upstream/mercurial-mirror Files · tests/test-https.t

histedit: more precise user message when changeset is missing...

histedit: more precise user message when changeset is missing Now that we explicitly detect duplicated changesets, we can explicitly detect missing ones. We cover the same cases as before, some others and we offer a better error message in all cases.

Simon Heimberg - - Load All Authors

File last commit:

r18682:408f2202 default


                r19048:1163ff06

default

Download file

             test-https.t
        
                    281 lines
            
             | 11.3 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-https.t
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Mads Kiilerich
    
hgweb: use Pythons ssl module for HTTPS serve when using Python 2.6 or later...

              r12784
            
      Proper https client requires the built-in ssl from Python 2.6.

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        Mads Kiilerich
    
tests: use 'hghave serve' to guard tests that requires serve daemon management

              r15446
            
        $ "$TESTDIR/hghave" serve ssl || exit 80

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
      Certificates created with:

       printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

       openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

      Can be dumped with:

       openssl x509 -in pub.pem -text

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > priv.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        > -----BEGIN PRIVATE KEY-----

        > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

        > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

        > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

        > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

        > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

        > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

        > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

        > HY8gUVkVRVs=

        > -----END PRIVATE KEY-----

        > EOT

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

        > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

        > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

        > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

        > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

        > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

        > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

        > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

        > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub.pem >> server.pem

        $ PRIV=`pwd`/server.pem

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-other.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

        > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

        > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

        > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

        > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

        > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

        > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

        > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

        > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

        > -----END CERTIFICATE-----

        > EOT

      pub.pem patched with other notBefore / notAfter:

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-not-yet.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

        > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

        > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

        > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

        > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

        > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

        > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

        > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub-not-yet.pem > server-not-yet.pem

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-expired.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

        > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

        > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

        > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

        > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

        > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

        > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

        > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub-expired.pem > server-expired.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ hg init test

        $ cd test

        $ echo foo>foo

        $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

        $ echo foo>foo.d/foo

        $ echo bar>foo.d/bAr.hg.d/BaR

        $ echo bar>foo.d/baR.d.hg/bAR

        $ hg commit -A -m 1

        adding foo

        adding foo.d/bAr.hg.d/BaR

        adding foo.d/baR.d.hg/bAR

        adding foo.d/foo

        $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

        $ cat ../hg0.pid >> $DAEMON_PIDS

        timeless
    
cacert: improve error report when web.cacert file does not exist

              r13544
            
      cacert not found

        $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

        abort: could not find web.cacerts: no-such.pem

        [255]

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
      Test server address cannot be reused

        Adrian Buehlmann
    
test-http and test-https: partially adapt for Windows

              r17023
            
      #if windows

        $ hg serve -p $HGPORT --certificate=$PRIV 2>&1

        Simon Heimberg
    
tests: remove glob from output lines containing no glob character

              r18682
            
        abort: cannot start server at ':$HGPORT':

        Adrian Buehlmann
    
test-http and test-https: partially adapt for Windows

              r17023
            
        [255]

      #else

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ hg serve -p $HGPORT --certificate=$PRIV 2>&1

        abort: cannot start server at ':$HGPORT': Address already in use

        [255]

        Adrian Buehlmann
    
test-http and test-https: partially adapt for Windows

              r17023
            
      #endif

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ cd ..

      clone via pull

        $ hg clone https://localhost:$HGPORT/ copy-pull

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        requesting all changes

        adding changesets

        adding manifests

        adding file changes

        added 1 changesets with 4 changes to 4 files

        updating to branch default

        4 files updated, 0 files merged, 0 files removed, 0 files unresolved

        $ hg verify -R copy-pull

        checking changesets

        checking manifests

        crosschecking files in changesets and manifests

        checking files

        4 files, 1 changesets, 4 total revisions

        $ cd test

        $ echo bar > bar

        $ hg commit -A -d '1 0' -m 2

        adding bar

        $ cd ..

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      pull without cacert

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ cd copy-pull

        $ echo '[hooks]' >> .hg/hgrc

        Mads Kiilerich
    
tests: consistently use printenv.py the same MSYS/Windows-compatible way...

              r17018
            
        $ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ hg pull

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        adding changesets

        adding manifests

        adding file changes

        added 1 changesets with 1 changes to 1 files

        Adrian Buehlmann
    
tests/printenv.py: eliminate trailing spaces on output

              r16982
            
        changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        (run 'hg update' to get a working copy)

        $ cd ..

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      cacert configured in local repo

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

        $ echo "[web]" >> copy-pull/.hg/hgrc

        $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

        $ hg -R copy-pull pull --traceback

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

        Eduard-Cristian Stefan
    
url: expand path for web.cacerts

              r13231
            
      cacert configured globally, also testing expansion of environment

      variables in the filename

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ echo "[web]" >> $HGRCPATH

        Eduard-Cristian Stefan
    
url: expand path for web.cacerts

              r13231
            
        $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

        $ P=`pwd` hg -R copy-pull pull

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ P=`pwd` hg -R copy-pull pull --insecure

        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      cacert mismatch

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

        Mads Kiilerich
    
sslutil: show fingerprint when cacerts validation fails

              r15814
            
        abort: 127.0.0.1 certificate error: certificate is for localhost

        (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        [255]

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

        warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://127.0.0.1:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ hg -R copy-pull pull --config web.cacerts=pub-other.pem

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
      Test server cert which isn't valid yet

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ cat hg1.pid >> $DAEMON_PIDS

        $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

      Test server cert which no longer is valid

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ cat hg2.pid >> $DAEMON_PIDS

        $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
      Fingerprints

        $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

        $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

        $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

      - works without cacerts

        $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=

        5fed3813f7f5

      - fails when cert doesn't match hostname (port is ignored)

        $ hg -R copy-pull id https://localhost:$HGPORT1/

        Matt Mackall
    
sslutil: more helpful fingerprint mismatch message...

              r15997
            
        abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

        (check hostfingerprint configuration)

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        [255]

        Augie Fackler
    
test-https.t: stop using kill `cat $pidfile`

              r18588
            
        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
      - ignores that certificate doesn't match hostname

        $ hg -R copy-pull id https://127.0.0.1:$HGPORT/

        5fed3813f7f5

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        Augie Fackler
    
test-https.t: stop using kill `cat $pidfile`

              r18588
            
      HGPORT1 is reused below for tinyproxy tests. Kill that server.

        $ "$TESTDIR/killdaemons.py" hg1.pid

        Matt Mackall
    
tests: fix startup/shutdown races in test-https...

              r16300
            
        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
      Prepare for connecting through proxy

        Matt Mackall
    
tests: fix startup/shutdown races in test-https...

              r16300
            
        $ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

        Mads Kiilerich
    
tests: use 'do sleep 0' instead of 'do true', also on first line of command...

              r16496
            
        $ while [ ! -f proxy.pid ]; do sleep 0; done

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        $ cat proxy.pid >> $DAEMON_PIDS

        $ echo "[http_proxy]" >> copy-pull/.hg/hgrc

        $ echo "always=True" >> copy-pull/.hg/hgrc

        $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

        $ echo "localhost =" >> copy-pull/.hg/hgrc

      Test unvalidated https through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

      Test https with cacert and fingerprint through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

        pulling from https://127.0.0.1:$HGPORT/

        searching for changes

        no changes found

      Test https with cert problems through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        Mads Kiilerich
    
url: merge BetterHTTPS with httpsconnection to get some proxy https validation

              r13424
            
        [255]

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        Mads Kiilerich
    
url: merge BetterHTTPS with httpsconnection to get some proxy https validation

              r13424
            
        [255]

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Mads Kiilerich hgweb: use Pythons ssl module for HTTPS serve when using Python 2.6 or later...	r12784	Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich serve: fix https mode and add test...	r12740
Mads Kiilerich tests: use 'hghave serve' to guard tests that requires serve daemon management	r15446	$ "$TESTDIR/hghave" serve ssl \|\| exit 80
Mads Kiilerich serve: fix https mode and add test...	r12740
		Certificates created with:
		printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' \| \
		openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
		Can be dumped with:
		openssl x509 -in pub.pem -text

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > priv.pem
Mads Kiilerich serve: fix https mode and add test...	r12740	> -----BEGIN PRIVATE KEY-----
		> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
		> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
		> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
		> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
		> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
		> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
		> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
		> HY8gUVkVRVs=
		> -----END PRIVATE KEY-----
		> EOT

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub.pem
Mads Kiilerich serve: fix https mode and add test...	r12740	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
		> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
		> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
		> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
		> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
		> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
		> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
		> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
		> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub.pem >> server.pem
		$ PRIV=`pwd`/server.pem

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-other.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
		> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
		> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
		> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
		> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
		> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
		> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
		> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
		> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
		> -----END CERTIFICATE-----
		> EOT

		pub.pem patched with other notBefore / notAfter:

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-not-yet.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
		> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
		> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
		> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
		> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
		> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
		> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
		> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-expired.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
		> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
		> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
		> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
		> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
		> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
		> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
		> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub-expired.pem > server-expired.pem

Mads Kiilerich serve: fix https mode and add test...	r12740	$ hg init test
		$ cd test
		$ echo foo>foo
		$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
		$ echo foo>foo.d/foo
		$ echo bar>foo.d/bAr.hg.d/BaR
		$ echo bar>foo.d/baR.d.hg/bAR
		$ hg commit -A -m 1
		adding foo
		adding foo.d/bAr.hg.d/BaR
		adding foo.d/baR.d.hg/bAR
		adding foo.d/foo
		$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
		$ cat ../hg0.pid >> $DAEMON_PIDS

timeless cacert: improve error report when web.cacert file does not exist	r13544	cacert not found

		$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
		abort: could not find web.cacerts: no-such.pem
		[255]

Mads Kiilerich serve: fix https mode and add test...	r12740	Test server address cannot be reused

Adrian Buehlmann test-http and test-https: partially adapt for Windows	r17023	#if windows
		$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Simon Heimberg tests: remove glob from output lines containing no glob character	r18682	abort: cannot start server at ':$HGPORT':
Adrian Buehlmann test-http and test-https: partially adapt for Windows	r17023	[255]
		#else
Mads Kiilerich serve: fix https mode and add test...	r12740	$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
		abort: cannot start server at ':$HGPORT': Address already in use
		[255]
Adrian Buehlmann test-http and test-https: partially adapt for Windows	r17023	#endif
Mads Kiilerich serve: fix https mode and add test...	r12740	$ cd ..

		clone via pull

		$ hg clone https://localhost:$HGPORT/ copy-pull
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	requesting all changes
		adding changesets
		adding manifests
		adding file changes
		added 1 changesets with 4 changes to 4 files
		updating to branch default
		4 files updated, 0 files merged, 0 files removed, 0 files unresolved
		$ hg verify -R copy-pull
		checking changesets
		checking manifests
		crosschecking files in changesets and manifests
		checking files
		4 files, 1 changesets, 4 total revisions
		$ cd test
		$ echo bar > bar
		$ hg commit -A -d '1 0' -m 2
		adding bar
		$ cd ..

Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	pull without cacert
Mads Kiilerich serve: fix https mode and add test...	r12740
		$ cd copy-pull
		$ echo '[hooks]' >> .hg/hgrc
Mads Kiilerich tests: consistently use printenv.py the same MSYS/Windows-compatible way...	r17018	$ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc
Mads Kiilerich serve: fix https mode and add test...	r12740	$ hg pull
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	pulling from https://localhost:$HGPORT/
		searching for changes
		adding changesets
		adding manifests
		adding file changes
		added 1 changesets with 1 changes to 1 files
Adrian Buehlmann tests/printenv.py: eliminate trailing spaces on output	r16982	changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
Mads Kiilerich serve: fix https mode and add test...	r12740	(run 'hg update' to get a working copy)
		$ cd ..
Mads Kiilerich test-https: test web.cacerts functionality	r12741
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	cacert configured in local repo
Mads Kiilerich test-https: test web.cacerts functionality	r12741
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
		$ echo "[web]" >> copy-pull/.hg/hgrc
		$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
		$ hg -R copy-pull pull --traceback
Mads Kiilerich test-https: test web.cacerts functionality	r12741	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

Eduard-Cristian Stefan url: expand path for web.cacerts	r13231	cacert configured globally, also testing expansion of environment
		variables in the filename
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192
		$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan url: expand path for web.cacerts	r13231	$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
		$ P=`pwd` hg -R copy-pull pull
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ P=`pwd` hg -R copy-pull pull --insecure
		warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192
		cacert mismatch

Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
Mads Kiilerich sslutil: show fingerprint when cacerts validation fails	r15814	abort: 127.0.0.1 certificate error: certificate is for localhost
		(configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
Mads Kiilerich test-https: test web.cacerts functionality	r12741	[255]
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
		warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://127.0.0.1:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ hg -R copy-pull pull --config web.cacerts=pub-other.pem
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
		warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich test-https: test web.cacerts functionality	r12741
		Test server cert which isn't valid yet

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ cat hg1.pid >> $DAEMON_PIDS
		$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]

		Test server cert which no longer is valid

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ cat hg2.pid >> $DAEMON_PIDS
		$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314
		Fingerprints

		$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
		$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
		$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

		- works without cacerts
		$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
		5fed3813f7f5

		- fails when cert doesn't match hostname (port is ignored)
		$ hg -R copy-pull id https://localhost:$HGPORT1/
Matt Mackall sslutil: more helpful fingerprint mismatch message...	r15997	abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
		(check hostfingerprint configuration)
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	[255]

Augie Fackler test-https.t: stop using kill `cat $pidfile`	r18588
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	- ignores that certificate doesn't match hostname
		$ hg -R copy-pull id https://127.0.0.1:$HGPORT/
		5fed3813f7f5
Mads Kiilerich tests: test https through http proxy...	r13423
Augie Fackler test-https.t: stop using kill `cat $pidfile`	r18588	HGPORT1 is reused below for tinyproxy tests. Kill that server.
		$ "$TESTDIR/killdaemons.py" hg1.pid
Matt Mackall tests: fix startup/shutdown races in test-https...	r16300
Mads Kiilerich tests: test https through http proxy...	r13423	Prepare for connecting through proxy

Matt Mackall tests: fix startup/shutdown races in test-https...	r16300	$ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich tests: use 'do sleep 0' instead of 'do true', also on first line of command...	r16496	$ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich tests: test https through http proxy...	r13423	$ cat proxy.pid >> $DAEMON_PIDS

		$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
		$ echo "always=True" >> copy-pull/.hg/hgrc
		$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
		$ echo "localhost =" >> copy-pull/.hg/hgrc

		Test unvalidated https through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
Mads Kiilerich tests: update test-https.t output...	r13438	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich tests: test https through http proxy...	r13423	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found

		Test https with cacert and fingerprint through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
		pulling from https://127.0.0.1:$HGPORT/
		searching for changes
		no changes found

		Test https with cert problems through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
Mads Kiilerich tests: update test-https.t output...	r13438	abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
Mads Kiilerich url: merge BetterHTTPS with httpsconnection to get some proxy https validation	r13424	[255]
Mads Kiilerich tests: test https through http proxy...	r13423	$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
Mads Kiilerich tests: update test-https.t output...	r13438	abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
Mads Kiilerich url: merge BetterHTTPS with httpsconnection to get some proxy https validation	r13424	[255]