##// END OF EJS Templates
merge with stable
merge with stable

File last commit:

r30234:34a5f6c6 stable
r30252:bb586966 merge default
Show More
test-https.t
639 lines | 33.0 KiB | text/troff | Tads3Lexer
Matt Mackall
tests: replace exit 80 with #require
r22046 #require serve ssl
Mads Kiilerich
serve: fix https mode and add test...
r12740
Matt Mackall
tests: replace exit 80 with #require
r22046 Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich
serve: fix https mode and add test...
r12740
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 Make server certificates:
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ CERTSDIR="$TESTDIR/sslcerts"
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
$ PRIV=`pwd`/server.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
timeless
cacert: improve error report when web.cacert file does not exist
r13544 cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
timeless
cacert: improve error report when web.cacert file does not exist
r13544 abort: could not find web.cacerts: no-such.pem
[255]
Mads Kiilerich
serve: fix https mode and add test...
r12740 Test server address cannot be reused
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 #if windows
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Simon Heimberg
tests: remove glob from output lines containing no glob character
r18682 abort: cannot start server at ':$HGPORT':
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 [255]
#else
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at ':$HGPORT': Address already in use
[255]
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 #endif
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ cd ..
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Gregory Szorc
tests: better testing of loaded certificates...
r29481 #if sslcontext defaultcacerts no-defaultcacertsloaded
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 $ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 [255]
Gregory Szorc
tests: better testing of loaded certificates...
r29481 #endif
#if no-sslcontext defaultcacerts
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: try to find CA certficates in well-known locations...
r29500 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
Gregory Szorc
tests: better testing of loaded certificates...
r29481 abort: error: *certificate verify failed* (glob)
[255]
#endif
Gregory Szorc
sslutil: handle default CA certificate loading on Windows...
r29489 #if no-sslcontext windows
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
Gregory Szorc
sslutil: handle default CA certificate loading on Windows...
r29489 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
abort: error: *certificate verify failed* (glob)
[255]
#endif
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
r29499 #if no-sslcontext osx
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
r29499 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
abort: localhost certificate error: no certificate received
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
r29499 [255]
#endif
Gregory Szorc
tests: better testing of loaded certificates...
r29481 #if defaultcacertsloaded
$ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: try to find CA certficates in well-known locations...
r29500 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
Gregory Szorc
tests: better testing of loaded certificates...
r29481 abort: error: *certificate verify failed* (glob)
[255]
#endif
#if no-defaultcacerts
Gregory Szorc
tests: test case where default ca certs not available...
r29448 $ hg clone https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: issue warning when unable to load certificates on OS X...
r29499 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
Gregory Szorc
tests: test case where default ca certs not available...
r29448 abort: localhost certificate error: no certificate received
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
Gregory Szorc
tests: test case where default ca certs not available...
r29448 [255]
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 #endif
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 Specifying a per-host certificate file that doesn't exist will abort
$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
[255]
A malformed per-host certificate file will raise an error
$ echo baddata > badca.pem
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 #if sslcontext
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 abort: error loading CA file badca.pem: * (glob)
(file is empty or malformed?)
[255]
#else
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Durham Goode
tests: increase test-https malform error glob...
r29356 abort: error: * (glob)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 [255]
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 #endif
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
A per-host certificate mismatching the server will fail verification
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 (modern ssl is able to discern whether the loaded cert is a CA cert)
#if sslcontext
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
abort: error: *certificate verify failed* (glob)
[255]
#else
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 abort: error: *certificate verify failed* (glob)
[255]
Gregory Szorc
sslutil: emit warning when no CA certificates loaded...
r29449 #endif
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334
A per-host certificate matching the server's cert will be accepted
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
A per-host certificate with multiple certs and one matching will be accepted
$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Defining both per-host certificate and a fingerprint will print a warning
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 Inability to verify peer certificate will result in abort
Mads Kiilerich
serve: fix https mode and add test...
r12740
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 [255]
$ hg clone --insecure https://localhost:$HGPORT/ copy-pull
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
r12740 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg verify -R copy-pull
checking changesets
checking manifests
crosschecking files in changesets and manifests
checking files
4 files, 1 changesets, 4 total revisions
$ cd test
$ echo bar > bar
$ hg commit -A -d '1 0' -m 2
adding bar
$ cd ..
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pull without cacert
Mads Kiilerich
serve: fix https mode and add test...
r12740
$ cd copy-pull
FUJIWARA Katsunori
tests: invoke printenv.py via sh -c for test portability...
r30234 $ cat >> .hg/hgrc <<EOF
> [hooks]
> changegroup = sh -c "printenv.py changegroup"
> EOF
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ hg pull $DISABLECACERTS
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 [255]
$ hg pull --insecure
pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
r12740 searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
Mateusz Kwapich
hooks: add HG_NODE_LAST to txnclose and changegroup hook environments...
r27739 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
Mads Kiilerich
serve: fix https mode and add test...
r12740 (run 'hg update' to get a working copy)
$ cd ..
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 cacert configured in local repo
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
$ echo "[web]" >> copy-pull/.hg/hgrc
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
Augie Fackler
test-https: drop two spurious --traceback flags...
r29842 $ hg -R copy-pull pull
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 cacert configured globally, also testing expansion of environment
variables in the filename
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg -R copy-pull pull
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
Gregory Szorc
tests: add test for empty CA certs file...
r29445 empty cacert file
$ touch emptycafile
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446
#if sslcontext
$ hg --config web.cacerts=emptycafile -R copy-pull pull
pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 abort: error loading CA file emptycafile: * (glob)
(file is empty or malformed?)
[255]
#else
Gregory Szorc
tests: add test for empty CA certs file...
r29445 $ hg --config web.cacerts=emptycafile -R copy-pull pull
pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: add test for empty CA certs file...
r29445 abort: error: * (glob)
[255]
Gregory Szorc
sslutil: display a better error message when CA file loading fails...
r29446 #endif
Gregory Szorc
tests: add test for empty CA certs file...
r29445
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 cacert mismatch
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
> https://127.0.0.1:$HGPORT/
Augie Fackler
tests: add (glob) annotations to output lines with 127.0.0.1
r29519 pulling from https://127.0.0.1:$HGPORT/ (glob)
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
tests: add (glob) annotations to output lines with 127.0.0.1
r29519 abort: 127.0.0.1 certificate error: certificate is for localhost (glob)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
> https://127.0.0.1:$HGPORT/ --insecure
Augie Fackler
tests: add (glob) annotations to output lines with 127.0.0.1
r29519 pulling from https://127.0.0.1:$HGPORT/ (glob)
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
tests: add (glob) annotations to output lines with 127.0.0.1
r29519 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
> --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Test server cert which isn't valid yet
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg1.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
> https://localhost:$HGPORT1/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT1/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Test server cert which no longer is valid
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg2.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
> https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 Disabling the TLS 1.0 warning works
$ hg -R copy-pull id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
> --config hostsecurity.disabletls10warning=true
5fed3813f7f5
Gregory Szorc
sslutil: support defining cipher list...
r29577 #if no-sslcontext no-py27+
Setting ciphers doesn't work in Python 2.6
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
abort: setting ciphers in [hostsecurity] is not supported by this version of Python
(remove the config option or run Mercurial with a modern Python version (preferred))
[255]
#endif
Setting ciphers works in Python 2.7+ but the error message is different on
legacy ssl. We test legacy once and do more feature checking on modern
configs.
#if py27+ no-sslcontext
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
abort: *No cipher can be selected. (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
5fed3813f7f5
#endif
#if sslcontext
Setting ciphers to an invalid value aborts
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: support defining cipher list...
r29577 abort: could not set ciphers: No cipher can be selected.
(change cipher string (invalid) in config)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: support defining cipher list...
r29577 abort: could not set ciphers: No cipher can be selected.
(change cipher string (invalid) in config)
[255]
Changing the cipher string works
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: support defining cipher list...
r29577 5fed3813f7f5
#endif
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 Fingerprints
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 - works without cacerts (hostkeyfingerprints)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 - works without cacerts (hostsecurity)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and first matches
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and last matches
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and none match
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 (check hostfingerprint configuration)
[255]
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
Gregory Szorc
sslutil: reference appropriate config section in messaging...
r29268 (check hostsecurity configuration)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - fails when cert doesn't match hostname (port is ignored)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
r15997 (check hostfingerprint configuration)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 [255]
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - ignores that certificate doesn't match hostname
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Mads Kiilerich
tests: test https through http proxy...
r13423
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 Ports used by next test. Kill servers.
$ killdaemons.py hg0.pid
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ killdaemons.py hg1.pid
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ killdaemons.py hg2.pid
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 #if sslcontext tls1.2
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 Start servers running supported TLS versions
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.0
$ cat ../hg0.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.1
$ cat ../hg1.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.2
$ cat ../hg2.pid >> $DAEMON_PIDS
$ cd ..
Clients talking same TLS versions work
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
5fed3813f7f5
Clients requiring newer TLS version than what server supports fail
Gregory Szorc
sslutil: require TLS 1.1+ when supported...
r29560 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: require TLS 1.1+ when supported...
r29560 abort: error: *unsupported protocol* (glob)
[255]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 abort: error: *unsupported protocol* (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 abort: error: *unsupported protocol* (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 abort: error: *unsupported protocol* (glob)
[255]
Gregory Szorc
sslutil: allow TLS 1.0 when --insecure is used...
r29617 --insecure will allow TLS 1.0 connections and override configs
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
5fed3813f7f5
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 The per-host config option overrides the default
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.minimumprotocol=tls1.2 \
> --config hostsecurity.localhost:minimumprotocol=tls1.0
5fed3813f7f5
The per-host config option by itself works
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:minimumprotocol=tls1.2
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 abort: error: *unsupported protocol* (glob)
[255]
Gregory Szorc
hg: copy [hostsecurity] options to remote ui instances (issue5305)...
r29616 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
$ cat >> copy-pull/.hg/hgrc << EOF
> [hostsecurity]
> localhost:minimumprotocol=tls1.2
> EOF
$ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: improve messaging around unsupported protocols (issue5303)...
r29619 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
Gregory Szorc
tests: glob over ssl error...
r29635 abort: error: *unsupported protocol* (glob)
Gregory Szorc
hg: copy [hostsecurity] options to remote ui instances (issue5305)...
r29616 [255]
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ killdaemons.py hg0.pid
$ killdaemons.py hg1.pid
$ killdaemons.py hg2.pid
#endif
Matt Mackall
tests: fix startup/shutdown races in test-https...
r16300
Mads Kiilerich
tests: test https through http proxy...
r13423 Prepare for connecting through proxy
Gregory Szorc
sslutil: config option to specify TLS protocol version...
r29559 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
$ cat hg0.pid >> $DAEMON_PIDS
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
$ cat hg2.pid >> $DAEMON_PIDS
tinyproxy.py doesn't fully detach, so killing it may result in extra output
from the shell. So don't kill it.
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich
tests: use 'do sleep 0' instead of 'do true', also on first line of command...
r16496 $ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich
tests: test https through http proxy...
r13423 $ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
Augie Fackler
test-https: drop two spurious --traceback flags...
r29842 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
tests: test https through http proxy...
r13423 searching for changes
no changes found
Test https with cacert and fingerprint through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub.pem"
Mads Kiilerich
tests: test https through http proxy...
r13423 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
tests: test https through http proxy...
r13423 searching for changes
no changes found
Gregory Szorc
tests: regenerate x509 test certificates...
r29526 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
Augie Fackler
tests: add (glob) annotations to output lines with 127.0.0.1
r29519 pulling from https://127.0.0.1:$HGPORT/ (glob)
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Mads Kiilerich
tests: test https through http proxy...
r13423 searching for changes
no changes found
Test https with cert problems through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
r13424 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Gregory Szorc
sslutil: print a warning when using TLS 1.0 on legacy Python...
r29561 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
r13424 [255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ killdaemons.py hg0.pid
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
#if sslcontext
Gregory Szorc
hgweb: use sslutil.wrapserversocket()...
r29555 Start hgweb that requires client certificates:
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
Gregory Szorc
hgweb: use sslutil.wrapserversocket()...
r29555 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 $ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 abort: error: *handshake failure* (glob)
[255]
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 > l.cert = $CERTSDIR/client-cert.pem
> l.key = $CERTSDIR/client-key.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 > EOT
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 5fed3813f7f5
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 > --config ui.interactive=True --config ui.nontty=True
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
Gregory Szorc
sslutil: more robustly detect protocol support...
r29601 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 abort: error: * (glob)
[255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 #endif