hg.mozilla.org now redirects to hg-edge.mozilla.org. This presents a
couple of unique challenges:
- OpenSSL s_client cannot follow redirects.
- hg-edge.mozilla.org is configured differently than hg.mozilla.org was.
- The certificate used for hg-edge.mozilla.org is signed by Let's
Encrypt instead of the Mozilla CA root.
To fix this, we have done the following:
- Removed the Mozilla CA root from the make-ca package, and replaced it
with ISRG-Root-X1, which is the signing root certificate for Let's
Encrypt certificates.
- Adjusted the Makefile to install the new signing root certificate.
- Changed the URL for downloading the certdata.txt file to
hg-edge.mozilla.org.
- Fixed problems with retrieving the certificate data from that website
by specifying the HTTP version and turning off keep-alive support. As
part of this we needed to change from using "echo" to "printf" due to
a behavior change in how "\n" is handled. Note that "\n" must be
specified or else the connection will hang.
This will allow certificate data to be updated once again.

Before this, make-ca did not verify the certificate of hg.mozilla.org
at all. This makes sense, as make-ca often runs on systems without a
trust anchor. But a MITM can easily fake hg.mozilla.org and completely
hijack the trust anchor of a BLFS system.
To improve the situation, we ship the certificate of the CA root for
hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use
it to verify hg.mozilla.org.
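The two messages above describe the same technique from both sides: pin a single shipped root certificate so that openssl s_client verifies the server even on a system with no trust store, and send an HTTP/1.0 request with "Connection: close" via printf so the connection terminates cleanly. The script below is an added example that illustrates both; it is not the code of either commit and not make-ca's own download logic. The hostname, the certdata.txt path, the root file name ISRG-Root-X1.pem and the check for the BEGINDATA marker are assumptions made for the example (for the older hg.mozilla.org setup the pinned file would be the DigiCert Global Root CA instead).

```shell
#!/bin/sh
# Added example, not make-ca's own code. Fetch certdata.txt over TLS with
# openssl s_client while verifying the server against one pinned root.
# Assumed: host, path, and the root file name below; no system trust store.

HOST="hg-edge.mozilla.org"
CERTDATA_PATH="/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt"
ROOT_CERT="ISRG-Root-X1.pem"   # assumed file name, shipped next to this script

# Build a minimal HTTP/1.0 request. printf is used rather than echo because
# echo's handling of "\n" differs between shells. The empty line that ends the
# headers is mandatory: without it the server keeps waiting for more headers
# and the connection hangs. "Connection: close" makes the server close the
# stream after the response, so s_client returns instead of idling.
http_request() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$2"
}

# Drop the status line and headers, keeping only the response body.
# The first blank (possibly "\r"-only) line terminates the header block.
strip_http_headers() {
    awk 'body { print } /^[[:space:]]*$/ { body = 1 }'
}

# Cheap sanity check on the downloaded file: certdata.txt carries a
# BEGINDATA marker (assumed here); a TLS failure or an HTML error page
# does not. Reads the given file, or stdin when no argument is passed.
looks_like_certdata() {
    grep -q '^BEGINDATA' "$@"
}

# Download with the root pinned via -CAfile. -verify_return_error aborts the
# handshake on any chain that does not lead to ROOT_CERT, so a spoofed
# server yields no body at all. Note that in a plain POSIX pipeline the exit
# status is awk's, not s_client's, which is why the caller must run
# looks_like_certdata on the result rather than trust the pipeline status.
fetch_certdata() {
    http_request "$CERTDATA_PATH" "$HOST" |
      openssl s_client -quiet -verify_return_error \
          -CAfile "$ROOT_CERT" -servername "$HOST" \
          -connect "$HOST:443" 2>/dev/null |
      strip_http_headers
}

# The real network fetch only runs when invoked as: sh fetch-certdata.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    fetch_certdata > certdata.txt
    if ! looks_like_certdata certdata.txt; then
        echo "certdata.txt was not retrieved or did not verify" >&2
        exit 1
    fi
fi
```

If the pinned root is wrong (for example DigiCert Global Root CA after the move to hg-edge.mozilla.org), s_client refuses the handshake, the body is empty, and the BEGINDATA check fails, which is exactly the point: the trust anchor of the system is never replaced by data from an unverified peer.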