SSL-encrypted connections

If your installation requires SSL, make sure your P4PORT is of the form ssl:hostname:port. If you attempt to communicate in plaintext with an SSL-enabled Helix Server, the following error message is displayed:

Failed client connect, server using SSL.
Client must add SSL protocol prefix to P4PORT.

Set P4PORT to ssl:hostname:port, and attempt to reconnect to the server.

The first time you establish an encrypted connection with an SSL-enabled server, you are prompted to verify the server’s fingerprint:

The authenticity of '10.0.0.2:1818' can't be established,
this may be your first attempt to connect to this P4PORT.
The fingerprint for the key sent to your client is
CA:BE:5B:77:14:1B:2E:97:F0:5F:31:6E:33:6F:0E:1A:E9:DA:EF:E2

Your administrator can confirm whether the displayed fingerprint is correct or not. If (and only if) the fingerprint is correct, use the p4 trust command to add it to your P4TRUST file. If P4TRUST is unset, this file is assumed to be .p4trust in your home directory:

$ p4 trust
The fingerprint of the server of your P4PORT setting
'ssl:example.com:1818' (10.0.0.2:1818) is not known.
That fingerprint is
CA:BE:5B:77:14:1B:2E:97:F0:5F:31:6E:33:6F:0E:1A:E9:DA:EF:E2
Are you sure you want to establish trust (yes/no)?
Added trust for P4PORT 'ssl:example.com:1818' (10.0.0.2:1818)

If the fingerprint is accurate, enter yes to trust this server. You can also install a fingerprint directly into your trust file from the command line. Run:

$ p4 trust -p ssl:hostname:port -i fingerprint

where ssl:hostname:port corresponds to your P4PORT setting, and fingerprint corresponds to a fingerprint that your administrator has verified.

From this point forward, any SSL connection to ssl:example.com:1818 is trusted, so long as the server at example.com:1818 continues to report a fingerprint that matches the one recorded in your P4TRUST file.

If the Helix Server ever reports a different fingerprint than the one that you have trusted, the following error message is displayed:

******* WARNING P4PORT IDENTIFICATION HAS CHANGED! *******
It is possible that someone is intercepting your connection
to the Perforce P4PORT '10.0.50.39:1667'
If this is not a scheduled key change, then you should contact
your Perforce administrator.
The fingerprint for the mismatched key sent to your client is
18:FC:4F:C3:2E:FA:7A:AE:BC:74:58:2F:FC:F5:87:7C:BE:C0:2D:B5
To allow connection use the 'p4 trust' command.

This error message indicates that the fingerprint reported by the server no longer matches the one stored in your P4TRUST file, which means that the server’s SSL credentials have changed.

Although the change to the fingerprint may be legitimate (for example, your administrator controls the length of time for which your server’s SSL credentials remain valid, and your server’s credentials may have expired), it can also indicate the presence of a security risk.

Warning

If you see this error message, and your Helix Server administrator has not notified you of a change to your server’s key and certificate pair, it is imperative that you independently verify the accuracy of the reported fingerprint.

Unless you can independently confirm the veracity of the new fingerprint (by some out-of-band means, such as checking the company’s intranet site or personally contacting your administrator), do not trust the changed fingerprint.
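One way to apply this rule before running p4 trust -i, shown as an added example that is not part of the Helix documentation or Perforce's tooling: the script compares the fingerprint in the p4 output with an administrator-verified value and prints the install command only when they match. The function names and the ADMIN_FP value are assumptions; the sample text reuses the output shown on this page.

```shell
#!/bin/sh
# Added example (not Perforce's code): gate "p4 trust -i" on a fingerprint
# that was verified out-of-band.
FP_RE='([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}'

# Uppercase the hex digits and drop whitespace so a copy from e-mail or an
# intranet page compares equal to what p4 prints.
normalize_fp() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Extract the first 20-byte colon-separated fingerprint from p4 output text.
extract_fp() {
    printf '%s\n' "$1" | grep -Eo "$FP_RE" | head -n 1
}

# verify_fp P4_OUTPUT P4PORT VERIFIED_FP
# Prints the install command from this page only when the fingerprint the
# server presented equals the administrator-verified one.
# Returns 0 on match, 1 on mismatch, 2 on malformed or missing input.
verify_fp() {
    presented=$(normalize_fp "$(extract_fp "$1")")
    verified=$(normalize_fp "$3")
    printf '%s\n' "$verified" | grep -Eqx "$FP_RE" || return 2
    [ -n "$presented" ] || return 2
    if [ "$presented" = "$verified" ]; then
        printf 'p4 trust -p %s -i %s\n' "$2" "$verified"
    else
        printf 'MISMATCH: server sent %s, expected %s\n' "$presented" "$verified" >&2
        return 1
    fi
}

# Constructed sample input: the fingerprint lines from the output on this page.
FIRST_CONNECT='The fingerprint for the key sent to your client is
CA:BE:5B:77:14:1B:2E:97:F0:5F:31:6E:33:6F:0E:1A:E9:DA:EF:E2'
CHANGED_KEY='The fingerprint for the mismatched key sent to your client is
18:FC:4F:C3:2E:FA:7A:AE:BC:74:58:2F:FC:F5:87:7C:BE:C0:2D:B5'
# Assumption: the value the administrator published out-of-band.
ADMIN_FP='ca:be:5b:77:14:1b:2e:97:f0:5f:31:6e:33:6f:0e:1a:e9:da:ef:e2'

verify_fp "$FIRST_CONNECT" ssl:example.com:1818 "$ADMIN_FP" || echo "do not trust"
verify_fp "$CHANGED_KEY" ssl:example.com:1818 "$ADMIN_FP" || echo "do not trust"
```

A return status of 1 corresponds to the changed-fingerprint warning above: the connection stays untrusted until the administrator confirms the new value.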
