# HG changeset patch # User Gregory Szorc # Date 2016-07-13 05:26:04 # Node ID 9d02bed8477bec7f679d6aeb5b1dd8bcdb80f64d # Parent d8f2c718deec0f1402cee82532379e36f9183c1b tests: regenerate x509 test certificates The old x509 test certificates were using cryptographic settings that are ancient by today's standards, namely 512 bit RSA keys. To put things in perspective, browsers have been dropping support for 1024 bit RSA keys. I think it is important that tests match the realities of the times. And 2048 bit RSA keys with SHA-2 hashing are what the world is moving to. This patch replaces all the x509 certificates with new versions using modern best practices. In addition, the docs for generating the keys have been updated, as the existing docs left out a few steps, namely how to generate certs that were not active yet or expired. diff --git a/tests/sslcerts/README b/tests/sslcerts/README --- a/tests/sslcerts/README +++ b/tests/sslcerts/README @@ -1,26 +1,50 @@ -Certificates created with: - printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ - openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem -Can be dumped with: - openssl x509 -in pub.pem -text +Generate a private key (priv.pem): + + $ openssl genrsa -out priv.pem 2048 + +Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): + + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem + + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem - - priv.pem - - pub.pem - - pub-other.pem +Now generate an expired certificate by turning back the system time: + + $ date --set='2016-01-01T00:00:00Z' + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem -pub.pem patched with other notBefore / notAfter: +Generate a certificate not yet active by advancing the system time: + + $ date --set='2030-01-01T00:00:00Z' + $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ + openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem - - pub-not-yet.pem - - pub-expired.pem +Note: When adjusting system time, verify the time change sticks. If running +systemd, you may want to use `timedatectl set-ntp false` and e.g. +`timedatectl set-time '2016-01-01 00:00:00'` to set system time. + +Generate a passphrase protected client certificate private key: + + $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 + +Create a copy of the private key without a passphrase: + + $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem -Client certificates created with: - openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512 - openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem - printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ - openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem - openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ - -set_serial 01 -out client-cert.pem +Create a CSR and sign the key using the server keypair: + + $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ + openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem + $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ + -set_serial 01 -out client-cert.pem - - client-key.pem - - client-key-decrypted.pem - - client-cert.pem +When replacing the certificates, references to certificate fingerprints will +need to be updated in test files. + +Fingerprints for certs can be obtained by running: + + $ openssl x509 -in pub.pem -noout -sha1 -fingerprint + $ openssl x509 -in pub.pem -noout -sha256 -fingerprint diff --git a/tests/sslcerts/client-cert.pem b/tests/sslcerts/client-cert.pem --- a/tests/sslcerts/client-cert.pem +++ b/tests/sslcerts/client-cert.pem @@ -1,9 +1,17 @@ -----BEGIN CERTIFICATE----- -MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx -GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z -OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv -c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH -R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB -MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/ -NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A== +MIICyTCCAbECAQEwDQYJKoZIhvcNAQELBQAwMTESMBAGA1UEAwwJbG9jYWxob3N0 +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwHhcNMTYwNzEzMDQ0NzIxWhcN +NDEwMzA0MDQ0NzIxWjAkMSIwIAYJKoZIhvcNAQkBFhNoZy1jbGllbnRAbG9jYWxo +b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6upuVmEs1dTpBWRe +4LLM1ARhnMQpI6jaQ8JKzQghMU/3T3n6Qkimt2HmxuiczvsawAbUPpBAxZbBnKmX +bKMiXjtQaO4o4gnyNZVuBgkq2Grc2BREOf0vtUvnPumlnjyAcMNRm6iVbbOerPzV +Dn1nH7Ljf9UKyGl/Qj6eOAgez/TDui2fo5FUfaqUzF8B7FoaRmsErZZU9pJ+etKX +M2DlLGofYNbOi+K0RbPypKNzeInNUnvh9JXKntmLQHRwXDSvcGveKepfVlmz/qme +DqhQSonIXTektdyZ5g9dOvxEjQSYHp+7exIKvrpXLfou3s9nCUTs6ekQLi1Tb4Pn +gbhauwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDVgUHJlu4quQCfeHPoemj+6Jp+ +M140lY7DGFyiGfHP7KcxXiJHagbUC5D1IPYARwhh7Rdssy0FsmWQKYl8LXKvstz4 +zCgz9gxb7vydkZLF49lP1I13Pekoz99381RrXUYomHbx6jKPiOha7ikfAUefop0n +uwfeQ5f6mfr0AcXmu6W7PHYMcPTK0ZyzoZwobRktKZ+OiwjW/nyolbdXxwU+kRQs +r0224+GBuwPWmXAobHgPhtClHXYa2ltL1qFFQJETJt0HjhH89jl5HWJl8g3rqccn +AkyiRIGDAWJsiQTOK7iOy0JSbmT1ePrhAyUoZO8GPbBsOdSdBMM32Y3HAKQz -----END CERTIFICATE----- diff --git a/tests/sslcerts/client-key-decrypted.pem b/tests/sslcerts/client-key-decrypted.pem --- a/tests/sslcerts/client-key-decrypted.pem +++ b/tests/sslcerts/client-key-decrypted.pem @@ -1,9 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb -FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6 -AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT -AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop -4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5 -+MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01 -mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY +MIIEpQIBAAKCAQEA6upuVmEs1dTpBWRe4LLM1ARhnMQpI6jaQ8JKzQghMU/3T3n6 +Qkimt2HmxuiczvsawAbUPpBAxZbBnKmXbKMiXjtQaO4o4gnyNZVuBgkq2Grc2BRE +Of0vtUvnPumlnjyAcMNRm6iVbbOerPzVDn1nH7Ljf9UKyGl/Qj6eOAgez/TDui2f +o5FUfaqUzF8B7FoaRmsErZZU9pJ+etKXM2DlLGofYNbOi+K0RbPypKNzeInNUnvh +9JXKntmLQHRwXDSvcGveKepfVlmz/qmeDqhQSonIXTektdyZ5g9dOvxEjQSYHp+7 +exIKvrpXLfou3s9nCUTs6ekQLi1Tb4PngbhauwIDAQABAoIBABATjQuCSPQ1RuEk +lk2gTt4vkpKM5hfXpWA/uqi/Zq4eP9mDinngyPAB1i5Emv6bNqBvlzTU4GnlQEi9 +XmyD2YVDX+RecBPQBHBgUpA9Ll5zKbvr3yNszUgF8sRebwQeNdgBteMGLXu9cB18 +jAQa1uTXdDQ6WyuN9LSO3nsNKzal8uucnZxdfFDIHx0MahPlrPfAkqzeKxxfyyRE +jzia24oE+ewE8GHX/TvYnPybCPmBtRwbldA32vx8HbDCvlJanw3dyL98isBa5prr +DsFaDltWzTKdJOIntdTJXRUDwYp7526bUEdGo/1FddbjW6Th8sXiJu91nL3BD/Qk +mW102bECgYEA/zEtKgXjPeV9e3/vvAYU2Bsq8TkmhU6ZiZOQCdPWUNOsyfxibJBk +XXsldtZ111vX/+fdGVPFJRoL1Qf4Xjf3MILVhAAcmfTpnWkdbveOrdCjbACE/ReQ +xkExZdXhBd9YTS8IelL/Hv45FUo7UWWitgtvTG6caN3LaBTx1o2DiTkCgYEA66jS +RQrsjRNT+cf7HBmKrKd7EknAH2v83ZyPd49BSBiNnmWaqPG2NxCLWpKks20xvRo2 +j8nftCsu9vSXv+KLnSb2CfOefvNoui7wQyiiWxrMBEPn8DS5E7ctqAiIhQsWEK+e +n9E0PW/wyKI1Gk5U1nHwEJt196kYPzD8QgnwB5MCgYEAloVrHl5aqyex3CaaQU1U +/iMIMUCEeBzkc0GWtDU/NG2mfX1gkKiaiokYj//vgheqUEdzIn1Gy5uRXxZUaT6Z +jwOc7T8jn6vWIALgWZOrlNp7ijjEOISt4EKT4H1HPS9/5gbX+U77LEzHXsdqNZi9 +YKNeArc7ip9IWxv/iY3vCAECgYEAgMjOuGqC4Ynpf3x5T17p+PbB/DmPo9xY4ScZ +BEamb2bzpddy0NbfNHJ3JXU0StXms6gqnyO8e/KJhO4gK/37PFO5a7DWMhyFZBIY +vSrspwsa6U3O5+d4KT0W11hqewKW+WFwN3iVqumM1ahHiuu500OK5RiAPGsNVCNK +CDD0Gr8CgYEAzwTt62ke3zCFOZ2E6EIR6eM+0Q9+B5zceU8DAZaTTxP4532HnT6/ +iHMQvUh0KBE4Rxw3MeSgpe7gKIcMKXubrcDIsEz8vhhOM1xsYIzVEWLtoCLPTaSF +OWQsk98VDt3SgEjb25nOjJ24zZzUVk45OiGUoxfn1Bp6BbJH7IDihCk= -----END RSA PRIVATE KEY----- diff --git a/tests/sslcerts/client-key.pem b/tests/sslcerts/client-key.pem --- a/tests/sslcerts/client-key.pem +++ b/tests/sslcerts/client-key.pem @@ -1,12 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8 +DEK-Info: AES-256-CBC,ADE9D82AA8D8023CD4E9B67FECD9FE08 -JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF -BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS -jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7 -Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2 -u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/ -CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl -bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0= +tjMPfTx/dFicleUbh4pH4f5RUtgZwamcU/uy246wk+f2EBG7pVKEEmoXm8rWW2tW +xlp9BjL6yCBxoB/GGPjFAoqjQmnUQMxy/P0OWqur3t0+GrB4Fw9hB82fxgnAaydF +10fw+bRMCfxJMRfa2nEkLzL9za6TF0IOvAYYza/rCxgOQiLg/py9V29wjVnIW9Dt +B/GxfblTv9K2JBEVdKNWIGT1ZGxem8qiXctbufIXDr+dEEoFUKh+wvkmwVhBaSXi +gw6fAoATz0Lpd+9d0bqEC1wC3NFdxABYUjZMQ7+xtNzaSCdXiWgv4ix1kzoY8rIi +mnaSH1VdO27fzA0aOgi6/FAYCT0H3bEQIPgcA47kpty8a27OCylHZGa+vnmBnEtv +qZeO9kX3Dmoi7vzXL8vjf41ZY7eTU6kYWktdBw/gM65goGINPFx85gli3k5I7+TR +DQ1shyAmmMU9rH+YamZ9Hs4SLfAe7xPI/7i/upMsz56c57/HlvUwHr0as+L7WDZP +iX/oW2DQmwN/C5owMPttM7dg2PvSw/Blte5lvloLbmhQTzzw0MDkPHkGt+5Hhjcl +NwoaVCzT4Kg3E7fcXrKr80vYP9fOQIbCT5qtZ2/cTNLk8XYmLJm8Q7e1XqvuY9sQ +K7xQ5iLz0PjWDtgbculcb3tQIIUcf/Ss9nCakWr6r4pPIQjDVJh07L7ou76n2PVs +zJh6cJBgTEUaRWTQgGVH9euyQU3pXHLR0nk5zN4uAOVWdR7eiiskYwT3pM6HiER8 +ZYTs+fJtQD9gJPhBAa3LX5L7kWADxGFdAH5qoTn1SSJY4RIVFVfRfxXmQuTGlRQB +UEh5Q3bdYKeauw3E9kBaYMYu19223XsAyuvs7/nB02DV6dFjTCGLsrv3JEgf+Wx6 +biCfoOrR1Kt2ez8QR9/6TIbz36kc2Jo3m2jKqUrNx1/gLj+coklSET09IwRZ0voi +7ype+4mHFEzwiSxmugLfdnU8d9PkzFzUiu3qSYeD2DR9hBgnZtgu0fFnSCmqFDXG +H1yWy6X6Wiqx6abPVq1ODZgeTmsjJsMLDB6PUbQyESp9ICRJyPPCrMi6UpLrWMto +A764n5w8B2g/GPJfz1sPePZYi6sumd9UqTQ8UhM644oOlxPWufiBeTiPm1W73PSZ +6DmLyVEh+kcfID6xq3tWVAuiPO1jMpQGoLKXO7oxGvmTNY/Va++j22DpzNoj1hTJ +cnFOQZARKrSooAnngwUP68tGVo/+fxzWG95t7IZy8BvszP09VT1jcHOfFIZqHa/V +rI/JrWSK+tu75Ot63QQpm1x7xSctMZg71w7riVipA+8F1FBdmp+lhOQkEMytngIA +jKovkuwo8AiQvYCDspEcGSroQmOh1d5TraRyhTuRdiefLVSh05kVGCd6/UsVqdZs +j+HEyepn4/A9xpHRBTWfCwBFFktAgSdCUOLh5xsT2MbbT/0wDoneD/uay0NakWXB +zuVsaasx0Yl2cqvXKVUMphmbqMa859BNVqEK3l3tYZdvHiwT8J1LnEEK4KiBa2zZ ++8FcFvD8x1NZBcCBArYP59MbCQOC2QBPJe/oCiUVhN8kRIwlwOhytbW+QIuLZHi4 -----END RSA PRIVATE KEY----- diff --git a/tests/sslcerts/priv.pem b/tests/sslcerts/priv.pem --- a/tests/sslcerts/priv.pem +++ b/tests/sslcerts/priv.pem @@ -1,10 +1,27 @@ ------BEGIN PRIVATE KEY----- -MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH -aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8 -j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc -EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG -MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR -+wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy -aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh -HY8gUVkVRVs= ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA2Ugt7jQrD+u+JtIfXZpVepzOAufcX4CMoHV95qZXZml2juGp +x3T7wjQPB/IPoOpRG9CoCaekKK+bIqQX1qNuiUa2CsqchNQcua2js5DTttmRYC+f +wHaQc0UY1QKe/0r8NFX1XoeIWfuL+0UAERoI1zmhu9px5326C7PoyBPIubT0ejLV +LfciFgyHDmqvYGu6cUBpNFrAi8csPNGcyie1Axh0wZ/9jvHdN+iGmaV9GZObGv0G +ZpbWlJm8fG+mH1qMFYA6mnknJbEBBTnV0IWdGJalGnz+5GfCvhxzYcEWmLDeO/7F +NrWMVT9L8Ky65cygCeJ4lEW1XB1w/6rQYjaSnwIDAQABAoIBAAwDAH8FpUfJCYcN +4KwFByqzFnR0qusgqSWJuT8R/QztUZ+OfBtJrU1MIXSX/iMwMPGvtEpsWRfitVnR +5nt4J3kxTokEMGjrbPca0Uzw+bNHDdFacKNsKookzL2h2nZUh+LAycLDDVekH1Xx +t5I6dTiot/cxmVBp0+ontPuylEsnyrQio6eljBfPzxBdRp2lkiymKf3jvbGXRnZ4 +jSFTRuUlbnVbZ3CKnFPU+d5tvn2nEwU/DVbGpJNZAPl99Q0XUcNF3AtGlwGMvi0X +azcIIOn+swLjn+U2S6i3K234ItYS5I+c9Xi+9DO4fuVko+CQ8PWXP2HdAze7DENc +zADmd0kCgYEA7nN+qUFAmMOcRE8nSNLt7mcwq6fYQ1MVGikCIXn/PI/wfEqY0lws +ZhwykBXog0S7PzYkR3LcDOqN0wDcdJ3K4c/a6Z6IqbXMgxaosYfHCCMtdhy0g0F2 +ek0SaY3WQhpFRIG19hvB+ZJSc7JQt+TaXeb8HM1452kmOLpfQGiqqTsCgYEA6UXZ +bI7c2jO1X+rWF2tZfZdtdeVrIVcm8BunF7ETC4iK/iH2phRQQAh4TFZm6wkX57Tv +LKDGxmohFlEK7FOtSCeSSVfkvZYRBuHOYcwBgBr1XzXXjHcMoyr0+LflZysht151 +9F0hJwdGQZrivZnv9clJ632RlgE4XlPGskQhRe0CgYEAxVGdhsIQilmUfpJhl8m0 +SovpoqKKO2wNElDNCpbBt4QFJVU1kR3lP7olvUXj2nyN1okfDGDn52hRZEJaK8ZH +lQVDyf7+aDGgwvmFLyOEeB9kB1FJrzQErsAIdICCxMCogUA1KytdIQEMaeEtGn+u +k/YIumztl9FTZ64SFGKIlvECgYEA25Kb7csrp1g0yWxKyRCK0+TNa8Pe6ysVw7zD +s1FCFAEak8t0Vy+Xui4+zdwmU+XjUn7FAsTzVaBgNJlkJr88xEY7ND4/WRUAQfIa +SYO1hdfaTxxnIBiPFKdCnzq5/DplKi0H6lQe+JWoU+hutPlJHZmysq8ncoMDhAZn +aTUn/KECgYEAvxGaWt4Fn2tRrHeaG0qT+nMBxd8cTiFInOcYDeS/FlQo3DTDK2Ai +qLBa4DinnGN2hSKwnN3R5R2VRxk4I6+ljG0yuNBhJBcAgAFpnHfkuY1maQJB+1xY +A07WcM4J3yuPfjcDkipNFQa4Y8oJCaS2yiOPvlUfNQrCLAV+YqHZiiQ= +-----END RSA PRIVATE KEY----- diff --git a/tests/sslcerts/pub-expired.pem b/tests/sslcerts/pub-expired.pem --- a/tests/sslcerts/pub-expired.pem +++ b/tests/sslcerts/pub-expired.pem @@ -1,10 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs -aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx -NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv -c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK -EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA -+ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T -BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt -2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ= +MIIDNTCCAh2gAwIBAgIJANRJCnkBtkkOMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2 +MDEwMTA4MDAzMFoXDTE2MDEwMjA4MDAzMFowMTESMBAGA1UEAwwJbG9jYWxob3N0 +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6 +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47 +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBnY2r60iGg +0BqR5vOj//XjS1FZKNG6+n3MKgxBY3pqFbqsCJfX5GfWD3GHJRXzv3p1MXIP3BWj +zFutg+FE2QChQFwZjJu3E1VnIZN5ytYBltGHwaCEUdGq9sAZ9R2Jdf8xhQa5h+1U +NZJvYbhCyecnUh2/Dkj2pFoF7wv7BtWFJV20WzHesN/Dik51cr6yFSn4nJb6YAMw +t4/Vnf24v36WwnBoO5VqO+ntISTD6CS3EE5Gqv2ZMQtFaMoRfKIBaDIKHvbYeXdX +2gDTKWnS5KJYWmsl6N2CPjrHJJphaFGSKFAivmT24Q+JSKcC9hww7gvnGcVmsFan +H5xwzFQW2cna -----END CERTIFICATE----- diff --git a/tests/sslcerts/pub-not-yet.pem b/tests/sslcerts/pub-not-yet.pem --- a/tests/sslcerts/pub-not-yet.pem +++ b/tests/sslcerts/pub-not-yet.pem @@ -1,10 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs -aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw -NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv -c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK -EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA -+ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T -BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb -/12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0= +MIIDNTCCAh2gAwIBAgIJAJvD5nejIHr2MA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTMw +MDEwMTA4MDAwOFoXDTMwMDEwMjA4MDAwOFowMTESMBAGA1UEAwwJbG9jYWxob3N0 +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6 +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47 +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC0VDzAqPiL +6U8yqaQqXdS6iK49yDQe9qzxzNnAZnj4YCsa5+qYSf+jl49Rak+pGw3AmN9gl6xq +aaP5xAlS8F0lnfZ5NcXmmp4Lt25qdu9J9qIPEAL4/ucirDr/cphCbDtzaWsrfi9j +YjVzSqoSEdnV1x9GkkLVwQRmA+D/2+95pgx6UNchqMbXuEQkAv9kVOzSG62OOAzO +z2Wct6b+DFbfFI0xcvKeJRGogjkd5QrF1XxU7e5u17DAN7/nhahv43ol3eC/fUiH +ITZpEc+/WdVtUwZQtoEQuBLB1Mc8QvYUUksUv9+KVjZ4o2oqApup7k7oMSPYNPTf +2O99CXjOCl9k -----END CERTIFICATE----- diff --git a/tests/sslcerts/pub-other.pem b/tests/sslcerts/pub-other.pem --- a/tests/sslcerts/pub-other.pem +++ b/tests/sslcerts/pub-other.pem @@ -1,11 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV -BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw -MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0 -MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL -ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo -K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN -y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6 -bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig= +MIIDNTCCAh2gAwIBAgIJAMXBgtbkFDfwMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2 +MDcxMzA0MTcyOFoXDTQxMDMwNDA0MTcyOFowMTESMBAGA1UEAwwJbG9jYWxob3N0 +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6 +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47 +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDLxD+Q90Ue +zrkmq964pzl+9zd0Y1ODSBnwaZfJxaoyFwRpYva1GYyz2CnJZEDjh8nUbo/jmEU1 +9D91YT8e3plgcpsuxp0YhCUJbTz56k2OOq/MyrX+KgrC2VAdGbhr/C3hNkGKBzdu ++8p+z3jBUkiQFRb8xc485v1zkOX1lPN3tSAEOcja/lslmHV1UQhEYI/Ne2z/i/rQ +uVtC28dTHoPnJykIhXBwgxuAL3G3eFpCRemHOyTlzNDQQxkgMNAYenutWpYXjM2Z +paplLANjV+X91wyAXZ1XZ+5m7yLA7463MwOPU3Ko+HcyKKjPO+wJwVJbEpXr3rPR +getT2CfPFLMe -----END CERTIFICATE----- diff --git a/tests/sslcerts/pub.pem b/tests/sslcerts/pub.pem --- a/tests/sslcerts/pub.pem +++ b/tests/sslcerts/pub.pem @@ -1,11 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV -BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw -MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0 -MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL -ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX -6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm -r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl -t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c= +MIIDNTCCAh2gAwIBAgIJAJ12yUL2zGhzMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2 +MDcxMzA0MTcxMloXDTQxMDMwNDA0MTcxMlowMTESMBAGA1UEAwwJbG9jYWxob3N0 +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6 +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47 +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCzJhM/OBoS +JXnjfLhZqi6hTmx1XC7MR05z4fWdyBhZx8PwSDEjxAj/omAm2RMEx/Fv1a7FO6hd +ClYsxxSfWJO7NQ3V4YLn9AvNr5gcxuXV/4bTtEFNebuzhV06u5nH7pGbHbkxCI+u +QekmRTvKIojr8F44cyszEk+MZQ5bFBElByjVzgXNvAaDP0ryUL5eQhLrkuwbNFLQ +mFf7EaerMuM28x1knhiH/39s7t92CJgm9+D60TmJ4XXwue1gZ0v9MVS18iOuWyio +BklppJsdtDLxHTHGNlBeHdam5VejbXRo7s0y5OfuATwlgcaCMYC/68hVJYwl/GZ7 +3YpdNpMshSaE -----END CERTIFICATE----- diff --git a/tests/test-https.t b/tests/test-https.t --- a/tests/test-https.t +++ b/tests/test-https.t @@ -72,7 +72,7 @@ we are able to load CA certs. $ hg clone https://localhost:$HGPORT/ copy-pull (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) abort: localhost certificate error: no certificate received - (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) + (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) [255] #endif @@ -87,7 +87,7 @@ we are able to load CA certs. $ hg clone https://localhost:$HGPORT/ copy-pull (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) abort: localhost certificate error: no certificate received - (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) + (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) [255] #endif @@ -146,7 +146,7 @@ A per-host certificate with multiple cer Defining both per-host certificate and a fingerprint will print a warning - $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning + $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) requesting all changes adding changesets @@ -160,7 +160,7 @@ Inability to verify peer certificate wil $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect - (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server) + (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) [255] $ hg clone --insecure https://localhost:$HGPORT/ copy-pull @@ -192,7 +192,7 @@ pull without cacert $ hg pull $DISABLECACERTS pulling from https://localhost:$HGPORT/ abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect - (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server) + (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) [255] $ hg pull --insecure @@ -256,7 +256,7 @@ cacert mismatch > https://127.0.0.1:$HGPORT/ pulling from https://127.0.0.1:$HGPORT/ (glob) abort: 127.0.0.1 certificate error: certificate is for localhost (glob) - (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) + (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob) [255] $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ > https://127.0.0.1:$HGPORT/ --insecure @@ -298,51 +298,51 @@ Test server cert which no longer is vali Fingerprints - works without cacerts (hostkeyfingerprints) - $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca + $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 5fed3813f7f5 - works without cacerts (hostsecurity) - $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca + $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 5fed3813f7f5 - $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 + $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e 5fed3813f7f5 - multiple fingerprints specified and first matches - $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure + $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure 5fed3813f7f5 - $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ + $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ 5fed3813f7f5 - multiple fingerprints specified and last matches - $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure + $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure 5fed3813f7f5 - $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ + $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ 5fed3813f7f5 - multiple fingerprints specified and none match $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure - abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca + abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 (check hostfingerprint configuration) [255] $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ - abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca + abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 (check hostsecurity configuration) [255] - fails when cert doesn't match hostname (port is ignored) - $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca - abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b + $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 + abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 (check hostfingerprint configuration) [255] - ignores that certificate doesn't match hostname - $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca + $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 5fed3813f7f5 HGPORT1 is reused below for tinyproxy tests. Kill that server. @@ -374,7 +374,7 @@ Test https with cacert and fingerprint t pulling from https://localhost:$HGPORT/ searching for changes no changes found - $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca + $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 pulling from https://127.0.0.1:$HGPORT/ (glob) searching for changes no changes found diff --git a/tests/test-patchbomb-tls.t b/tests/test-patchbomb-tls.t --- a/tests/test-patchbomb-tls.t +++ b/tests/test-patchbomb-tls.t @@ -97,7 +97,7 @@ Without certificates: sending mail: smtp host localhost, port * (glob) (verifying remote certificate) abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect - (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server) + (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) [255] With global certificates: