test-https.t (625 lines, 31.1 KiB)

File last commit: r29617:2960ceee stable

sslutil: allow TLS 1.0 when --insecure is used

--insecure is our pseudo-supported footgun for disabling connection security. The flag already disables CA verification. I think allowing the use of TLS 1.0 when specified is appropriate.

#require serve ssl

Proper https client requires the built-in ssl from Python 2.6.

Make server certificates:

  $ CERTSDIR="$TESTDIR/sslcerts"
  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
  $ PRIV=`pwd`/server.pem
  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem

  $ hg init test
  $ cd test
  $ echo foo>foo
  $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
  $ echo foo>foo.d/foo
  $ echo bar>foo.d/bAr.hg.d/BaR
  $ echo bar>foo.d/baR.d.hg/bAR
  $ hg commit -A -m 1
  adding foo
  adding foo.d/bAr.hg.d/BaR
  adding foo.d/baR.d.hg/bAR
  adding foo.d/foo
  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
  $ cat ../hg0.pid >> $DAEMON_PIDS

cacert not found

  $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: could not find web.cacerts: no-such.pem
  [255]

Test server address cannot be reused

#if windows
  $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
  abort: cannot start server at ':$HGPORT':
  [255]
#else
  $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
  abort: cannot start server at ':$HGPORT': Address already in use
  [255]
#endif
  $ cd ..

Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.

#if sslcontext defaultcacerts no-defaultcacertsloaded
  $ hg clone https://localhost:$HGPORT/ copy-pull
  (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: *certificate verify failed* (glob)
  [255]
#endif

#if no-sslcontext defaultcacerts
  $ hg clone https://localhost:$HGPORT/ copy-pull
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
  abort: error: *certificate verify failed* (glob)
  [255]
#endif

#if no-sslcontext windows
  $ hg clone https://localhost:$HGPORT/ copy-pull
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
  (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
  abort: error: *certificate verify failed* (glob)
  [255]
#endif

#if no-sslcontext osx
  $ hg clone https://localhost:$HGPORT/ copy-pull
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
  (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
  abort: localhost certificate error: no certificate received
  (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
  [255]
#endif

#if defaultcacertsloaded
  $ hg clone https://localhost:$HGPORT/ copy-pull
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
  abort: error: *certificate verify failed* (glob)
  [255]
#endif

#if no-defaultcacerts
  $ hg clone https://localhost:$HGPORT/ copy-pull
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
  abort: localhost certificate error: no certificate received
  (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
  [255]
#endif

Specifying a per-host certificate file that doesn't exist will abort

  $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
  [255]

A malformed per-host certificate file will raise an error

  $ echo baddata > badca.pem
#if sslcontext
  $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error loading CA file badca.pem: * (glob)
  (file is empty or malformed?)
  [255]
#else
  $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: * (glob)
  [255]
#endif

A per-host certificate mismatching the server will fail verification

(modern ssl is able to discern whether the loaded cert is a CA cert)

#if sslcontext
  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: *certificate verify failed* (glob)
  [255]
#else
  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: *certificate verify failed* (glob)
  [255]
#endif

A per-host certificate matching the server's cert will be accepted

  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  requesting all changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 4 changes to 4 files

A per-host certificate with multiple certs and one matching will be accepted

  $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
  $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  requesting all changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 4 changes to 4 files

Defining both per-host certificate and a fingerprint will print a warning

  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
  requesting all changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 4 changes to 4 files

  $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"

Inability to verify peer certificate will result in abort

  $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
  (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
  [255]
  $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
  requesting all changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 4 changes to 4 files
  updating to branch default
  4 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ hg verify -R copy-pull
  checking changesets
  checking manifests
  crosschecking files in changesets and manifests
  checking files
  4 files, 1 changesets, 4 total revisions
  $ cd test
  $ echo bar > bar
  $ hg commit -A -d '1 0' -m 2
  adding bar
  $ cd ..

pull without cacert

  $ cd copy-pull
  $ echo '[hooks]' >> .hg/hgrc
  $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
  $ hg pull $DISABLECACERTS
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
  (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
  [255]
  $ hg pull --insecure
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
  searching for changes
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 1 changes to 1 files
  changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
  (run 'hg update' to get a working copy)
  $ cd ..

cacert configured in local repo

  $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
  $ echo "[web]" >> copy-pull/.hg/hgrc
  $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
  $ hg -R copy-pull pull --traceback
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  searching for changes
  no changes found
  $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

cacert configured globally, also testing expansion of environment
variables in the filename

  $ echo "[web]" >> $HGRCPATH
  $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
  $ P="$CERTSDIR" hg -R copy-pull pull
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  searching for changes
  no changes found
  $ P="$CERTSDIR" hg -R copy-pull pull --insecure
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
  searching for changes
  no changes found

empty cacert file

  $ touch emptycafile

#if sslcontext
  $ hg --config web.cacerts=emptycafile -R copy-pull pull
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error loading CA file emptycafile: * (glob)
  (file is empty or malformed?)
  [255]
#else
  $ hg --config web.cacerts=emptycafile -R copy-pull pull
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: * (glob)
  [255]
#endif

cacert mismatch

  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
  > https://127.0.0.1:$HGPORT/
  pulling from https://127.0.0.1:$HGPORT/ (glob)
  warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: 127.0.0.1 certificate error: certificate is for localhost (glob)
  (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob)
  [255]
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
  > https://127.0.0.1:$HGPORT/ --insecure
  pulling from https://127.0.0.1:$HGPORT/ (glob)
  warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
  searching for changes
  no changes found
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: *certificate verify failed* (glob)
  [255]
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
  > --insecure
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
  searching for changes
  no changes found

Test server cert which isn't valid yet

  $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
  $ cat hg1.pid >> $DAEMON_PIDS
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
  > https://localhost:$HGPORT1/
  pulling from https://localhost:$HGPORT1/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: *certificate verify failed* (glob)
  [255]

Test server cert which no longer is valid

  $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
  $ cat hg2.pid >> $DAEMON_PIDS
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
  > https://localhost:$HGPORT2/
  pulling from https://localhost:$HGPORT2/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: *certificate verify failed* (glob)
  [255]

Disabling the TLS 1.0 warning works

  $ hg -R copy-pull id https://localhost:$HGPORT/ \
  > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
  > --config hostsecurity.disabletls10warning=true
  5fed3813f7f5

#if no-sslcontext no-py27+
Setting ciphers doesn't work in Python 2.6

  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
  abort: setting ciphers in [hostsecurity] is not supported by this version of Python
  (remove the config option or run Mercurial with a modern Python version (preferred))
  [255]
#endif

Setting ciphers works in Python 2.7+ but the error message is different on
legacy ssl. We test legacy once and do more feature checking on modern
configs.

#if py27+ no-sslcontext
  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
  abort: *No cipher can be selected. (glob)
  [255]

  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
  5fed3813f7f5
#endif

#if sslcontext
Setting ciphers to an invalid value aborts

  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: could not set ciphers: No cipher can be selected.
  (change cipher string (invalid) in config)
  [255]

  $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: could not set ciphers: No cipher can be selected.
  (change cipher string (invalid) in config)
  [255]

Changing the cipher string works

  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  5fed3813f7f5
#endif

Fingerprints

- works without cacerts (hostkeyfingerprints)

  $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 - works without cacerts (hostsecurity)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and first matches
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and last matches
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and none match
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 (check hostfingerprint configuration)
[255]
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: reference appropriate config section in messaging...
r29268 (check hostsecurity configuration)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - fails when cert doesn't match hostname (port is ignored)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
r15997 (check hostfingerprint configuration)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 [255]
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - ignores that certificate doesn't match hostname
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
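The pinning rules the fingerprint tests above exercise, as an added Python example that is not Mercurial's sslutil code: `[hostsecurity]` pins carry an algorithm prefix (sha1:, sha256:, sha512:), legacy `[hostfingerprints]` pins are bare SHA-1, colons inside the hex are optional, any one of several pins per host may match, and a mismatch reports the certificate's actual fingerprint. `SAMPLE_CERT_DER` is a constructed stand-in for the peer's DER bytes; all function names are the example's own.

```python
import hashlib

# Constructed stand-in for a peer's DER-encoded certificate. A real check would
# hash the bytes from ssl.SSLSocket.getpeercert(binary_form=True); the digest
# of exactly those bytes is what the fingerprints in the tests pin.
SAMPLE_CERT_DER = b"abc"

# Hash algorithms accepted as prefixes in [hostsecurity] <host>:fingerprints.
SUPPORTED_ALGOS = ("sha1", "sha256", "sha512")


def fingerprint(cert_der, algo):
    """Hash the DER bytes and return the colon-separated hex form that the
    'unexpected fingerprint ...' abort message prints (e.g. 'ec:d8:7c:...')."""
    digest = hashlib.new(algo, cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_pins(value, legacy=False):
    """Parse a comma-separated pin list into (algo, bare_hex) tuples.

    [hostsecurity] entries need an 'algo:' prefix; legacy [hostfingerprints]
    entries are bare SHA-1 digests. Colons inside the hex are accepted either
    way. Entries that could never match raise ValueError instead of silently
    failing closed at connect time."""
    pins = []
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if legacy:
            algo, hexpart = "sha1", item
        else:
            algo, sep, hexpart = item.partition(":")
            if not sep or algo not in SUPPORTED_ALGOS:
                raise ValueError("fingerprint %r lacks a supported algorithm "
                                 "prefix (sha1:, sha256:, sha512:)" % item)
        hexpart = hexpart.replace(":", "")
        expected_len = hashlib.new(algo).digest_size * 2
        if len(hexpart) != expected_len or set(hexpart) - set("0123456789abcdef"):
            raise ValueError("fingerprint %r is not a %d-character hex %s digest"
                             % (item, expected_len, algo))
        pins.append((algo, hexpart))
    return pins


def pin_error(value, legacy=False):
    """Return the ValueError message for an invalid pin list, or None if valid."""
    try:
        parse_pins(value, legacy)
    except ValueError as exc:
        return str(exc)
    return None


def pin_matches(cert_der, pins):
    """True if any configured pin equals the certificate's fingerprint under
    that pin's own algorithm, so sha1 and sha256 pins can be mixed per host."""
    return any(fingerprint(cert_der, algo).replace(":", "") == hexpart
               for algo, hexpart in pins)


def unexpected_fingerprints(cert_der, pins):
    """On mismatch, list the certificate's real fingerprints, one per pinned
    algorithm, in the 'sha1:ec:d8:...' form used by the abort message above."""
    algos = sorted({algo for algo, _ in pins})
    return ["%s:%s" % (algo, fingerprint(cert_der, algo)) for algo in algos]
```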

Ports used by next test. Kill servers.

  $ killdaemons.py hg0.pid
  $ killdaemons.py hg1.pid
  $ killdaemons.py hg2.pid

#if sslcontext tls1.2

Start servers running supported TLS versions

  $ cd test
  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
  > --config devel.serverexactprotocol=tls1.0
  $ cat ../hg0.pid >> $DAEMON_PIDS
  $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
  > --config devel.serverexactprotocol=tls1.1
  $ cat ../hg1.pid >> $DAEMON_PIDS
  $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
  > --config devel.serverexactprotocol=tls1.2
  $ cat ../hg2.pid >> $DAEMON_PIDS
  $ cd ..

Clients talking same TLS versions work

  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
  5fed3813f7f5
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
  5fed3813f7f5
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
  5fed3813f7f5

Clients requiring newer TLS version than what server supports fail

  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
  (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: *unsupported protocol* (glob)
  [255]

  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
  (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: *unsupported protocol* (glob)
  [255]
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
  (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: *unsupported protocol* (glob)
  [255]
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
  (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: *unsupported protocol* (glob)
  [255]

--insecure will allow TLS 1.0 connections and override configs

  $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
  5fed3813f7f5

The per-host config option overrides the default

  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
  > --config hostsecurity.minimumprotocol=tls1.2 \
  > --config hostsecurity.localhost:minimumprotocol=tls1.0
  5fed3813f7f5

The per-host config option by itself works

  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
  > --config hostsecurity.localhost:minimumprotocol=tls1.2
  (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: *unsupported protocol* (glob)
  [255]

.hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)

  $ cat >> copy-pull/.hg/hgrc << EOF
  > [hostsecurity]
  > localhost:minimumprotocol=tls1.2
  > EOF
  $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
  (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
  abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590)
  [255]

  $ killdaemons.py hg0.pid
  $ killdaemons.py hg1.pid
  $ killdaemons.py hg2.pid

#endif

Prepare for connecting through proxy

  $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
  $ cat hg0.pid >> $DAEMON_PIDS
  $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
  $ cat hg2.pid >> $DAEMON_PIDS
tinyproxy.py doesn't fully detach, so killing it may result in extra output
from the shell. So don't kill it.
  $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
  $ while [ ! -f proxy.pid ]; do sleep 0; done
  $ cat proxy.pid >> $DAEMON_PIDS

  $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
  $ echo "always=True" >> copy-pull/.hg/hgrc
  $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
  $ echo "localhost =" >> copy-pull/.hg/hgrc

Test unvalidated https through proxy

  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
  searching for changes
  no changes found

Test https with cacert and fingerprint through proxy

  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
  > --config web.cacerts="$CERTSDIR/pub.pem"
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  searching for changes
  no changes found
  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
  pulling from https://127.0.0.1:$HGPORT/ (glob)
  warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  searching for changes
  no changes found

Test https with cert problems through proxy

  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
  > --config web.cacerts="$CERTSDIR/pub-other.pem"
  pulling from https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: *certificate verify failed* (glob)
  [255]
  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
  > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
  pulling from https://localhost:$HGPORT2/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: *certificate verify failed* (glob)
  [255]

  $ killdaemons.py hg0.pid

#if sslcontext

Start hgweb that requires client certificates:

  $ cd test
  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
  > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
  $ cat ../hg0.pid >> $DAEMON_PIDS
  $ cd ..

without client certificate:

  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: *handshake failure* (glob)
  [255]

with client certificate:

  $ cat << EOT >> $HGRCPATH
  > [auth]
  > l.prefix = localhost
  > l.cert = $CERTSDIR/client-cert.pem
  > l.key = $CERTSDIR/client-key.pem
  > EOT

  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
  > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  5fed3813f7f5

  $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
  > --config ui.interactive=True --config ui.nontty=True
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  passphrase for */client-key.pem: 5fed3813f7f5 (glob)

  $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
  abort: error: * (glob)
  [255]

#endif