upstream/mercurial-mirror Files · tests/test-https.t

check-code: put grouping around regexps generated from testpats...

check-code: put grouping around regexps generated from testpats This removes the pitfall that would make the testpath r'a|b' match 'b' on all lines in .t tests.

Matt Mackall - - Load All Authors

File last commit:

r16300:74e114ac stable


                r16495:5f9835ed

stable

Download file

             test-https.t
        
                    275 lines
            
             | 11.5 KiB
            
                | text/troff
            
             |
                Tads3Lexer
            
             / tests / test-https.t
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Mads Kiilerich
    
hgweb: use Pythons ssl module for HTTPS serve when using Python 2.6 or later...

              r12784
            
      Proper https client requires the built-in ssl from Python 2.6.

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        Mads Kiilerich
    
tests: use 'hghave serve' to guard tests that requires serve daemon management

              r15446
            
        $ "$TESTDIR/hghave" serve ssl || exit 80

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
      Certificates created with:

       printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

       openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

      Can be dumped with:

       openssl x509 -in pub.pem -text

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > priv.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        > -----BEGIN PRIVATE KEY-----

        > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

        > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

        > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

        > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

        > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

        > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

        > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

        > HY8gUVkVRVs=

        > -----END PRIVATE KEY-----

        > EOT

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

        > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

        > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

        > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

        > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

        > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

        > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

        > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

        > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub.pem >> server.pem

        $ PRIV=`pwd`/server.pem

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-other.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

        > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

        > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

        > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

        > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

        > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

        > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

        > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

        > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

        > -----END CERTIFICATE-----

        > EOT

      pub.pem patched with other notBefore / notAfter:

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-not-yet.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

        > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

        > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

        > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

        > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

        > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

        > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

        > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub-not-yet.pem > server-not-yet.pem

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ cat << EOT > pub-expired.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        > -----BEGIN CERTIFICATE-----

        > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

        > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

        > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

        > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

        > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

        > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

        > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

        > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

        > -----END CERTIFICATE-----

        > EOT

        $ cat priv.pem pub-expired.pem > server-expired.pem

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ hg init test

        $ cd test

        $ echo foo>foo

        $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

        $ echo foo>foo.d/foo

        $ echo bar>foo.d/bAr.hg.d/BaR

        $ echo bar>foo.d/baR.d.hg/bAR

        $ hg commit -A -m 1

        adding foo

        adding foo.d/bAr.hg.d/BaR

        adding foo.d/baR.d.hg/bAR

        adding foo.d/foo

        $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

        $ cat ../hg0.pid >> $DAEMON_PIDS

        timeless
    
cacert: improve error report when web.cacert file does not exist

              r13544
            
      cacert not found

        $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

        abort: could not find web.cacerts: no-such.pem

        [255]

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
      Test server address cannot be reused

        $ hg serve -p $HGPORT --certificate=$PRIV 2>&1

        abort: cannot start server at ':$HGPORT': Address already in use

        [255]

        $ cd ..

      clone via pull

        $ hg clone https://localhost:$HGPORT/ copy-pull

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        requesting all changes

        adding changesets

        adding manifests

        adding file changes

        added 1 changesets with 4 changes to 4 files

        Arne Babenhauserheide
    
clone: get all bookmarks before updating

              r15590
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        updating to branch default

        4 files updated, 0 files merged, 0 files removed, 0 files unresolved

        $ hg verify -R copy-pull

        checking changesets

        checking manifests

        crosschecking files in changesets and manifests

        checking files

        4 files, 1 changesets, 4 total revisions

        $ cd test

        $ echo bar > bar

        $ hg commit -A -d '1 0' -m 2

        adding bar

        $ cd ..

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      pull without cacert

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        $ cd copy-pull

        $ echo '[hooks]' >> .hg/hgrc

        $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc

        $ hg pull

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        adding changesets

        adding manifests

        adding file changes

        added 1 changesets with 1 changes to 1 files

        Pierre-Yves David
    
phases: exchange phase boundaries on pull...

              r15650
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
util: flush stdout before calling external processes...

              r13439
            
        changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ 

        Mads Kiilerich
    
serve: fix https mode and add test...

              r12740
            
        (run 'hg update' to get a working copy)

        $ cd ..

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      cacert configured in local repo

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

        $ echo "[web]" >> copy-pull/.hg/hgrc

        $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

        $ hg -R copy-pull pull --traceback

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

        Eduard-Cristian Stefan
    
url: expand path for web.cacerts

              r13231
            
      cacert configured globally, also testing expansion of environment

      variables in the filename

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        $ echo "[web]" >> $HGRCPATH

        Eduard-Cristian Stefan
    
url: expand path for web.cacerts

              r13231
            
        $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

        $ P=`pwd` hg -R copy-pull pull

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ P=`pwd` hg -R copy-pull pull --insecure

        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
https: use web.cacerts configuration from local repo to validate remote repo

              r13192
            
      cacert mismatch

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

        Mads Kiilerich
    
sslutil: show fingerprint when cacerts validation fails

              r15814
            
        abort: 127.0.0.1 certificate error: certificate is for localhost

        (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        [255]

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

        warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://127.0.0.1:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ hg -R copy-pull pull --config web.cacerts=pub-other.pem

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

        Yuya Nishihara
    
url: add --insecure option to bypass verification of ssl certificates...

              r13328
            
        $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
      Test server cert which isn't valid yet

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ cat hg1.pid >> $DAEMON_PIDS

        $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

      Test server cert which no longer is valid

        Augie Fackler
    
test-https.t: clean up superfluous trailing whitespace

              r14193
            
        $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

        Mads Kiilerich
    
test-https: test web.cacerts functionality

              r12741
            
        $ cat hg2.pid >> $DAEMON_PIDS

        $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        [255]

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
      Fingerprints

        $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

        $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

        $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

      - works without cacerts

        $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=

        5fed3813f7f5

      - fails when cert doesn't match hostname (port is ignored)

        $ hg -R copy-pull id https://localhost:$HGPORT1/

        Matt Mackall
    
sslutil: more helpful fingerprint mismatch message...

              r15997
            
        abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

        (check hostfingerprint configuration)

        Mads Kiilerich
    
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

              r13314
            
        [255]

      - ignores that certificate doesn't match hostname

        $ hg -R copy-pull id https://127.0.0.1:$HGPORT/

        5fed3813f7f5

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        Matt Mackall
    
tests: fix startup/shutdown races in test-https...

              r16300
            
        $ while kill `cat hg1.pid` 2>/dev/null; do true; done

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
      Prepare for connecting through proxy

        Matt Mackall
    
tests: fix startup/shutdown races in test-https...

              r16300
            
        $ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

        $ while [ ! -f proxy.pid ]; do true; done

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        $ cat proxy.pid >> $DAEMON_PIDS

        $ echo "[http_proxy]" >> copy-pull/.hg/hgrc

        $ echo "always=True" >> copy-pull/.hg/hgrc

        $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

        $ echo "localhost =" >> copy-pull/.hg/hgrc

      Test unvalidated https through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

      Test https with cacert and fingerprint through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

        pulling from https://localhost:$HGPORT/

        searching for changes

        no changes found

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

        pulling from https://127.0.0.1:$HGPORT/

        searching for changes

        no changes found

      Test https with cert problems through proxy

        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        Mads Kiilerich
    
url: merge BetterHTTPS with httpsconnection to get some proxy https validation

              r13424
            
        [255]

        Mads Kiilerich
    
tests: test https through http proxy...

              r13423
            
        $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

        Mads Kiilerich
    
tests: update test-https.t output...

              r13438
            
        abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

        Mads Kiilerich
    
url: merge BetterHTTPS with httpsconnection to get some proxy https validation

              r13424
            
        [255]

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Mads Kiilerich hgweb: use Pythons ssl module for HTTPS serve when using Python 2.6 or later...	r12784	Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich serve: fix https mode and add test...	r12740
Mads Kiilerich tests: use 'hghave serve' to guard tests that requires serve daemon management	r15446	$ "$TESTDIR/hghave" serve ssl \|\| exit 80
Mads Kiilerich serve: fix https mode and add test...	r12740
		Certificates created with:
		printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' \| \
		openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
		Can be dumped with:
		openssl x509 -in pub.pem -text

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > priv.pem
Mads Kiilerich serve: fix https mode and add test...	r12740	> -----BEGIN PRIVATE KEY-----
		> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
		> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
		> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
		> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
		> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
		> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
		> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
		> HY8gUVkVRVs=
		> -----END PRIVATE KEY-----
		> EOT

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub.pem
Mads Kiilerich serve: fix https mode and add test...	r12740	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
		> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
		> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
		> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
		> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
		> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
		> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
		> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
		> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub.pem >> server.pem
		$ PRIV=`pwd`/server.pem

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-other.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
		> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
		> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
		> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
		> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
		> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
		> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
		> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
		> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
		> -----END CERTIFICATE-----
		> EOT

		pub.pem patched with other notBefore / notAfter:

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-not-yet.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
		> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
		> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
		> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
		> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
		> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
		> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
		> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ cat << EOT > pub-expired.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	> -----BEGIN CERTIFICATE-----
		> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
		> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
		> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
		> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
		> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
		> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
		> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
		> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
		> -----END CERTIFICATE-----
		> EOT
		$ cat priv.pem pub-expired.pem > server-expired.pem

Mads Kiilerich serve: fix https mode and add test...	r12740	$ hg init test
		$ cd test
		$ echo foo>foo
		$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
		$ echo foo>foo.d/foo
		$ echo bar>foo.d/bAr.hg.d/BaR
		$ echo bar>foo.d/baR.d.hg/bAR
		$ hg commit -A -m 1
		adding foo
		adding foo.d/bAr.hg.d/BaR
		adding foo.d/baR.d.hg/bAR
		adding foo.d/foo
		$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
		$ cat ../hg0.pid >> $DAEMON_PIDS

timeless cacert: improve error report when web.cacert file does not exist	r13544	cacert not found

		$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
		abort: could not find web.cacerts: no-such.pem
		[255]

Mads Kiilerich serve: fix https mode and add test...	r12740	Test server address cannot be reused

		$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
		abort: cannot start server at ':$HGPORT': Address already in use
		[255]
		$ cd ..

		clone via pull

		$ hg clone https://localhost:$HGPORT/ copy-pull
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	requesting all changes
		adding changesets
		adding manifests
		adding file changes
		added 1 changesets with 4 changes to 4 files
Arne Babenhauserheide clone: get all bookmarks before updating	r15590	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	updating to branch default
		4 files updated, 0 files merged, 0 files removed, 0 files unresolved
		$ hg verify -R copy-pull
		checking changesets
		checking manifests
		crosschecking files in changesets and manifests
		checking files
		4 files, 1 changesets, 4 total revisions
		$ cd test
		$ echo bar > bar
		$ hg commit -A -d '1 0' -m 2
		adding bar
		$ cd ..

Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	pull without cacert
Mads Kiilerich serve: fix https mode and add test...	r12740
		$ cd copy-pull
		$ echo '[hooks]' >> .hg/hgrc
		$ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
		$ hg pull
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich serve: fix https mode and add test...	r12740	pulling from https://localhost:$HGPORT/
		searching for changes
		adding changesets
		adding manifests
		adding file changes
		added 1 changesets with 1 changes to 1 files
Pierre-Yves David phases: exchange phase boundaries on pull...	r15650	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich util: flush stdout before calling external processes...	r13439	changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
Mads Kiilerich serve: fix https mode and add test...	r12740	(run 'hg update' to get a working copy)
		$ cd ..
Mads Kiilerich test-https: test web.cacerts functionality	r12741
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	cacert configured in local repo
Mads Kiilerich test-https: test web.cacerts functionality	r12741
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
		$ echo "[web]" >> copy-pull/.hg/hgrc
		$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
		$ hg -R copy-pull pull --traceback
Mads Kiilerich test-https: test web.cacerts functionality	r12741	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

Eduard-Cristian Stefan url: expand path for web.cacerts	r13231	cacert configured globally, also testing expansion of environment
		variables in the filename
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192
		$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan url: expand path for web.cacerts	r13231	$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
		$ P=`pwd` hg -R copy-pull pull
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ P=`pwd` hg -R copy-pull pull --insecure
		warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich https: use web.cacerts configuration from local repo to validate remote repo	r13192
		cacert mismatch

Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
Mads Kiilerich sslutil: show fingerprint when cacerts validation fails	r15814	abort: 127.0.0.1 certificate error: certificate is for localhost
		(configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
Mads Kiilerich test-https: test web.cacerts functionality	r12741	[255]
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
		warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://127.0.0.1:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ hg -R copy-pull pull --config web.cacerts=pub-other.pem
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]
Yuya Nishihara url: add --insecure option to bypass verification of ssl certificates...	r13328	$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
		warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
Mads Kiilerich test-https: test web.cacerts functionality	r12741
		Test server cert which isn't valid yet

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ cat hg1.pid >> $DAEMON_PIDS
		$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]

		Test server cert which no longer is valid

Augie Fackler test-https.t: clean up superfluous trailing whitespace	r14193	$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich test-https: test web.cacerts functionality	r12741	$ cat hg2.pid >> $DAEMON_PIDS
		$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
		abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
		[255]
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314
		Fingerprints

		$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
		$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
		$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

		- works without cacerts
		$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
		5fed3813f7f5

		- fails when cert doesn't match hostname (port is ignored)
		$ hg -R copy-pull id https://localhost:$HGPORT1/
Matt Mackall sslutil: more helpful fingerprint mismatch message...	r15997	abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
		(check hostfingerprint configuration)
Mads Kiilerich url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...	r13314	[255]

		- ignores that certificate doesn't match hostname
		$ hg -R copy-pull id https://127.0.0.1:$HGPORT/
		5fed3813f7f5
Mads Kiilerich tests: test https through http proxy...	r13423
Matt Mackall tests: fix startup/shutdown races in test-https...	r16300	$ while kill `cat hg1.pid` 2>/dev/null; do true; done

Mads Kiilerich tests: test https through http proxy...	r13423	Prepare for connecting through proxy

Matt Mackall tests: fix startup/shutdown races in test-https...	r16300	$ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
		$ while [ ! -f proxy.pid ]; do true; done
Mads Kiilerich tests: test https through http proxy...	r13423	$ cat proxy.pid >> $DAEMON_PIDS

		$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
		$ echo "always=True" >> copy-pull/.hg/hgrc
		$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
		$ echo "localhost =" >> copy-pull/.hg/hgrc

		Test unvalidated https through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
Mads Kiilerich tests: update test-https.t output...	r13438	warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich tests: test https through http proxy...	r13423	pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found

		Test https with cacert and fingerprint through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
		pulling from https://localhost:$HGPORT/
		searching for changes
		no changes found
		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
		pulling from https://127.0.0.1:$HGPORT/
		searching for changes
		no changes found

		Test https with cert problems through proxy

		$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
Mads Kiilerich tests: update test-https.t output...	r13438	abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
Mads Kiilerich url: merge BetterHTTPS with httpsconnection to get some proxy https validation	r13424	[255]
Mads Kiilerich tests: test https through http proxy...	r13423	$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
Mads Kiilerich tests: update test-https.t output...	r13438	abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
Mads Kiilerich url: merge BetterHTTPS with httpsconnection to get some proxy https validation	r13424	[255]