like on command line solved the problem.
[http_proxy]
host = 192.168.1.1:8080
;port = 8080
user = Vad1mo
passwd = internet
Maybe this also will help you.
btw. my hg version is 2.6.3
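The host/port difference described in this answer can be checked mechanically. The following is an added example, not part of the original answer or of Mercurial: a small linter (lint_http_proxy and the two sample strings are constructed here) that reports [http_proxy] keys outside the documented set, a host written without its port, and a proxy password kept in the file.

```python
import configparser

# Settings Mercurial documents for the [http_proxy] section.
KNOWN_KEYS = {"host", "user", "passwd", "no", "always"}

# Constructed samples: the two variants of the section discussed above.
SEPARATE_PORT = """[http_proxy]
host = 192.168.1.1
port = 8080
user = Vad1mo
passwd = internet
"""
PORT_IN_HOST = """[http_proxy]
host = 192.168.1.1:8080
;port = 8080
user = Vad1mo
passwd = internet
"""


def lint_http_proxy(ini_text):
    """Return a list of findings for the [http_proxy] section of ini_text."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.read_string(ini_text)
    if not cp.has_section("http_proxy"):
        return ["no [http_proxy] section"]
    section = cp["http_proxy"]
    findings = []
    for key in section:
        if key not in KNOWN_KEYS:
            findings.append(f"unknown key '{key}': not read by Mercurial")
    host = (section.get("host") or "").strip().rstrip("/")
    # Drop an optional scheme, then look for a numeric port after the last colon.
    _, sep, port = host.split("://", 1)[-1].rpartition(":")
    if not host:
        findings.append("host is not set")
    elif not sep or not port.isdigit():
        findings.append("host has no port: write it as host:port")
    if section.get("passwd"):
        findings.append("passwd is stored in clear text")
    return findings


if __name__ == "__main__":
    for name, text in (("separate port", SEPARATE_PORT), ("port in host", PORT_IN_HOST)):
        print(name, "->", lint_http_proxy(text))
```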

I ran into a similar problem with my work's proxy; actually, almost identical.
I've gotten around the problem so far by setting the http_proxy in mercurial.ini and then connecting to BitBucket via their HTTP address hg.io.
For example, my repository at https://bitbucket.org/mattgwagner/mattgwagner.com can be accessed via http://hg.io/mattgwagner/mattgwagner.com . Of course, this will send your password and connection in plaintext, but at least it let me connect.
This came in more use for me when pulling in open source projects hosted on BitBucket for my use.
Mercurial.ini
[http_proxy]
host = 192.168.1.155:8080
no =
user = domainUsername
passwd = pass

Are you able to ssh out? Bitbucket supports ssh access and your proxy won't muck w/ that if it's allowed.

Related

How do I configure tortoisehg to work with multiple repos?

I've been using tortoisehg to work with a repo using ssh and everything is in order. But now I'm trying to clone another repo that uses only https, and I'm welcomed with the following error message:
URLError: [Errno 10061] No connection could be made because the target machine actively refused it
[command returned code 255. . .]
I tried to localize the settings of my current repo, i.e. remove them from global settings, to ...\.hg\hgrc, but I still get the same error when I try to clone.
Any ideas on this?
A bit late response but perhaps it's a proxy error...
see:
How to clone a codeplex mercurial repository behind a proxy?
but instead use
[https_proxy]
host = proxy name / ip:port
user = xxxxxxx
passwd = xxxxxxx

Mercurial autosync user

I have an internal mercurial web server that is served using IIS, using window security, and another server on my external web server set up the same way.
Developers commit code to the internal server, and teamcity builds from there.
However we are now working on a customer portal on the web site that can list some mercurial information. This connects to the local instance of mercurial (i.e. the one on the external server)
I have installed the mercurial autosync plug-in onto the internal server, with the intention of updating the master copy of the code on the external server, and allowing the website to read its information from there. Code will never be checked in directly to the external server, all updates will come from the internal server. All repositories are clones of the ones on the external server.
I have run the autosync command in the repositories on the internal server "hg autosync -D" and I have tried it with "hg autosync -D -u username" but when I check the autosync log all I see is this:
------------------------------ 06/08/12 08:54:56 ------------------------------
sync: commit working copy changes
nothing changed
sync: fetch changes from other repository
http authorization required
realm: www.mydomain.co.uk
user: response expected
sync: an error occurred, will retry at next interval
Anyone have any idea how to specify the user (and password?) correctly?
You probably need to add credentials to the C:\Users\<username>\mercurial.ini file of the user running Mercurial:
[auth]
mydomain.prefix = mydomain.co.uk
mydomain.username = <username>
mydomain.password = <password>

hg doesn't connect to bitbucket using a custom key

On my computer I have
.ssh/config:
Host bitbucket
HostName bitbucket.org
User hg
IdentityFile ~/.ssh/id_rsa_pwd
.hg/hgrc
[paths]
default = ssh://hg@bitbucket.org/lohoris/varlibs
(running OSX 10.6)
I have exactly the same files on a debian server, but while "trying" a shell login works on both:
PTY allocation request failed on channel 0
conq: logged in as lohoris.
You can use git or hg to connect to Bitbucket. Shell access is disabled.
Connection to bitbucket.org closed.
mercurial connection only works on my computer, while from the server it refuses to cooperate:
lohoris@office:~/www/varlibs$ hg pull
remote: Permission denied (publickey).
abort: no suitable response from remote hg!
This is the same message you get when the key is wrong, only it is not wrong of course (as I said, trying a ssh bitbucket does work).
It is likely using the wrong key, since it's not even trying to ask me the passphrase, but I can't fathom why.
If you get “Permission denied (publickey)”, it just means that the public key required to access and push to the server cannot be found. To get around this you’re going to run the following commands:
ssh-agent
ssh-add <full path to your key file>
Troubleshooting SSH Issues
Set up SSH for Git and Mercurial (Mac OSX/Linux)
ssh -T hg@bitbucket.org is also a good and fast SSH debugger
In your path, you should use ssh://bitbucket/lohoris/varlibs, not ssh://hg@bitbucket.org/lohoris/varlibs.

Mercurial ignoring http_proxy settings

I try to connect to a mercurial alias called 'thuis' through an http proxy. I tried setting the proxy setting in the .hgrc repo config and in the main config via tortoisehg. With both methods I get an abort error:
abort: error: No connection could be made because the target machine actively refused it
Even using the following construct didn't work:
hg --config http_proxy.host=10.192.132.191:5865 --config http_proxy.always=true incoming thuis
If I look with MS network monitor I see that hg directly tries to connect to 'thuis' and not to the proxy at 10.192.132.191

Disabling HTTPS host authentication in TortoiseHG for internal self-signed certificates

How do you disable HTTPS host authentication in TortoiseHG for internal self-signed certificates? For internal servers HTTPS is primarily used for encryption.
The TortoiseHG documentation says that it is possible to disable host verification (i.e. verification against the Certificate Authority chain) here but I can't seem to find the option.
It's supposed to be an option when cloning a remote repository. I am using the latest TortoiseHG 2.0.5
In the TortoiseHG Workbench, in the Sync tab (or in the Sync screen), if you have a remote path selected, you should see a button with a lock icon on it:
That will bring up the Security window, where you can select the option No host validation, but still encrypted, among other settings. When you turn that on, it adds something like this to your mercurial.ini:
[insecurehosts]
bitbucket.org = 1
That's machine-level config for TortoiseHg, but it doesn't seem to affect the Clone window.
On the command-line, you can use --insecure to skip verifying certificates:
hg clone --insecure https://hostname.org/user/repository repository-clone
This will spit out a number of warnings about not verifying the certificate, and will also show you the host fingerprint in each message, like the example warning below (formatted from the original for readability):
warning: bitbucket.org certificate with fingerprint
24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified
(check hostfingerprints or web.cacerts config setting)
A better option, however, is host fingerprints, which are used by both hg and TortoiseHg. In TortoiseHg's Security window, above No host validation is the option Verify with stored host fingerprint. The Query button retrieves the fingerprint of the host's certificate and stores it in mercurial.ini:
[hostfingerprints]
bitbucket.org = 81:2b:08:90:dc:d3:71:ee:e0:7c:b4:75:ce:9b:6c:48:94:56:a1:fe
This should skip actual verification of the certificate because you are declaring that you already trust the certificate.
This documentation on certificates may help, as well.
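To see what a [hostfingerprints] entry actually pins, the value can be recomputed from an exported certificate and compared with the stored one; behind a certificate-rewriting proxy, the certificate the client is served is the proxy's substitute. This is an added example, not part of the answer above or of Mercurial or TortoiseHg: it assumes the 20-byte fingerprints shown on this page are the SHA-1 of the DER-encoded certificate, and the function names and SAMPLE_PEM (constructed bytes, not a real certificate) are made up for the illustration.

```python
import configparser
import hashlib
import re
import ssl

# 20 colon-separated hex pairs, the shape of the fingerprints quoted above.
FP_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){19}$")

# Constructed stand-in for an exported PEM file; the bytes are not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for DER certificate bytes")


def hg_fingerprint(der_cert):
    """SHA-1 of the DER certificate as colon-separated hex pairs."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_fingerprint(ini_text, host):
    """Return the [hostfingerprints] entry for host, or None if there is none."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.read_string(ini_text)
    return cp.get("hostfingerprints", host, fallback=None)


def check_pin(ini_text, host, pem_cert):
    """Compare a PEM certificate with the stored pin.

    Returns (status, fingerprint); status is 'match', 'mismatch',
    'unpinned' or 'malformed-pin'.
    """
    seen = hg_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))
    pin = pinned_fingerprint(ini_text, host)
    if pin is None:
        return "unpinned", seen
    pin = pin.strip().lower()
    if not FP_RE.match(pin):
        return "malformed-pin", seen
    return ("match" if pin == seen else "mismatch"), seen
```

A 'mismatch' after a previously matching pin means the certificate presented for that host has changed, whether through a renewal on the server or a different device answering in its place.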
In the Clone Repository window expand options and check "Do not verify host certificate" check box.