sslutil: abort when unable to verify peer connection (BC)

Previously, when we connected to a server and were unable to verify its certificate against a trusted certificate authority we would issue a warning and continue to connect. This is obviously not great behavior because the x509 certificate model is based upon trust of specific CAs. Failure to enforce that trust erodes security. This behavior was defined several years ago when Python did not support loading the system trusted CA store (Python 2.7.9's backports of Python 3's improvements to the "ssl" module enabled this).

This commit changes behavior when connecting to abort if the peer certificate can't be validated. With an empty/default Mercurial configuration, the peer certificate can be validated if Python is able to load the system trusted CA store. Environments able to load the system trusted CA store include:

* Python 2.7.9+ on most platforms and installations
* Python 2.7 distributions with a modern ssl module (e.g. RHEL7's patched 2.7.5 package)
* Python shipped on OS X

Environments unable to load the system trusted CA store include:

* Python 2.6
* Python 2.7 on many existing Linux installs (because they don't ship 2.7.9+ or haven't backported modern ssl module)
* Python 2.7.9+ on some installs where Python is unable to locate the system CA store (this is hopefully rare)

Users of these Pythons will need to configure Mercurial to load the system CA store using web.cacerts. This should ideally be performed by packagers (by setting web.cacerts in the global/system hgrc file). Where Mercurial packagers aren't setting this, the linked URL in the new abort message can contain instructions for users.

In the future, we may want to add more code for finding the system CA store. For example, many Linux distributions have the CA store at well-known locations (such as /etc/ssl/certs/ca-certificates.crt in the case of Ubuntu). This will enable CA loading to "just work" on more Python configurations and will be best for our users since they won't have to change anything after upgrading to a Mercurial with this patch.

We may also want to consider distributing a trusted CA store with Mercurial. Although we should think long and hard about that because most systems have a global CA store and Mercurial should almost certainly use the same store used by everything else on the system.
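
An added example (not Mercurial's code and not part of this commit) of the connection policy that the commit message and the test output on this page describe: pinned `hostsecurity.<host>:fingerprints` values are checked first, `--insecure` is an explicit opt-out, and with neither set the client refuses to connect when no CA certificates are loaded. The names `Abort`, `parse_fingerprints`, `format_fingerprint`, `loaded_ca_count` and `check_peer`, the `ca_count` parameter and the constructed certificate bytes are assumptions of this example.

```python
import hashlib
import hmac
import ssl

# Digest prefixes used by the hostsecurity fingerprints in the tests on this page.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed stand-in for a peer certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed-der-bytes-for-illustration"


class Abort(Exception):
    """Hypothetical error type: refuse the connection instead of warning."""


def parse_fingerprints(value):
    """Parse 'sha1:91:4f..., sha256:6209...' into [(alg, lowercase hex), ...]."""
    pins = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        alg, sep, digest = item.partition(":")
        if not sep or alg not in ALGORITHMS:
            raise Abort("fingerprint %r needs a sha1: or sha256: prefix" % item)
        digest = digest.replace(":", "").lower()
        wanted = ALGORITHMS[alg]().digest_size * 2
        if len(digest) != wanted or set(digest) - set("0123456789abcdef"):
            raise Abort("fingerprint %r is not %d hex digits" % (item, wanted))
        pins.append((alg, digest))
    return pins


def format_fingerprint(alg, der_cert):
    """Render a digest as 'alg:aa:bb:...', the form shown in the abort hints."""
    hexdigest = ALGORITHMS[alg](der_cert).hexdigest()
    pairs = [hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)]
    return alg + ":" + ":".join(pairs)


def loaded_ca_count():
    """Count CA certificates Python loaded from the system trust store.

    CAs that exist only in a capath directory are loaded lazily by OpenSSL
    and are not counted, so zero here does not always mean "no store".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    return ctx.cert_store_stats()["x509_ca"]


def check_peer(host, der_cert, fingerprints="", ca_count=0, insecure=False):
    """Return the trust path taken ('fingerprint', 'insecure' or 'ca').

    Order follows the test output on this page: pinned fingerprints are
    checked first (a mismatch aborts even with --insecure), then the
    explicit opt-out, then the requirement that some CA is loaded.
    'ca' means the caller still performs normal chain and hostname checks.
    """
    pins = parse_fingerprints(fingerprints)
    if pins:
        for alg, digest in pins:
            actual = ALGORITHMS[alg](der_cert).hexdigest()
            if hmac.compare_digest(actual, digest):
                return "fingerprint"
        shown = format_fingerprint(pins[-1][0], der_cert)
        raise Abort("certificate for %s has unexpected fingerprint %s" % (host, shown))
    if insecure:
        return "insecure"  # caller prints the eavesdropping/tampering warning
    if ca_count == 0:
        raise Abort("unable to verify security of %s (no loaded CA certificates); "
                    "refusing to connect" % host)
    return "ca"


if __name__ == "__main__":
    good = format_fingerprint("sha256", SAMPLE_DER)
    print(check_peer("localhost", SAMPLE_DER, fingerprints=good))
    print(check_peer("localhost", SAMPLE_DER, ca_count=loaded_ca_count(), insecure=True))
```
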

File last commit:

r29411:e1778b9c default
test-https.t
380 lines | 14.9 KiB | text/troff | Tads3Lexer
Matt Mackall
tests: replace exit 80 with #require
r22046 #require serve ssl
Mads Kiilerich
serve: fix https mode and add test...
r12740
Matt Mackall
tests: replace exit 80 with #require
r22046 Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich
serve: fix https mode and add test...
r12740
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 Make server certificates:
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ CERTSDIR="$TESTDIR/sslcerts"
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
$ PRIV=`pwd`/server.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
timeless
cacert: improve error report when web.cacert file does not exist
r13544 cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
abort: could not find web.cacerts: no-such.pem
[255]
Mads Kiilerich
serve: fix https mode and add test...
r12740 Test server address cannot be reused
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 #if windows
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Simon Heimberg
tests: remove glob from output lines containing no glob character
r18682 abort: cannot start server at ':$HGPORT':
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 [255]
#else
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at ':$HGPORT': Address already in use
[255]
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
r17023 #endif
Mads Kiilerich
serve: fix https mode and add test...
r12740 $ cd ..
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Yuya Nishihara
test-https: enable dummycert test only if Apple python is used (issue4500)...
r24289 #if defaultcacerts
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 $ hg clone https://localhost:$HGPORT/ copy-pull
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575 [255]
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 #endif
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 Specifying a per-host certificate file that doesn't exist will abort
$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
[255]
A malformed per-host certificate file will raise an error
$ echo baddata > badca.pem
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
Durham Goode
tests: increase test-https malform error glob...
r29356 abort: error: * (glob)
Gregory Szorc
sslutil: per-host config option to define certificates...
r29334 [255]
A per-host certificate mismatching the server will fail verification
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
abort: error: *certificate verify failed* (glob)
[255]
A per-host certificate matching the server's cert will be accepted
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
A per-host certificate with multiple certs and one matching will be accepted
$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Defining both per-host certificate and a fingerprint will print a warning
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
r22575
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 Inability to verify peer certificate will result in abort
Mads Kiilerich
serve: fix https mode and add test...
r12740
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)
[255]
$ hg clone --insecure https://localhost:$HGPORT/ copy-pull
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
r12740 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg verify -R copy-pull
checking changesets
checking manifests
crosschecking files in changesets and manifests
checking files
4 files, 1 changesets, 4 total revisions
$ cd test
$ echo bar > bar
$ hg commit -A -d '1 0' -m 2
adding bar
$ cd ..
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pull without cacert
Mads Kiilerich
serve: fix https mode and add test...
r12740
$ cd copy-pull
$ echo '[hooks]' >> .hg/hgrc
Matt Mackall
tests: simplify printenv calls...
r25478 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
r29288 $ hg pull $DISABLECACERTS
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: abort when unable to verify peer connection (BC)...
r29411 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)
[255]
$ hg pull --insecure
pulling from https://localhost:$HGPORT/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
serve: fix https mode and add test...
r12740 searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
Mateusz Kwapich
hooks: add HG_NODE_LAST to txnclose and changegroup hook environments...
r27739 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
Mads Kiilerich
serve: fix https mode and add test...
r12740 (run 'hg update' to get a working copy)
$ cd ..
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 cacert configured in local repo
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
$ echo "[web]" >> copy-pull/.hg/hgrc
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ hg -R copy-pull pull --traceback
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 cacert configured globally, also testing expansion of environment
variables in the filename
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan
url: expand path for web.cacerts
r13231 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg -R copy-pull pull
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
r13192
cacert mismatch
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
> https://127.0.0.1:$HGPORT/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://127.0.0.1:$HGPORT/
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
r15814 abort: 127.0.0.1 certificate error: certificate is for localhost
Gregory Szorc
sslutil: make cert fingerprints messages more actionable...
r29292 (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
> https://127.0.0.1:$HGPORT/ --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://127.0.0.1:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
> --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
r13328 searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
r12741
Test server cert which isn't valid yet
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg1.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
> https://localhost:$HGPORT1/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT1/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Test server cert which no longer is valid
Jun Wu
tests: reorder hg serve commands...
r28549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 $ cat hg2.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
> https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
r12741 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314
Fingerprints
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 - works without cacerts (hostkeyfingerprints)
Gregory Szorc
tests: don't save host fingerprints in hgrc...
r29263 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 - works without cacerts (hostsecurity)
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
5fed3813f7f5
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and first matches
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and last matches
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 - multiple fingerprints specified and none match
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
r28525 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
(check hostfingerprint configuration)
[255]
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print the fingerprint from the last hash used...
r29293 abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
Gregory Szorc
sslutil: reference appropriate config section in messaging...
r29268 (check hostsecurity configuration)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
r29267 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - fails when cert doesn't match hostname (port is ignored)
Gregory Szorc
tests: don't save host fingerprints in hgrc...
r29263 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
r15997 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
(check hostfingerprint configuration)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 [255]
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 - ignores that certificate doesn't match hostname
Gregory Szorc
tests: don't save host fingerprints in hgrc...
r29263 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
r13314 5fed3813f7f5
Mads Kiilerich
tests: test https through http proxy...
r13423
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
r18588 HGPORT1 is reused below for tinyproxy tests. Kill that server.
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ killdaemons.py hg1.pid
Matt Mackall
tests: fix startup/shutdown races in test-https...
r16300
Mads Kiilerich
tests: test https through http proxy...
r13423 Prepare for connecting through proxy
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich
tests: use 'do sleep 0' instead of 'do true', also on first line of command...
r16496 $ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich
tests: test https through http proxy...
r13423 $ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
tests: test https through http proxy...
r13423 searching for changes
no changes found
Test https with cacert and fingerprint through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub.pem"
Mads Kiilerich
tests: test https through http proxy...
r13423 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Gregory Szorc
tests: don't save host fingerprints in hgrc...
r29263 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
Mads Kiilerich
tests: test https through http proxy...
r13423 pulling from https://127.0.0.1:$HGPORT/
searching for changes
no changes found
Test https with cert problems through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
r13424 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
r13424 [255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ killdaemons.py hg0.pid
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413
#if sslcontext
Start patched hgweb that requires client certificates:
$ cat << EOT > reqclientcert.py
> import ssl
> from mercurial.hgweb import server
> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
>     @staticmethod
>     def preparehttpserver(httpserver, ssl_cert):
>         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>         sslcontext.verify_mode = ssl.CERT_REQUIRED
>         sslcontext.load_cert_chain(ssl_cert)
>         # verify clients by server certificate
>         sslcontext.load_verify_locations(ssl_cert)
>         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
>                                                    server_side=True)
> server._httprequesthandlerssl = _httprequesthandlersslclientcert
> EOT
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config extensions.reqclientcert=../reqclientcert.py
$ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 abort: error: *handshake failure* (glob)
[255]
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 > l.cert = $CERTSDIR/client-cert.pem
> l.key = $CERTSDIR/client-key.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 > EOT
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 5fed3813f7f5
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 > --config ui.interactive=True --config ui.nontty=True
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
r29331 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
r25415 abort: error: * (glob)
[255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
r25413 #endif