##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

convert: test for shell injection in git calls (SEC)...
convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.
Jun Wu - - Load All Authors

File last commit:

r28549:e01bd738 default
r28663:ae279d4a 3.7.3 stable
Show More
test-https.t
403 lines | 15.6 KiB | text/troff | Tads3Lexer
/ tests / test-https.t
History | Source | Raw |Copy content |Copy permalink
Matt Mackall
tests: replace exit 80 with #require
 r22046 #require serve ssl
Mads Kiilerich
serve: fix https mode and add test...
 r12740
Matt Mackall
tests: replace exit 80 with #require
 r22046 Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich
serve: fix https mode and add test...
 r12740
Certificates created with:
printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
Can be dumped with:
openssl x509 -in pub.pem -text
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
 r14193 $ cat << EOT > priv.pem
Mads Kiilerich
serve: fix https mode and add test...
 r12740 > -----BEGIN PRIVATE KEY-----
> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
> HY8gUVkVRVs=
> -----END PRIVATE KEY-----
> EOT
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
 r14193 $ cat << EOT > pub.pem
Mads Kiilerich
serve: fix https mode and add test...
 r12740 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
> -----END CERTIFICATE-----
> EOT
$ cat priv.pem pub.pem >> server.pem
$ PRIV=`pwd`/server.pem
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
 r14193 $ cat << EOT > pub-other.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
> -----END CERTIFICATE-----
> EOT
pub.pem patched with other notBefore / notAfter:
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
 r14193 $ cat << EOT > pub-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
> -----END CERTIFICATE-----
> EOT
$ cat priv.pem pub-not-yet.pem > server-not-yet.pem
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
 r14193 $ cat << EOT > pub-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 > -----BEGIN CERTIFICATE-----
> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
> -----END CERTIFICATE-----
> EOT
$ cat priv.pem pub-expired.pem > server-expired.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 Client certificates created with:
openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
-set_serial 01 -out client-cert.pem
$ cat << EOT > client-key.pem
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
>
> JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
> BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
> jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
> Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
> u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
> CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
> bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
> -----END RSA PRIVATE KEY-----
> EOT
$ cat << EOT > client-key-decrypted.pem
> -----BEGIN RSA PRIVATE KEY-----
> MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
> FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
> AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
> AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
> 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
> +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
> mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
> -----END RSA PRIVATE KEY-----
> EOT
$ cat << EOT > client-cert.pem
> -----BEGIN CERTIFICATE-----
> MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
> GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
> OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
> R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
> MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
> NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
> -----END CERTIFICATE-----
> EOT
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
timeless
cacert: improve error report when web.cacert file does not exist
 r13544 cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
abort: could not find web.cacerts: no-such.pem
[255]
Mads Kiilerich
serve: fix https mode and add test...
 r12740 Test server address cannot be reused
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 #if windows
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Simon Heimberg
tests: remove glob from output lines containing no glob character
 r18682 abort: cannot start server at ':$HGPORT':
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 [255]
#else
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at ':$HGPORT': Address already in use
[255]
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 #endif
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ cd ..
Mads Kiilerich
ssl: only use the dummy cert hack if using an Apple Python (issue4410)...
 r23042 OS X has a dummy CA cert that enables use of the system CA store when using
Apple's OpenSSL. This trick do not work with plain OpenSSL.
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575
$ DISABLEOSXDUMMYCERT=
Yuya Nishihara
test-https: enable dummycert test only if Apple python is used (issue4500)...
 r24289 #if defaultcacerts
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 $ hg clone https://localhost:$HGPORT/ copy-pull
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 [255]
Yuya Nishihara
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)...
 r24290 $ DISABLEOSXDUMMYCERT="--config=web.cacerts=!"
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 #endif
Mads Kiilerich
serve: fix https mode and add test...
 r12740 clone via pull
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich
serve: fix https mode and add test...
 r12740 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg verify -R copy-pull
checking changesets
checking manifests
crosschecking files in changesets and manifests
checking files
4 files, 1 changesets, 4 total revisions
$ cd test
$ echo bar > bar
$ hg commit -A -d '1 0' -m 2
adding bar
$ cd ..
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 pull without cacert
Mads Kiilerich
serve: fix https mode and add test...
 r12740
$ cd copy-pull
$ echo '[hooks]' >> .hg/hgrc
Matt Mackall
tests: simplify printenv calls...
 r25478 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 $ hg pull $DISABLEOSXDUMMYCERT
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich
serve: fix https mode and add test...
 r12740 searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
Mateusz Kwapich
hooks: add HG_NODE_LAST to txnclose and changegroup hook environments...
 r27739 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
Mads Kiilerich
serve: fix https mode and add test...
 r12740 (run 'hg update' to get a working copy)
$ cd ..
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 cacert configured in local repo
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
$ echo "[web]" >> copy-pull/.hg/hgrc
$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
$ hg -R copy-pull pull --traceback
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
Eduard-Cristian Stefan
url: expand path for web.cacerts
 r13231 cacert configured globally, also testing expansion of environment
variables in the filename
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192
$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan
url: expand path for web.cacerts
 r13231 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
$ P=`pwd` hg -R copy-pull pull
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 $ P=`pwd` hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192
cacert mismatch
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://127.0.0.1:$HGPORT/
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
 r15814 abort: 127.0.0.1 certificate error: certificate is for localhost
(configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://127.0.0.1:$HGPORT/
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Test server cert which isn't valid yet
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
 r14193 $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ cat hg1.pid >> $DAEMON_PIDS
$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT1/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Test server cert which no longer is valid
Augie Fackler
test-https.t: clean up superfluous trailing whitespace
 r14193 $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ cat hg2.pid >> $DAEMON_PIDS
$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314
Fingerprints
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
- works without cacerts
Yuya Nishihara
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)...
 r24290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 5fed3813f7f5
- fails when cert doesn't match hostname (port is ignored)
$ hg -R copy-pull id https://localhost:$HGPORT1/
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
 r15997 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
(check hostfingerprint configuration)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 [255]
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
 r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 - ignores that certificate doesn't match hostname
$ hg -R copy-pull id https://127.0.0.1:$HGPORT/
5fed3813f7f5
Mads Kiilerich
tests: test https through http proxy...
 r13423
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
 r18588 HGPORT1 is reused below for tinyproxy tests. Kill that server.
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ killdaemons.py hg1.pid
Matt Mackall
tests: fix startup/shutdown races in test-https...
 r16300
Mads Kiilerich
tests: test https through http proxy...
 r13423 Prepare for connecting through proxy
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich
tests: use 'do sleep 0' instead of 'do true', also on first line of command...
 r16496 $ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich
tests: test https through http proxy...
 r13423 $ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Mads Kiilerich
tests: update test-https.t output...
 r13438 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
Mads Kiilerich
tests: test https through http proxy...
 r13423 searching for changes
no changes found
Test https with cacert and fingerprint through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
pulling from https://localhost:$HGPORT/
searching for changes
no changes found
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
pulling from https://127.0.0.1:$HGPORT/
searching for changes
no changes found
Test https with cert problems through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
 r13424 [255]
Mads Kiilerich
tests: test https through http proxy...
 r13423 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
 r13424 [255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ killdaemons.py hg0.pid
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
#if sslcontext
Start patched hgweb that requires client certificates:
$ cat << EOT > reqclientcert.py
> import ssl
> from mercurial.hgweb import server
> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
> @staticmethod
> def preparehttpserver(httpserver, ssl_cert):
> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
> sslcontext.verify_mode = ssl.CERT_REQUIRED
> sslcontext.load_cert_chain(ssl_cert)
> # verify clients by server certificate
> sslcontext.load_verify_locations(ssl_cert)
> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
> server_side=True)
> server._httprequesthandlerssl = _httprequesthandlersslclientcert
> EOT
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config extensions.reqclientcert=../reqclientcert.py
$ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
$ P=`pwd` hg id https://localhost:$HGPORT/
abort: error: *handshake failure* (glob)
[255]
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
> l.cert = client-cert.pem
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415 > l.key = client-key.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 > EOT
$ P=`pwd` hg id https://localhost:$HGPORT/ \
> --config auth.l.key=client-key-decrypted.pem
5fed3813f7f5
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415 $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \
> --config ui.interactive=True --config ui.nontty=True
passphrase for client-key.pem: 5fed3813f7f5
$ env P=`pwd` hg id https://localhost:$HGPORT/
abort: error: * (glob)
[255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 #endif