upstream/mercurial-mirror Files · tests/test-https.t

i18n: use UTF-8 string to lower filename for case collision check...

i18n: use UTF-8 string to lower filename for case collision check Some character sets, cp932 (known as Shift-JIS for Japanese) for example, use 0x41('A') - 0x5A('Z') and 0x61('a') - 0x7A('z') as second or later character. In such character set, case collision checking recognizes different files as CASEFOLDED same file, if filenames are treated as byte sequence. win32mbcs extension is not appropriate to handle this problem, because this problem can occur on other than Windows platform only if problematic character set is used. Callers of util.checkcase() use known ASCII filenames as last component of path, and string.lower() is not applied to directory part of path. So, util.checkcase() is kept intact, even though it applies string.lower() to filenames.

Augie Fackler - - Load All Authors

File last commit:

r14193:c4de1664 default


                r14980:28e98a8b

stable

Download file

             test-https.t
        
                    275 lines
            
             | 11.3 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-https.t
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Mads Kiilerich
    
hgweb: use Pythons ssl module for HTTPS serve when using Python 2.6 or later...

              r12784
            
      Proper https client requires the built-in ssl from Python 2.6.

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ "$TESTDIR/hghave" ssl || exit 80

      Certificates created with:

       printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

       openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

      Can be dumped with:

       openssl x509 -in pub.pem -text

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > priv.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        > -----BEGIN PRIVATE KEY-----

        > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

        > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

        > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

        > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

        > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

        > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

        > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

        > HY8gUVkVRVs=

        > -----END PRIVATE KEY-----

        > EOT

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

        > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

        > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

        > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

        > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

        > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

        > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

        > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

        > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub.pem >> server.pem

        $ PRIV=`pwd`/server.pem

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-other.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

        > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

        > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

        > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

        > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

        > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

        > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

        > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

        > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

        > -----END CERTIFICATE-----

        > EOT

      pub.pem patched with other notBefore / notAfter:

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-not-yet.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

        > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

        > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

        > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

        > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

        > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

        > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

        > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub-not-yet.pem > server-not-yet.pem

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-expired.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

        > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

        > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

        > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

        > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

        > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

        > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

        > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub-expired.pem > server-expired.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ hg init test

        $ cd test

        $ echo foo>foo

        $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

        $ echo foo>foo.d/foo

        $ echo bar>foo.d/bAr.hg.d/BaR

        $ echo bar>foo.d/baR.d.hg/bAR

        $ hg commit -A -m 1

        adding foo

        adding foo.d/bAr.hg.d/BaR

        adding foo.d/baR.d.hg/bAR

        adding foo.d/foo

        $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

        $ cat ../hg0.pid >> $DAEMON_PIDS

        timeless
    
cacert: improve error report when web.cacert file does not exist

              r13544
            
      cacert not found

        $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

        abort: could not find web.cacerts: no-such.pem

        [255]

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
      Test server address cannot be reused

        $ hg serve -p $HGPORT --certificate=$PRIV 2>&1

        abort: cannot start server at ':$HGPORT': Address already in use

        [255]

        $ cd ..

      clone via pull

        $ hg clone https://localhost:$HGPORT/ copy-pull

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        requesting all changes

        adding changesets

        adding manifests

        adding file changes

        added 1 changesets with 4 changes to 4 files

        updating to branch default

        4 files updated, 0 files merged, 0 files removed, 0 files unresolved

        Martin Geisler
    
test-https: update to match output from 3f6a4579f803

              r13629
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ hg verify -R copy-pull

        checking changesets

        checking manifests

        crosschecking files in changesets and manifests

        checking files

        4 files, 1 changesets, 4 total revisions

        $ cd test

        $ echo bar > bar

        $ hg commit -A -d '1 0' -m 2

        adding bar

        $ cd ..

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      pull without cacert

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ cd copy-pull

        $ echo '[hooks]' >> .hg/hgrc

        $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc

        $ hg pull

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        adding changesets

        adding manifests

        adding file changes

        added 1 changesets with 1 changes to 1 files

        Mads Kiilerich
    
util: flush stdout before calling external processes...

              r13439
            
        changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ 

        Matt Mackall
    
bookmarks: fix up test-https

              r13401
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        (run 'hg update' to get a working copy)

        $ cd ..

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      cacert configured in local repo

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

        $ echo "[web]" >> copy-pull/.hg/hgrc

        $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

        $ hg -R copy-pull pull --traceback

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

        Eduard-Cristian Stefan
    
url: expand path for web.cacerts

              r13231
            
      cacert configured globally, also testing expansion of environment

      variables in the filename

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ echo "[web]" >> $HGRCPATH

        Eduard-Cristian Stefan
    
url: expand path for web.cacerts

              r13231
            
        $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

        $ P=`pwd` hg -R copy-pull pull

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ P=`pwd` hg -R copy-pull pull --insecure

        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      cacert mismatch

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        [255]

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

        warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://127.0.0.1:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ hg -R copy-pull pull --config web.cacerts=pub-other.pem

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
      Test server cert which isn't valid yet

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ cat hg1.pid >> $DAEMON_PIDS

        $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

      Test server cert which no longer is valid

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ cat hg2.pid >> $DAEMON_PIDS

        $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
      Fingerprints

        $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

        $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

        $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

      - works without cacerts

        $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=

        5fed3813f7f5

      - fails when cert doesn't match hostname (port is ignored)

        $ hg -R copy-pull id https://localhost:$HGPORT1/

        abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

        [255]

      - ignores that certificate doesn't match hostname

        $ hg -R copy-pull id https://127.0.0.1:$HGPORT/

        5fed3813f7f5

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
      Prepare for connecting through proxy

        $ kill `cat hg1.pid`

        $ sleep 1

        $ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &

        $ echo $! > proxy.pid)

        $ cat proxy.pid >> $DAEMON_PIDS

        $ sleep 2

        $ echo "[http_proxy]" >> copy-pull/.hg/hgrc

        $ echo "always=True" >> copy-pull/.hg/hgrc

        $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

        $ echo "localhost =" >> copy-pull/.hg/hgrc

      Test unvalidated https through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

      Test https with cacert and fingerprint through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

        pulling from https://127.0.0.1:$HGPORT/

        searching for changes

        no changes found

      Test https with cert problems through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        Mads Kiilerich
    
url: merge BetterHTTPS with httpsconnection to get some proxy https validation

              r13424
            
        [255]

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        Mads Kiilerich
    
url: merge BetterHTTPS with httpsconnection to get some proxy https validation

              r13424
            
        [255]

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Mads Kiilerich hgweb: use Pythons ssl module for HTTPS serve when using Python 2.6 or later...	r12784	Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich serve: fix https mode and add test...	r12740
		$ "$TESTDIR/hghave" ssl \|\| exit 80

		Certificates created with:
		printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' \| \
		openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
		Can be dumped with:
		openssl x509 -in pub.pem -text

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > priv.pem
Mads Kiilerich serve: fix https mode and add test...	r12740	> -----BEGIN PRIVATE KEY-----
		> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
		> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
		> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
		> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
		> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
		> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
		> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
		> HY8gUVkVRVs=
		> -----END PRIVATE KEY-----
		> EOT

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub.pem
Mads Kiilerich serve: fix https mode and add test...	r12740	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
		> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
		> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
		> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
		> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
		> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
		> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
		> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
		> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub.pem >> server.pem
		$ PRIV=`pwd`/server.pem

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-other.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
		> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
		> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
		> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
		> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
		> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
		> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
		> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
		> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
		> -----END CERTIFICATE-----
		> EOT

		pub.pem patched with other notBefore / notAfter:

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-not-yet.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
		> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
		> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
		> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
		> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
		> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
		> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
		> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-expired.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
		> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
		> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
		> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
		> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
		> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
		> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
		> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub-expired.pem > server-expired.pem

Mads Kiilerich serve: fix https mode and add test...	r12740	$ hg init test
		$ cd test
		$ echo foo>foo
		$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
		$ echo foo>foo.d/foo
		$ echo bar>foo.d/bAr.hg.d/BaR
		$ echo bar>foo.d/baR.d.hg/bAR
		$ hg commit -A -m 1
		adding foo
		adding foo.d/bAr.hg.d/BaR
		adding foo.d/baR.d.hg/bAR
		adding foo.d/foo
		$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
		$ cat ../hg0.pid >> $DAEMON_PIDS

timeless cacert: improve error report when web.cacert file does not exist	r13544	cacert not found

		$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
		abort: could not find web.cacerts: no-such.pem
		[255]

Mads Kiilerich serve: fix https mode and add test...	r12740	Test server address cannot be reused

		$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
		abort: cannot start server at ':$HGPORT': Address already in use
		[255]
		$ cd ..

		clone via pull

		$ hg clone https://localhost:$HGPORT/ copy-pull
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	requesting all changes
		adding changesets
		adding manifests
		adding file changes
		added 1 changesets with 4 changes to 4 files
		updating to branch default
		4 files updated, 0 files merged, 0 files removed, 0 files unresolved
Martin Geisler test-https: update to match output from 3f6a4579f803	r13629	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	$ hg verify -R copy-pull
		checking changesets
		checking manifests
		crosschecking files in changesets and manifests
		checking files
		4 files, 1 changesets, 4 total revisions
		$ cd test
		$ echo bar > bar
		$ hg commit -A -d '1 0' -m 2
		adding bar
		$ cd ..

Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	pull without cacert
Mads Kiilerich serve: fix https mode and add test...	r12740
		$ cd copy-pull
		$ echo '[hooks]' >> .hg/hgrc
		$ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
		$ hg pull
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	pulling from https://localhost:$HGPORT/
		searching for changes
		adding changesets
		adding manifests
		adding file changes
		added 1 changesets with 1 changes to 1 files
Mads Kiilerich util: flush stdout before calling external processes...	r13439	changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
Matt Mackall bookmarks: fix up test-https	r13401	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	(run 'hg update' to get a working copy)
		$ cd ..
Mads Kiilerich test-https: test web.cacerts functionality	r12741
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	cacert configured in local repo
Mads Kiilerich test-https: test web.cacerts functionality	r12741
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
		$ echo "[web]" >> copy-pull/.hg/hgrc
		$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
		$ hg -R copy-pull pull --traceback
Mads Kiilerich test-https: test web.cacerts functionality	r12741	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

Eduard-Cristian Stefan url: expand path for web.cacerts	r13231	cacert configured globally, also testing expansion of environment
		variables in the filename
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192
		$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan url: expand path for web.cacerts	r13231	$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
		$ P=`pwd` hg -R copy-pull pull
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ P=`pwd` hg -R copy-pull pull --insecure
		warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192
		cacert mismatch

Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
Mads Kiilerich test-https: test web.cacerts functionality	r12741	[255]
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
		warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://127.0.0.1:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ hg -R copy-pull pull --config web.cacerts=pub-other.pem
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
		warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich test-https: test web.cacerts functionality	r12741
		Test server cert which isn't valid yet

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ cat hg1.pid >> $DAEMON_PIDS
		$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]

		Test server cert which no longer is valid

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ cat hg2.pid >> $DAEMON_PIDS
		$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314
		Fingerprints

		$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
		$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
		$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

		- works without cacerts
		$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
		5fed3813f7f5

		- fails when cert doesn't match hostname (port is ignored)
		$ hg -R copy-pull id https://localhost:$HGPORT1/
		abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
		[255]

		- ignores that certificate doesn't match hostname
		$ hg -R copy-pull id https://127.0.0.1:$HGPORT/
		5fed3813f7f5
Mads Kiilerich tests: test https through http proxy...	r13423
		Prepare for connecting through proxy

		$ kill `cat hg1.pid`
		$ sleep 1

		$ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &
		$ echo $! > proxy.pid)
		$ cat proxy.pid >> $DAEMON_PIDS
		$ sleep 2

		$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
		$ echo "always=True" >> copy-pull/.hg/hgrc
		$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
		$ echo "localhost =" >> copy-pull/.hg/hgrc

		Test unvalidated https through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
Mads Kiilerich tests: update test-https.t output...	r13438	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich tests: test https through http proxy...	r13423	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found

		Test https with cacert and fingerprint through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
		pulling from https://127.0.0.1:$HGPORT/
		searching for changes
		no changes found

		Test https with cert problems through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
Mads Kiilerich tests: update test-https.t output...	r13438	abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
Mads Kiilerich url: merge BetterHTTPS with httpsconnection to get some proxy https validation	r13424	[255]
Mads Kiilerich tests: test https through http proxy...	r13423	$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
Mads Kiilerich tests: update test-https.t output...	r13438	abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
Mads Kiilerich url: merge BetterHTTPS with httpsconnection to get some proxy https validation	r13424	[255]