test-https.t
666 lines
| 35.9 KiB
| text/troff
|
Tads3Lexer
/ tests / test-https.t
Matt Mackall
|
r22046 | #require serve ssl | ||
Mads Kiilerich
|
r12740 | |||
|
Matt Mackall
|
r22046 | Proper https client requires the built-in ssl from Python 2.6. | ||
|
Mads Kiilerich
|
r12740 | |||
Yuya Nishihara
|
r29331 | Make server certificates: | ||
|
Mads Kiilerich
|
r12741 | |||
|
Yuya Nishihara
|
r29331 | $ CERTSDIR="$TESTDIR/sslcerts" | ||
| $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem | ||||
| $ PRIV=`pwd`/server.pem | ||||
| $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem | ||||
| $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem | ||||
|
Yuya Nishihara
|
r25413 | |||
|
Mads Kiilerich
|
r12740 | $ hg init test | ||
| $ cd test | ||||
| $ echo foo>foo | ||||
| $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg | ||||
| $ echo foo>foo.d/foo | ||||
| $ echo bar>foo.d/bAr.hg.d/BaR | ||||
| $ echo bar>foo.d/baR.d.hg/bAR | ||||
| $ hg commit -A -m 1 | ||||
| adding foo | ||||
| adding foo.d/bAr.hg.d/BaR | ||||
| adding foo.d/baR.d.hg/bAR | ||||
| adding foo.d/foo | ||||
| $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV | ||||
| $ cat ../hg0.pid >> $DAEMON_PIDS | ||||
timeless
|
r13544 | cacert not found | ||
| $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ | ||||
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
timeless
|
r13544 | abort: could not find web.cacerts: no-such.pem | ||
| [255] | ||||
|
Mads Kiilerich
|
r12740 | Test server address cannot be reused | ||
Adrian Buehlmann
|
r17023 | $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 | ||
Matt Harbison
|
r35233 | abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$ | ||
|
Adrian Buehlmann
|
r17023 | [255] | ||
|
Matt Harbison
|
r35233 | |||
|
Mads Kiilerich
|
r12740 | $ cd .. | ||
|
Gregory Szorc
|
r29288 | Our test cert is not signed by a trusted CA. It should fail to verify if | ||
| we are able to load CA certs. | ||||
Mads Kiilerich
|
r22575 | |||
|
Gregory Szorc
|
r29481 | #if sslcontext defaultcacerts no-defaultcacertsloaded | ||
|
Mads Kiilerich
|
r22575 | $ hg clone https://localhost:$HGPORT/ copy-pull | ||
|
Gregory Szorc
|
r29449 | (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | ||
Augie Fackler
|
r23823 | abort: error: *certificate verify failed* (glob) | ||
|
Mads Kiilerich
|
r22575 | [255] | ||
|
Gregory Szorc
|
r29481 | #endif | ||
| #if no-sslcontext defaultcacerts | ||||
| $ hg clone https://localhost:$HGPORT/ copy-pull | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29500 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | ||
|
Gregory Szorc
|
r29481 | abort: error: *certificate verify failed* (glob) | ||
| [255] | ||||
| #endif | ||||
|
Gregory Szorc
|
r29489 | #if no-sslcontext windows | ||
| $ hg clone https://localhost:$HGPORT/ copy-pull | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | ||
|
Gregory Szorc
|
r29489 | (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) | ||
| abort: error: *certificate verify failed* (glob) | ||||
| [255] | ||||
| #endif | ||||
|
Gregory Szorc
|
r29499 | #if no-sslcontext osx | ||
| $ hg clone https://localhost:$HGPORT/ copy-pull | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | ||
|
Gregory Szorc
|
r29499 | (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) | ||
| abort: localhost certificate error: no certificate received | ||||
|
Gregory Szorc
|
r29526 | (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) | ||
|
Gregory Szorc
|
r29499 | [255] | ||
| #endif | ||||
|
Gregory Szorc
|
r29481 | #if defaultcacertsloaded | ||
| $ hg clone https://localhost:$HGPORT/ copy-pull | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29500 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | ||
|
Matt Harbison
|
r33494 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | ||
|
Gregory Szorc
|
r29481 | abort: error: *certificate verify failed* (glob) | ||
| [255] | ||||
| #endif | ||||
| #if no-defaultcacerts | ||||
|
Gregory Szorc
|
r29448 | $ hg clone https://localhost:$HGPORT/ copy-pull | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29499 | (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | ||
|
Gregory Szorc
|
r29448 | abort: localhost certificate error: no certificate received | ||
|
Gregory Szorc
|
r29526 | (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) | ||
|
Gregory Szorc
|
r29448 | [255] | ||
|
Gregory Szorc
|
r29288 | #endif | ||
|
Mads Kiilerich
|
r22575 | |||
|
Matt Harbison
|
r31766 | Specifying a per-host certificate file that doesn't exist will abort. The full | ||
| C:/path/to/msysroot will print on Windows. | ||||
|
Gregory Szorc
|
r29334 | |||
| $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Matt Harbison
|
r31766 | abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob) | ||
|
Gregory Szorc
|
r29334 | [255] | ||
| A malformed per-host certificate file will raise an error | ||||
| $ echo baddata > badca.pem | ||||
|
Gregory Szorc
|
r29446 | #if sslcontext | ||
| $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29446 | abort: error loading CA file badca.pem: * (glob) | ||
| (file is empty or malformed?) | ||||
| [255] | ||||
| #else | ||||
|
Gregory Szorc
|
r29334 | $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
Durham Goode
|
r29356 | abort: error: * (glob) | ||
|
Gregory Szorc
|
r29334 | [255] | ||
|
Gregory Szorc
|
r29446 | #endif | ||
|
Gregory Szorc
|
r29334 | |||
| A per-host certificate mismatching the server will fail verification | ||||
|
Gregory Szorc
|
r29449 | (modern ssl is able to discern whether the loaded cert is a CA cert) | ||
| #if sslcontext | ||||
| $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29449 | (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | ||
|
Matt Harbison
|
r33494 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | ||
|
Gregory Szorc
|
r29449 | abort: error: *certificate verify failed* (glob) | ||
| [255] | ||||
| #else | ||||
|
Gregory Szorc
|
r29334 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29334 | abort: error: *certificate verify failed* (glob) | ||
| [255] | ||||
|
Gregory Szorc
|
r29449 | #endif | ||
|
Gregory Szorc
|
r29334 | |||
| A per-host certificate matching the server's cert will be accepted | ||||
| $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29334 | requesting all changes | ||
| adding changesets | ||||
| adding manifests | ||||
| adding file changes | ||||
| added 1 changesets with 4 changes to 4 files | ||||
Denis Laxalde
|
r34662 | new changesets 8b6053c928fe | ||
|
Gregory Szorc
|
r29334 | |||
| A per-host certificate with multiple certs and one matching will be accepted | ||||
| $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem | ||||
| $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29334 | requesting all changes | ||
| adding changesets | ||||
| adding manifests | ||||
| adding file changes | ||||
| added 1 changesets with 4 changes to 4 files | ||||
|
Denis Laxalde
|
r34662 | new changesets 8b6053c928fe | ||
|
Gregory Szorc
|
r29334 | |||
| Defining both per-host certificate and a fingerprint will print a warning | ||||
|
Gregory Szorc
|
r29526 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29334 | (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) | ||
| requesting all changes | ||||
| adding changesets | ||||
| adding manifests | ||||
| adding file changes | ||||
| added 1 changesets with 4 changes to 4 files | ||||
|
Denis Laxalde
|
r34662 | new changesets 8b6053c928fe | ||
|
Gregory Szorc
|
r29334 | |||
|
Gregory Szorc
|
r29288 | $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" | ||
|
Mads Kiilerich
|
r22575 | |||
|
Gregory Szorc
|
r29411 | Inability to verify peer certificate will result in abort | ||
|
Mads Kiilerich
|
r12740 | |||
|
Gregory Szorc
|
r29288 | $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29411 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect | ||
|
Gregory Szorc
|
r29526 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) | ||
|
Gregory Szorc
|
r29411 | [255] | ||
| $ hg clone --insecure https://localhost:$HGPORT/ copy-pull | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29411 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||
|
Mads Kiilerich
|
r12740 | requesting all changes | ||
| adding changesets | ||||
| adding manifests | ||||
| adding file changes | ||||
| added 1 changesets with 4 changes to 4 files | ||||
|
Denis Laxalde
|
r34662 | new changesets 8b6053c928fe | ||
|
Mads Kiilerich
|
r12740 | updating to branch default | ||
| 4 files updated, 0 files merged, 0 files removed, 0 files unresolved | ||||
| $ hg verify -R copy-pull | ||||
| checking changesets | ||||
| checking manifests | ||||
| crosschecking files in changesets and manifests | ||||
| checking files | ||||
| 4 files, 1 changesets, 4 total revisions | ||||
| $ cd test | ||||
| $ echo bar > bar | ||||
| $ hg commit -A -d '1 0' -m 2 | ||||
| adding bar | ||||
| $ cd .. | ||||
|
Mads Kiilerich
|
r13192 | pull without cacert | ||
|
Mads Kiilerich
|
r12740 | |||
| $ cd copy-pull | ||||
FUJIWARA Katsunori
|
r30234 | $ cat >> .hg/hgrc <<EOF | ||
| > [hooks] | ||||
| > changegroup = sh -c "printenv.py changegroup" | ||||
| > EOF | ||||
|
Gregory Szorc
|
r29288 | $ hg pull $DISABLECACERTS | ||
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29411 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect | ||
|
Gregory Szorc
|
r29526 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) | ||
|
Gregory Szorc
|
r29411 | [255] | ||
| $ hg pull --insecure | ||||
| pulling from https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29411 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||
|
Mads Kiilerich
|
r12740 | searching for changes | ||
| adding changesets | ||||
| adding manifests | ||||
| adding file changes | ||||
| added 1 changesets with 1 changes to 1 files | ||||
|
Denis Laxalde
|
r34662 | new changesets 5fed3813f7f5 | ||
Pierre-Yves David
|
r31747 | changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/ | ||
|
Mads Kiilerich
|
r12740 | (run 'hg update' to get a working copy) | ||
| $ cd .. | ||||
|
Mads Kiilerich
|
r12741 | |||
|
Mads Kiilerich
|
r13192 | cacert configured in local repo | ||
|
Mads Kiilerich
|
r12741 | |||
|
Mads Kiilerich
|
r13192 | $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu | ||
| $ echo "[web]" >> copy-pull/.hg/hgrc | ||||
|
Yuya Nishihara
|
r29331 | $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc | ||
|
Augie Fackler
|
r29842 | $ hg -R copy-pull pull | ||
|
Mads Kiilerich
|
r12741 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Mads Kiilerich
|
r12741 | searching for changes | ||
| no changes found | ||||
|
Mads Kiilerich
|
r13192 | $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc | ||
Eduard-Cristian Stefan
|
r13231 | cacert configured globally, also testing expansion of environment | ||
| variables in the filename | ||||
|
Mads Kiilerich
|
r13192 | |||
| $ echo "[web]" >> $HGRCPATH | ||||
|
Eduard-Cristian Stefan
|
r13231 | $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH | ||
|
Yuya Nishihara
|
r29331 | $ P="$CERTSDIR" hg -R copy-pull pull | ||
|
Mads Kiilerich
|
r13192 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Mads Kiilerich
|
r13192 | searching for changes | ||
| no changes found | ||||
|
Yuya Nishihara
|
r29331 | $ P="$CERTSDIR" hg -R copy-pull pull --insecure | ||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29289 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||
|
Yuya Nishihara
|
r13328 | searching for changes | ||
| no changes found | ||||
|
Mads Kiilerich
|
r13192 | |||
|
Gregory Szorc
|
r29445 | empty cacert file | ||
| $ touch emptycafile | ||||
|
Gregory Szorc
|
r29446 | |||
| #if sslcontext | ||||
| $ hg --config web.cacerts=emptycafile -R copy-pull pull | ||||
| pulling from https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29446 | abort: error loading CA file emptycafile: * (glob) | ||
| (file is empty or malformed?) | ||||
| [255] | ||||
| #else | ||||
|
Gregory Szorc
|
r29445 | $ hg --config web.cacerts=emptycafile -R copy-pull pull | ||
| pulling from https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29445 | abort: error: * (glob) | ||
| [255] | ||||
|
Gregory Szorc
|
r29446 | #endif | ||
|
Gregory Szorc
|
r29445 | |||
|
Mads Kiilerich
|
r13192 | cacert mismatch | ||
|
Yuya Nishihara
|
r29331 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ | ||
Jun Wu
|
r31008 | > https://$LOCALIP:$HGPORT/ | ||
| pulling from https://*:$HGPORT/ (glob) | ||||
| warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||||
|
Augie Fackler
|
r31813 | abort: $LOCALIP certificate error: certificate is for localhost (glob) | ||
|
Jun Wu
|
r31008 | (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) | ||
|
Mads Kiilerich
|
r12741 | [255] | ||
|
Yuya Nishihara
|
r29331 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ | ||
|
Jun Wu
|
r31008 | > https://$LOCALIP:$HGPORT/ --insecure | ||
| pulling from https://*:$HGPORT/ (glob) | ||||
| warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||||
|
Augie Fackler
|
r31813 | warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) | ||
|
Yuya Nishihara
|
r13328 | searching for changes | ||
| no changes found | ||||
|
Yuya Nishihara
|
r29331 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" | ||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Matt Harbison
|
r33494 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | ||
|
Augie Fackler
|
r23823 | abort: error: *certificate verify failed* (glob) | ||
|
Mads Kiilerich
|
r12741 | [255] | ||
|
Yuya Nishihara
|
r29331 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ | ||
| > --insecure | ||||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29289 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||
|
Yuya Nishihara
|
r13328 | searching for changes | ||
| no changes found | ||||
|
Mads Kiilerich
|
r12741 | |||
| Test server cert which isn't valid yet | ||||
|
Jun Wu
|
r28549 | $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem | ||
|
Mads Kiilerich
|
r12741 | $ cat hg1.pid >> $DAEMON_PIDS | ||
|
Yuya Nishihara
|
r29331 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ | ||
| > https://localhost:$HGPORT1/ | ||||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT1/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Matt Harbison
|
r33494 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | ||
|
Augie Fackler
|
r23823 | abort: error: *certificate verify failed* (glob) | ||
|
Mads Kiilerich
|
r12741 | [255] | ||
| Test server cert which no longer is valid | ||||
|
Jun Wu
|
r28549 | $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem | ||
|
Mads Kiilerich
|
r12741 | $ cat hg2.pid >> $DAEMON_PIDS | ||
|
Yuya Nishihara
|
r29331 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ | ||
| > https://localhost:$HGPORT2/ | ||||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT2/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Matt Harbison
|
r33494 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | ||
|
Augie Fackler
|
r23823 | abort: error: *certificate verify failed* (glob) | ||
|
Mads Kiilerich
|
r12741 | [255] | ||
|
Mads Kiilerich
|
r13314 | |||
|
Gregory Szorc
|
r29561 | Disabling the TLS 1.0 warning works | ||
| $ hg -R copy-pull id https://localhost:$HGPORT/ \ | ||||
| > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \ | ||||
| > --config hostsecurity.disabletls10warning=true | ||||
| 5fed3813f7f5 | ||||
|
Gregory Szorc
|
r32230 | Error message for setting ciphers is different depending on SSLContext support | ||
|
Gregory Szorc
|
r29577 | |||
|
Gregory Szorc
|
r32230 | #if no-sslcontext | ||
|
Gregory Szorc
|
r29577 | $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ | ||
| warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | ||||
| abort: *No cipher can be selected. (glob) | ||||
| [255] | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ | ||||
| warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | ||||
| 5fed3813f7f5 | ||||
| #endif | ||||
| #if sslcontext | ||||
| Setting ciphers to an invalid value aborts | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29577 | abort: could not set ciphers: No cipher can be selected. | ||
| (change cipher string (invalid) in config) | ||||
| [255] | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29577 | abort: could not set ciphers: No cipher can be selected. | ||
| (change cipher string (invalid) in config) | ||||
| [255] | ||||
| Changing the cipher string works | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29577 | 5fed3813f7f5 | ||
| #endif | ||||
|
Mads Kiilerich
|
r13314 | Fingerprints | ||
|
Mads Kiilerich
|
r30332 | - works without cacerts (hostfingerprints) | ||
|
Gregory Szorc
|
r29526 | $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r32273 | (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) | ||
|
Mads Kiilerich
|
r13314 | 5fed3813f7f5 | ||
|
Gregory Szorc
|
r29267 | - works without cacerts (hostsecurity) | ||
|
Gregory Szorc
|
r29526 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29267 | 5fed3813f7f5 | ||
|
Gregory Szorc
|
r29526 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29267 | 5fed3813f7f5 | ||
|
Gregory Szorc
|
r28525 | - multiple fingerprints specified and first matches | ||
|
Gregory Szorc
|
r29526 | $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r32273 | (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) | ||
|
Gregory Szorc
|
r28525 | 5fed3813f7f5 | ||
|
Gregory Szorc
|
r29526 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29267 | 5fed3813f7f5 | ||
|
Gregory Szorc
|
r28525 | - multiple fingerprints specified and last matches | ||
|
Gregory Szorc
|
r29526 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r32273 | (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) | ||
|
Gregory Szorc
|
r28525 | 5fed3813f7f5 | ||
|
Gregory Szorc
|
r29526 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29267 | 5fed3813f7f5 | ||
|
Gregory Szorc
|
r28525 | - multiple fingerprints specified and none match | ||
|
Gregory Szorc
|
r28847 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29526 | abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | ||
|
Gregory Szorc
|
r28525 | (check hostfingerprint configuration) | ||
| [255] | ||||
|
Gregory Szorc
|
r29267 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29526 | abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | ||
|
Gregory Szorc
|
r29268 | (check hostsecurity configuration) | ||
|
Gregory Szorc
|
r29267 | [255] | ||
|
Mads Kiilerich
|
r13314 | - fails when cert doesn't match hostname (port is ignored) | ||
|
Gregory Szorc
|
r29526 | $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29526 | abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 | ||
|
Matt Mackall
|
r15997 | (check hostfingerprint configuration) | ||
|
Mads Kiilerich
|
r13314 | [255] | ||
Augie Fackler
|
r18588 | |||
|
Mads Kiilerich
|
r13314 | - ignores that certificate doesn't match hostname | ||
|
Jun Wu
|
r31008 | $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | ||
| warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||||
|
Gregory Szorc
|
r32273 | (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) | ||
|
Mads Kiilerich
|
r13314 | 5fed3813f7f5 | ||
|
Mads Kiilerich
|
r13423 | |||
|
Gregory Szorc
|
r29559 | Ports used by next test. Kill servers. | ||
| $ killdaemons.py hg0.pid | ||||
|
Matt Mackall
|
r25472 | $ killdaemons.py hg1.pid | ||
|
Gregory Szorc
|
r29559 | $ killdaemons.py hg2.pid | ||
|
Gregory Szorc
|
r29601 | #if sslcontext tls1.2 | ||
|
Gregory Szorc
|
r29559 | Start servers running supported TLS versions | ||
| $ cd test | ||||
| $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ | ||||
| > --config devel.serverexactprotocol=tls1.0 | ||||
| $ cat ../hg0.pid >> $DAEMON_PIDS | ||||
| $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ | ||||
| > --config devel.serverexactprotocol=tls1.1 | ||||
| $ cat ../hg1.pid >> $DAEMON_PIDS | ||||
| $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ | ||||
| > --config devel.serverexactprotocol=tls1.2 | ||||
| $ cat ../hg2.pid >> $DAEMON_PIDS | ||||
| $ cd .. | ||||
| Clients talking same TLS versions work | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ | ||||
| 5fed3813f7f5 | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ | ||||
| 5fed3813f7f5 | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ | ||||
| 5fed3813f7f5 | ||||
| Clients requiring newer TLS version than what server supports fail | ||||
|
Gregory Szorc
|
r29560 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29619 | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
|
Gregory Szorc
|
r29560 | abort: error: *unsupported protocol* (glob) | ||
| [255] | ||||
|
Gregory Szorc
|
r29559 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29619 | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
|
Gregory Szorc
|
r29559 | abort: error: *unsupported protocol* (glob) | ||
| [255] | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29619 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
|
Gregory Szorc
|
r29559 | abort: error: *unsupported protocol* (glob) | ||
| [255] | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ | ||||
|
Gregory Szorc
|
r29619 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
|
Gregory Szorc
|
r29559 | abort: error: *unsupported protocol* (glob) | ||
| [255] | ||||
|
Gregory Szorc
|
r29617 | --insecure will allow TLS 1.0 connections and override configs | ||
| $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ | ||||
| warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||||
| 5fed3813f7f5 | ||||
|
Gregory Szorc
|
r29559 | The per-host config option overrides the default | ||
| $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||||
| > --config hostsecurity.minimumprotocol=tls1.2 \ | ||||
| > --config hostsecurity.localhost:minimumprotocol=tls1.0 | ||||
| 5fed3813f7f5 | ||||
| The per-host config option by itself works | ||||
| $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||||
| > --config hostsecurity.localhost:minimumprotocol=tls1.2 | ||||
|
Gregory Szorc
|
r29619 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
|
Gregory Szorc
|
r29559 | abort: error: *unsupported protocol* (glob) | ||
| [255] | ||||
|
Gregory Szorc
|
r29616 | .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) | ||
| $ cat >> copy-pull/.hg/hgrc << EOF | ||||
| > [hostsecurity] | ||||
| > localhost:minimumprotocol=tls1.2 | ||||
| > EOF | ||||
| $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ | ||||
|
Gregory Szorc
|
r29619 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
|
Gregory Szorc
|
r29635 | abort: error: *unsupported protocol* (glob) | ||
|
Gregory Szorc
|
r29616 | [255] | ||
|
Gregory Szorc
|
r29559 | $ killdaemons.py hg0.pid | ||
| $ killdaemons.py hg1.pid | ||||
| $ killdaemons.py hg2.pid | ||||
| #endif | ||||
|
Matt Mackall
|
r16300 | |||
|
Mads Kiilerich
|
r13423 | Prepare for connecting through proxy | ||
|
Gregory Szorc
|
r29559 | $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV | ||
| $ cat hg0.pid >> $DAEMON_PIDS | ||||
| $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem | ||||
| $ cat hg2.pid >> $DAEMON_PIDS | ||||
| tinyproxy.py doesn't fully detach, so killing it may result in extra output | ||||
| from the shell. So don't kill it. | ||||
|
Matt Mackall
|
r25472 | $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & | ||
|
Mads Kiilerich
|
r16496 | $ while [ ! -f proxy.pid ]; do sleep 0; done | ||
|
Mads Kiilerich
|
r13423 | $ cat proxy.pid >> $DAEMON_PIDS | ||
| $ echo "[http_proxy]" >> copy-pull/.hg/hgrc | ||||
| $ echo "always=True" >> copy-pull/.hg/hgrc | ||||
| $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc | ||||
| $ echo "localhost =" >> copy-pull/.hg/hgrc | ||||
| Test unvalidated https through proxy | ||||
|
Augie Fackler
|
r29842 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure | ||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Gregory Szorc
|
r29289 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||
|
Mads Kiilerich
|
r13423 | searching for changes | ||
| no changes found | ||||
| Test https with cacert and fingerprint through proxy | ||||
|
Yuya Nishihara
|
r29331 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ | ||
| > --config web.cacerts="$CERTSDIR/pub.pem" | ||||
|
Mads Kiilerich
|
r13423 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Mads Kiilerich
|
r13423 | searching for changes | ||
| no changes found | ||||
|
Jun Wu
|
r31008 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace | ||
| pulling from https://*:$HGPORT/ (glob) | ||||
| warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||||
|
Gregory Szorc
|
r32273 | (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) | ||
|
Mads Kiilerich
|
r13423 | searching for changes | ||
| no changes found | ||||
| Test https with cert problems through proxy | ||||
|
Yuya Nishihara
|
r29331 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ | ||
| > --config web.cacerts="$CERTSDIR/pub-other.pem" | ||||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Matt Harbison
|
r33494 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | ||
|
Augie Fackler
|
r23823 | abort: error: *certificate verify failed* (glob) | ||
|
Mads Kiilerich
|
r13424 | [255] | ||
|
Yuya Nishihara
|
r29331 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ | ||
| > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ | ||||
|
Thomas Arendsen Hein
|
r24138 | pulling from https://localhost:$HGPORT2/ | ||
|
Gregory Szorc
|
r29561 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Matt Harbison
|
r33494 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | ||
|
Augie Fackler
|
r23823 | abort: error: *certificate verify failed* (glob) | ||
|
Mads Kiilerich
|
r13424 | [255] | ||
|
Yuya Nishihara
|
r25413 | |||
|
Matt Mackall
|
r25472 | $ killdaemons.py hg0.pid | ||
|
Yuya Nishihara
|
r25413 | |||
| #if sslcontext | ||||
|
Gregory Szorc
|
r33381 | $ cd test | ||
| Missing certificate file(s) are detected | ||||
| $ hg serve -p $HGPORT --certificate=/missing/certificate \ | ||||
| > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true | ||||
|
Matt Harbison
|
r33576 | abort: referenced certificate file (*/missing/certificate) does not exist (glob) | ||
|
Gregory Szorc
|
r33381 | [255] | ||
| $ hg serve -p $HGPORT --certificate=$PRIV \ | ||||
| > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true | ||||
|
Matt Harbison
|
r33576 | abort: referenced certificate file (*/missing/cafile) does not exist (glob) | ||
|
Gregory Szorc
|
r33381 | [255] | ||
|
Gregory Szorc
|
r29555 | Start hgweb that requires client certificates: | ||
|
Yuya Nishihara
|
r25413 | |||
| $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ | ||||
|
Gregory Szorc
|
r29555 | > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true | ||
|
Yuya Nishihara
|
r25413 | $ cat ../hg0.pid >> $DAEMON_PIDS | ||
| $ cd .. | ||||
| without client certificate: | ||||
|
Yuya Nishihara
|
r29331 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Yuya Nishihara
|
r25413 | abort: error: *handshake failure* (glob) | ||
| [255] | ||||
| with client certificate: | ||||
| $ cat << EOT >> $HGRCPATH | ||||
| > [auth] | ||||
| > l.prefix = localhost | ||||
|
Yuya Nishihara
|
r29331 | > l.cert = $CERTSDIR/client-cert.pem | ||
| > l.key = $CERTSDIR/client-key.pem | ||||
|
Yuya Nishihara
|
r25413 | > EOT | ||
|
Yuya Nishihara
|
r29331 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||
| > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" | ||||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Yuya Nishihara
|
r25413 | 5fed3813f7f5 | ||
|
Yuya Nishihara
|
r29331 | $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||
|
Yuya Nishihara
|
r25415 | > --config ui.interactive=True --config ui.nontty=True | ||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Yuya Nishihara
|
r29331 | passphrase for */client-key.pem: 5fed3813f7f5 (glob) | ||
|
Yuya Nishihara
|
r25415 | |||
|
Yuya Nishihara
|
r29331 | $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ | ||
|
Gregory Szorc
|
r29601 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | ||
|
Yuya Nishihara
|
r25415 | abort: error: * (glob) | ||
| [255] | ||||
|
Gregory Szorc
|
r33381 | Missing certficate and key files result in error | ||
| $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert | ||||
|
Matt Harbison
|
r33576 | abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob) | ||
|
Gregory Szorc
|
r33381 | (restore missing file or fix references in Mercurial config) | ||
| [255] | ||||
| $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key | ||||
|
Matt Harbison
|
r33576 | abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob) | ||
|
Gregory Szorc
|
r33381 | (restore missing file or fix references in Mercurial config) | ||
| [255] | ||||
|
Yuya Nishihara
|
r25413 | #endif | ||