##// END OF EJS Templates
sslutil: synchronize hostname matching logic with CPython...
sslutil: synchronize hostname matching logic with CPython sslutil contains its own hostname matching logic. CPython has code for the same intent. However, it is only available to Python 2.7.9+ (or distributions that have backported 2.7.9's ssl module improvements). This patch effectively imports CPython's hostname matching code from its ssl.py into sslutil.py. The hostname matching code itself is pretty similar. However, the DNS name matching code is much more robust and spec conformant. As the test changes show, this changes some behavior around wildcard handling and IDNA matching. The new behavior allows wildcards in the middle of words (e.g. 'f*.com' matches 'foo.com') This is spec compliant according to RFC 6125 Section 6.5.3 item 3. There is one test where the matcher is more strict. Before, '*.a.com' matched '.a.com'. Now it doesn't match. Strictly speaking this is a security vulnerability.

File last commit:

r29449:5b71a8d7 default
r29452:26a5d605 3.8.4 stable
Show More
test-https.t
418 lines | 16.5 KiB | text/troff | Tads3Lexer
Matt Mackall
tests: replace exit 80 with #require
r22046 #require serve ssl
Mads Kiilerich
serve: fix https mode and add test...
r12740
Matt Mackall
tests: replace exit 80 with #require
r22046 Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich
serve: fix https mode and add test...
r12740
Certificates created with:
printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
Can be dumped with:
openssl x509 -in pub.pem -text
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
r14193 $ cat << EOT > priv.pem
Mads Kiilerich
serve: fix https mode and add test...
r12740 > -----BEGIN PRIVATE KEY-----
> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
> HY8gUVkVRVs=
> -----END PRIVATE KEY-----
> EOT
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
r14193 $ cat << EOT > pub.pem
Mads Kiilerich
serve: fix https mode and add test...
r12740 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
> -----END CERTIFICATE-----
> EOT
$ cat priv.pem pub.pem >> server.pem
$ PRIV=`pwd`/server.pem
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
r14193 $ cat << EOT > pub-other.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
> -----END CERTIFICATE-----
> EOT
pub.pem patched with other notBefore / notAfter:
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
r14193 $ cat << EOT > pub-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
> -----END CERTIFICATE-----
> EOT
$ cat priv.pem pub-not-yet.pem > server-not-yet.pem
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
r14193 $ cat << EOT > pub-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
> -----END CERTIFICATE-----
> EOT
$ cat priv.pem pub-expired.pem > server-expired.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 Client certificates created with:
openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
-set_serial 01 -out client-cert.pem
$ cat << EOT > client-key.pem
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
>
> JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
> BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
> jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
> Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
> u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
> CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
> bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
> -----END RSA PRIVATE KEY-----
> EOT
$ cat << EOT > client-key-decrypted.pem
> -----BEGIN RSA PRIVATE KEY-----
> MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
> FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
> AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
> AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
> 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
> +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
> mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
> -----END RSA PRIVATE KEY-----
> EOT
$ cat << EOT > client-cert.pem
> -----BEGIN CERTIFICATE-----
> MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
> GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
> OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
> R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
> MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
> NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
> -----END CERTIFICATE-----
> EOT
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
timeless
cacert: improve error report when web.cacert file does not exist
r13544 cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
abort: could not find web.cacerts: no-such.pem
[255]
Mads Kiilerich
serve: fix https mode and add test...
r12740 Test server address cannot be reused
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 #if windows
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Simon Heimberg
tests: remove glob from output lines containing no glob character
r18682 abort: cannot start server at ':$HGPORT':
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 [255]
#else
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at ':$HGPORT': Address already in use
[255]
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 #endif
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ cd ..
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
r23042 OS X has a dummy CA cert that enables use of the system CA store when using
Apple's OpenSSL. This trick do not work with plain OpenSSL.
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
$ DISABLEOSXDUMMYCERT=
Yuya Nishihara
test-https: enable dummycert test only if Apple python is used (issue4500)...
r24289 #if defaultcacerts
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 $ hg clone https://localhost:$HGPORT/ copy-pull
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 [255]
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ DISABLEOSXDUMMYCERT="--insecure"
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 #endif
Mads Kiilerich
serve: fix https mode and add test...
r12740 clone via pull
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich
serve: fix https mode and add test...
r12740 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg verify -R copy-pull
checking changesets
checking manifests
crosschecking files in changesets and manifests
checking files
4 files, 1 changesets, 4 total revisions
$ cd test
$ echo bar > bar
$ hg commit -A -d '1 0' -m 2
adding bar
$ cd ..
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pull without cacert
Mads Kiilerich
serve: fix https mode and add test...
r12740
$ cd copy-pull
$ echo '[hooks]' >> .hg/hgrc
Matt Mackall
tests: simplify printenv calls...
r25478 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 $ hg pull $DISABLEOSXDUMMYCERT
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich
serve: fix https mode and add test...
r12740 searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
Mateusz Kwapich
hooks: add HG_NODE_LAST to txnclose and changegroup hook environments...
r27739 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
Mads Kiilerich
serve: fix https mode and add test...
r12740 (run 'hg update' to get a working copy)
$ cd ..
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 cacert configured in local repo
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
$ echo "[web]" >> copy-pull/.hg/hgrc
$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
$ hg -R copy-pull pull --traceback
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 cacert configured globally, also testing expansion of environment
variables in the filename
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
$ P=`pwd` hg -R copy-pull pull
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 $ P=`pwd` hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
cacert mismatch
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://127.0.0.1:$HGPORT/
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
r15814 abort: 127.0.0.1 certificate error: certificate is for localhost
(configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://127.0.0.1:$HGPORT/
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Test server cert which isn't valid yet
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg1.pid >> $DAEMON_PIDS
$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT1/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Test server cert which no longer is valid
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg2.pid >> $DAEMON_PIDS
$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314
Fingerprints
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
- works without cacerts
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and first matches
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
- multiple fingerprints specified and last matches
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
- multiple fingerprints specified and none match
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
(check hostfingerprint configuration)
[255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - fails when cert doesn't match hostname (port is ignored)
$ hg -R copy-pull id https://localhost:$HGPORT1/
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
r15997 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
(check hostfingerprint configuration)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 [255]
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - ignores that certificate doesn't match hostname
$ hg -R copy-pull id https://127.0.0.1:$HGPORT/
5fed3813f7f5
Mads Kiilerich
tests: test https through http proxy...
r13423
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
r18588 HGPORT1 is reused below for tinyproxy tests. Kill that server.
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ killdaemons.py hg1.pid
Matt Mackall
tests: fix startup/shutdown races in test-https...
r16300
Mads Kiilerich
tests: test https through http proxy...
r13423 Prepare for connecting through proxy
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich
tests: use 'do sleep 0' instead of 'do true', also on first line of command...
r16496 $ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich
tests: test https through http proxy...
r13423 $ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Mads Kiilerich
tests: update test-https.t output...
r13438 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich
tests: test https through http proxy...
r13423 searching for changes
no changes found
Test https with cacert and fingerprint through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
pulling from https://localhost:$HGPORT/
searching for changes
no changes found
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
pulling from https://127.0.0.1:$HGPORT/
searching for changes
no changes found
Test https with cert problems through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
r13424 [255]
Mads Kiilerich
tests: test https through http proxy...
r13423 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
r13424 [255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ killdaemons.py hg0.pid
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
#if sslcontext
Start patched hgweb that requires client certificates:
$ cat << EOT > reqclientcert.py
> import ssl
> from mercurial.hgweb import server
> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
> @staticmethod
> def preparehttpserver(httpserver, ssl_cert):
> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
> sslcontext.verify_mode = ssl.CERT_REQUIRED
> sslcontext.load_cert_chain(ssl_cert)
> # verify clients by server certificate
> sslcontext.load_verify_locations(ssl_cert)
> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
> server_side=True)
> server._httprequesthandlerssl = _httprequesthandlersslclientcert
> EOT
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config extensions.reqclientcert=../reqclientcert.py
$ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
$ P=`pwd` hg id https://localhost:$HGPORT/
abort: error: *handshake failure* (glob)
[255]
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
> l.cert = client-cert.pem
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 > l.key = client-key.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 > EOT
$ P=`pwd` hg id https://localhost:$HGPORT/ \
> --config auth.l.key=client-key-decrypted.pem
5fed3813f7f5
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \
> --config ui.interactive=True --config ui.nontty=True
passphrase for client-key.pem: 5fed3813f7f5
$ env P=`pwd` hg id https://localhost:$HGPORT/
abort: error: * (glob)
[255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 #endif