upstream/mercurial-mirror Files · tests/sslcerts/README

sslutil: print a warning when using TLS 1.0 on legacy Python...

sslutil: print a warning when using TLS 1.0 on legacy Python Mercurial now requires TLS 1.1+ when TLS 1.1+ is supported by the client. Since we made the decision to require TLS 1.1+ when running with modern Python versions, it makes sense to do something for legacy Python versions that only support TLS 1.0. Feature parity would be to prevent TLS 1.0 connections out of the box and require a config option to enable them. However, this is extremely user hostile since Mercurial wouldn't talk to https:// by default in these installations! I can easily see how someone would do something foolish like use "--insecure" instead - and that would be worse than allowing TLS 1.0! This patch takes the compromise position of printing a warning when performing TLS 1.0 connections when running on old Python versions. While this warning is no more annoying than the CA certificate / fingerprint warnings in Mercurial 3.8, we provide a config option to disable the warning because to many people upgrading Python to make the warning go away is not an available recourse (unlike pinning fingerprints is for the CA warning). The warning appears as optional output in a lot of tests.

Gregory Szorc - - Load All Authors

File last commit:

r29526:9d02bed8 default


                r29561:1a782fab

default

Download file

             README
        
                    50 lines
            
             | 2.0 KiB
            
                | text/plain
            
             |
                TextLexer

/ tests / sslcerts / README

History | Source | Raw |Copy content |Copy permalink

Gregory Szorc tests: regenerate x509 test certificates...	r29526	Generate a private key (priv.pem):

		$ openssl genrsa -out priv.pem 2048

		Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

		$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' \| \
		openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem

		$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' \| \
		openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem
Yuya Nishihara tests: extract SSL certificates from test-https.t...	r29331
Gregory Szorc tests: regenerate x509 test certificates...	r29526	Now generate an expired certificate by turning back the system time:

		$ date --set='2016-01-01T00:00:00Z'
		$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' \| \
		openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem
Yuya Nishihara tests: extract SSL certificates from test-https.t...	r29331
Gregory Szorc tests: regenerate x509 test certificates...	r29526	Generate a certificate not yet active by advancing the system time:

		$ date --set='2030-01-01T00:00:00Z'
		$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' \| \
		openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem
Yuya Nishihara tests: extract SSL certificates from test-https.t...	r29331
Gregory Szorc tests: regenerate x509 test certificates...	r29526	Note: When adjusting system time, verify the time change sticks. If running
		systemd, you may want to use `timedatectl set-ntp false` and e.g.
		`timedatectl set-time '2016-01-01 00:00:00'` to set system time.

		Generate a passphrase protected client certificate private key:

		$ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

		Create a copy of the private key without a passphrase:

		$ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
Yuya Nishihara tests: extract SSL certificates from test-https.t...	r29331
Gregory Szorc tests: regenerate x509 test certificates...	r29526	Create a CSR and sign the key using the server keypair:

		$ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' \| \
		openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
		$ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
		-set_serial 01 -out client-cert.pem
Yuya Nishihara tests: extract SSL certificates from test-https.t...	r29331
Gregory Szorc tests: regenerate x509 test certificates...	r29526	When replacing the certificates, references to certificate fingerprints will
		need to be updated in test files.

		Fingerprints for certs can be obtained by running:

		$ openssl x509 -in pub.pem -noout -sha1 -fingerprint
		$ openssl x509 -in pub.pem -noout -sha256 -fingerprint

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages