##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

hgweb: support constructing URLs from an alternate base URL...
hgweb: support constructing URLs from an alternate base URL The web.baseurl config option allows server operators to define a custom URL for hosted content. The way it works today is that hgwebdir parses this config option into URL components then updates the appropriate WSGI environment variables so the request "lies" about its details. For example, SERVER_NAME is updated to reflect the alternate base URL's hostname. The WSGI environment should not be modified because WSGI applications may want to know the original request details (for debugging, etc). This commit teaches our request parser about the existence of an alternate base URL. If defined, the advertised URL and other self-reflected paths will take the alternate base URL into account. The hgweb WSGI application didn't use web.baseurl. But hgwebdir did. We update hgwebdir to alter the environment parsing accordingly. The old code around environment manipulation has been removed. With this change, parserequestfromenv() has grown to a bit unwieldy. Now that practically everyone is using it, it is obvious that there is some unused features that can be trimmed. So look for this in follow-up commits. Differential Revision: https://phab.mercurial-scm.org/D2822
Matt Harbison - - Load All Authors

File last commit:

r35233:1b22d325 default
r36916:219b2335 default
Show More
test-https.t
666 lines | 35.9 KiB | text/troff | Tads3Lexer
/ tests / test-https.t
History | Source | Raw |Copy content |Copy permalink
Matt Mackall
tests: replace exit 80 with #require
 r22046 #require serve ssl
Mads Kiilerich
serve: fix https mode and add test...
 r12740
Matt Mackall
tests: replace exit 80 with #require
 r22046 Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich
serve: fix https mode and add test...
 r12740
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 Make server certificates:
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ CERTSDIR="$TESTDIR/sslcerts"
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
$ PRIV=`pwd`/server.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
timeless
cacert: improve error report when web.cacert file does not exist
 r13544 cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
timeless
cacert: improve error report when web.cacert file does not exist
 r13544 abort: could not find web.cacerts: no-such.pem
[255]
Mads Kiilerich
serve: fix https mode and add test...
 r12740 Test server address cannot be reused
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Matt Harbison
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages...
 r35233 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 [255]
Matt Harbison
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages...
 r35233
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ cd ..
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575
Gregory Szorc
tests: better testing of loaded certificates...
 r29481 #if sslcontext defaultcacerts no-defaultcacertsloaded
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 $ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
 r29449 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 [255]
Gregory Szorc
tests: better testing of loaded certificates...
 r29481 #endif
#if no-sslcontext defaultcacerts
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: try to find CA certficates in well-known locations...
 r29500 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
Gregory Szorc
tests: better testing of loaded certificates...
 r29481 abort: error: *certificate verify failed* (glob)
[255]
#endif
Gregory Szorc
sslutil: handle default CA certificate loading on Windows...
 r29489 #if no-sslcontext windows
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
Gregory Szorc
sslutil: handle default CA certificate loading on Windows...
 r29489 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
abort: error: *certificate verify failed* (glob)
[255]
#endif
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
 r29499 #if no-sslcontext osx
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
 r29499 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
abort: localhost certificate error: no certificate received
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
 r29499 [255]
#endif
Gregory Szorc
tests: better testing of loaded certificates...
 r29481 #if defaultcacertsloaded
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: try to find CA certficates in well-known locations...
 r29500 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
 r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Gregory Szorc
tests: better testing of loaded certificates...
 r29481 abort: error: *certificate verify failed* (glob)
[255]
#endif
#if no-defaultcacerts
Gregory Szorc
tests: test case where default ca certs not available...
 r29448 $ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
 r29499 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
Gregory Szorc
tests: test case where default ca certs not available...
 r29448 abort: localhost certificate error: no certificate received
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
Gregory Szorc
tests: test case where default ca certs not available...
 r29448 [255]
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 #endif
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575
Matt Harbison
tests: add globs for Windows
 r31766 Specifying a per-host certificate file that doesn't exist will abort. The full
C:/path/to/msysroot will print on Windows.
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334
$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Matt Harbison
tests: add globs for Windows
 r31766 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 [255]
A malformed per-host certificate file will raise an error
$ echo baddata > badca.pem
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
 r29446 #if sslcontext
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
 r29446 abort: error loading CA file badca.pem: * (glob)
(file is empty or malformed?)
[255]
#else
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Durham Goode
tests: increase test-https malform error glob...
 r29356 abort: error: * (glob)
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 [255]
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
 r29446 #endif
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334
A per-host certificate mismatching the server will fail verification
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
 r29449 (modern ssl is able to discern whether the loaded cert is a CA cert)
#if sslcontext
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
 r29449 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
 r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
 r29449 abort: error: *certificate verify failed* (glob)
[255]
#else
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 abort: error: *certificate verify failed* (glob)
[255]
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
 r29449 #endif
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334
A per-host certificate matching the server's cert will be accepted
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
 r34662 new changesets 8b6053c928fe
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334
A per-host certificate with multiple certs and one matching will be accepted
$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
 r34662 new changesets 8b6053c928fe
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334
Defining both per-host certificate and a fingerprint will print a warning
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
 r34662 new changesets 8b6053c928fe
Gregory Szorc
sslutil: per-host config option to define certificates...
 r29334
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
 r29411 Inability to verify peer certificate will result in abort
Mads Kiilerich
serve: fix https mode and add test...
 r12740
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
 r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
 r29411 [255]
$ hg clone --insecure https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
 r29411 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
 r12740 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
 r34662 new changesets 8b6053c928fe
Mads Kiilerich
serve: fix https mode and add test...
 r12740 updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg verify -R copy-pull
checking changesets
checking manifests
crosschecking files in changesets and manifests
checking files
4 files, 1 changesets, 4 total revisions
$ cd test
$ echo bar > bar
$ hg commit -A -d '1 0' -m 2
adding bar
$ cd ..
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 pull without cacert
Mads Kiilerich
serve: fix https mode and add test...
 r12740
$ cd copy-pull
FUJIWARA Katsunori
tests: invoke printenv.py via sh -c for test portability...
 r30234 $ cat >> .hg/hgrc <<EOF
> [hooks]
> changegroup = sh -c "printenv.py changegroup"
> EOF
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 $ hg pull $DISABLECACERTS
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
 r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
 r29411 [255]
$ hg pull --insecure
pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
 r29411 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
 r12740 searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
Denis Laxalde
transaction-summary: show the range of new revisions upon pull/unbundle (BC)...
 r34662 new changesets 5fed3813f7f5
Pierre-Yves David
hook: add hook name information to external hook...
 r31747 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
Mads Kiilerich
serve: fix https mode and add test...
 r12740 (run 'hg update' to get a working copy)
$ cd ..
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 cacert configured in local repo
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
$ echo "[web]" >> copy-pull/.hg/hgrc
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
Augie Fackler
test-https: drop two spurious --traceback flags...
 r29842 $ hg -R copy-pull pull
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
Eduard-Cristian Stefan
url: expand path for web.cacerts
 r13231 cacert configured globally, also testing expansion of environment
variables in the filename
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192
$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan
url: expand path for web.cacerts
 r13231 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg -R copy-pull pull
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
 r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192
Gregory Szorc
tests: add test for empty CA certs file...
 r29445 empty cacert file
$ touch emptycafile
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
 r29446
#if sslcontext
$ hg --config web.cacerts=emptycafile -R copy-pull pull
pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
 r29446 abort: error loading CA file emptycafile: * (glob)
(file is empty or malformed?)
[255]
#else
Gregory Szorc
tests: add test for empty CA certs file...
 r29445 $ hg --config web.cacerts=emptycafile -R copy-pull pull
pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: add test for empty CA certs file...
 r29445 abort: error: * (glob)
[255]
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
 r29446 #endif
Gregory Szorc
tests: add test for empty CA certs file...
 r29445
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 cacert mismatch
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
Jun Wu
tests: use LOCALIP...
 r31008 > https://$LOCALIP:$HGPORT/
pulling from https://*:$HGPORT/ (glob)
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
tests: fix missing (glob) annotations in test-https.t
 r31813 abort: $LOCALIP certificate error: certificate is for localhost (glob)
Jun Wu
tests: use LOCALIP...
 r31008 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
Jun Wu
tests: use LOCALIP...
 r31008 > https://$LOCALIP:$HGPORT/ --insecure
pulling from https://*:$HGPORT/ (glob)
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
tests: fix missing (glob) annotations in test-https.t
 r31813 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
 r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
> --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
 r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Test server cert which isn't valid yet
Jun Wu
tests: reorder hg serve commands...
 r28549 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ cat hg1.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
> https://localhost:$HGPORT1/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT1/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
 r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Test server cert which no longer is valid
Jun Wu
tests: reorder hg serve commands...
 r28549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ cat hg2.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
> https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT2/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
 r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 Disabling the TLS 1.0 warning works
$ hg -R copy-pull id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
> --config hostsecurity.disabletls10warning=true
5fed3813f7f5
Gregory Szorc
tests: remove test targeting Python 2.6...
 r32230 Error message for setting ciphers is different depending on SSLContext support
Gregory Szorc
sslutil: support defining cipher list...
 r29577
Gregory Szorc
tests: remove test targeting Python 2.6...
 r32230 #if no-sslcontext
Gregory Szorc
sslutil: support defining cipher list...
 r29577 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
abort: *No cipher can be selected. (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
5fed3813f7f5
#endif
#if sslcontext
Setting ciphers to an invalid value aborts
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: support defining cipher list...
 r29577 abort: could not set ciphers: No cipher can be selected.
(change cipher string (invalid) in config)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: support defining cipher list...
 r29577 abort: could not set ciphers: No cipher can be selected.
(change cipher string (invalid) in config)
[255]
Changing the cipher string works
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: support defining cipher list...
 r29577 5fed3813f7f5
#endif
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 Fingerprints
Mads Kiilerich
spelling: fixes of non-dictionary words
 r30332 - works without cacerts (hostfingerprints)
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
 r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 - works without cacerts (hostsecurity)
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 - multiple fingerprints specified and first matches
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
 r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 - multiple fingerprints specified and last matches
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
 r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 - multiple fingerprints specified and none match
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
 r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 (check hostfingerprint configuration)
[255]
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: reference appropriate config section in messaging...
 r29268 (check hostsecurity configuration)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 - fails when cert doesn't match hostname (port is ignored)
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
 r29526 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
 r15997 (check hostfingerprint configuration)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 [255]
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
 r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 - ignores that certificate doesn't match hostname
Jun Wu
tests: use LOCALIP...
 r31008 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
 r32273 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 5fed3813f7f5
Mads Kiilerich
tests: test https through http proxy...
 r13423
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 Ports used by next test. Kill servers.
$ killdaemons.py hg0.pid
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ killdaemons.py hg1.pid
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 $ killdaemons.py hg2.pid
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 #if sslcontext tls1.2
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 Start servers running supported TLS versions
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.0
$ cat ../hg0.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.1
$ cat ../hg1.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.2
$ cat ../hg2.pid >> $DAEMON_PIDS
$ cd ..
Clients talking same TLS versions work
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
5fed3813f7f5
Clients requiring newer TLS version than what server supports fail
Gregory Szorc
sslutil: require TLS 1.1+ when supported...
 r29560 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
 r29619 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: require TLS 1.1+ when supported...
 r29560 abort: error: *unsupported protocol* (glob)
[255]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
 r29619 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 abort: error: *unsupported protocol* (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
 r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 abort: error: *unsupported protocol* (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
 r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 abort: error: *unsupported protocol* (glob)
[255]
Gregory Szorc
sslutil: allow TLS 1.0 when --insecure is used...
 r29617 --insecure will allow TLS 1.0 connections and override configs
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
5fed3813f7f5
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 The per-host config option overrides the default
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.minimumprotocol=tls1.2 \
> --config hostsecurity.localhost:minimumprotocol=tls1.0
5fed3813f7f5
The per-host config option by itself works
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:minimumprotocol=tls1.2
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
 r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 abort: error: *unsupported protocol* (glob)
[255]
Gregory Szorc
hg: copy [hostsecurity] options to remote ui instances (issue5305)...
 r29616 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
$ cat >> copy-pull/.hg/hgrc << EOF
> [hostsecurity]
> localhost:minimumprotocol=tls1.2
> EOF
$ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
 r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
tests: glob over ssl error...
 r29635 abort: error: *unsupported protocol* (glob)
Gregory Szorc
hg: copy [hostsecurity] options to remote ui instances (issue5305)...
 r29616 [255]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 $ killdaemons.py hg0.pid
$ killdaemons.py hg1.pid
$ killdaemons.py hg2.pid
#endif
Matt Mackall
tests: fix startup/shutdown races in test-https...
 r16300
Mads Kiilerich
tests: test https through http proxy...
 r13423 Prepare for connecting through proxy
Gregory Szorc
sslutil: config option to specify TLS protocol version...
 r29559 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
$ cat hg0.pid >> $DAEMON_PIDS
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
$ cat hg2.pid >> $DAEMON_PIDS
tinyproxy.py doesn't fully detach, so killing it may result in extra output
from the shell. So don't kill it.
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich
tests: use 'do sleep 0' instead of 'do true', also on first line of command...
 r16496 $ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich
tests: test https through http proxy...
 r13423 $ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
Augie Fackler
test-https: drop two spurious --traceback flags...
 r29842 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
 r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
tests: test https through http proxy...
 r13423 searching for changes
no changes found
Test https with cacert and fingerprint through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub.pem"
Mads Kiilerich
tests: test https through http proxy...
 r13423 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
tests: test https through http proxy...
 r13423 searching for changes
no changes found
Jun Wu
tests: use LOCALIP...
 r31008 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
pulling from https://*:$HGPORT/ (glob)
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: tweak the legacy [hostfingerprints] warning message...
 r32273 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
Mads Kiilerich
tests: test https through http proxy...
 r13423 searching for changes
no changes found
Test https with cert problems through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
 r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
 r13424 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT2/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
 r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Matt Harbison
sslutil: inform the user about how to fix an incomplete certificate chain...
 r33494 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
 r13424 [255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ killdaemons.py hg0.pid
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
#if sslcontext
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
 r33381 $ cd test
Missing certificate file(s) are detected
$ hg serve -p $HGPORT --certificate=/missing/certificate \
> --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
 r33576 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
 r33381 [255]
$ hg serve -p $HGPORT --certificate=$PRIV \
> --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
 r33576 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
 r33381 [255]
Gregory Szorc
hgweb: use sslutil.wrapserversocket()...
 r29555 Start hgweb that requires client certificates:
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
Gregory Szorc
hgweb: use sslutil.wrapserversocket()...
 r29555 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 $ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 abort: error: *handshake failure* (glob)
[255]
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 > l.cert = $CERTSDIR/client-cert.pem
> l.key = $CERTSDIR/client-key.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 > EOT
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 5fed3813f7f5
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415 > --config ui.interactive=True --config ui.nontty=True
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
 r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415 abort: error: * (glob)
[255]
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
 r33381 Missing certficate and key files result in error
$ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
 r33576 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
 r33381 (restore missing file or fix references in Mercurial config)
[255]
$ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
Matt Harbison
test-https: properly conditionalize Windows vs non-Windows output...
 r33576 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
Gregory Szorc
sslutil: check for missing certificate and key files (issue5598)...
 r33381 (restore missing file or fix references in Mercurial config)
[255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 #endif