upstream/mercurial-mirror Commit - r24289:07fafcd4

test-https: enable dummycert test only if Apple python is used (issue4500)...

Yuya Nishihara -

r24289:07fafcd4 default

parent child

tests/hghave.py

0 +5 0

             import os, stat
             import re
             import socket
             import sys
             import tempfile
             tempprefix = 'hg-hghave-'
             checks = {
                 "true": (lambda: True, "yak shaving"),
                 "false": (lambda: False, "nail clipper"),
             }
             def check(name, desc):
                 def decorator(func):
                     checks[name] = (func, desc)
                     return func
                 return decorator
             def matchoutput(cmd, regexp, ignorestatus=False):
                 """Return True if cmd executes successfully and its output
                 is matched by the supplied regular expression.
                 """
                 r = re.compile(regexp)
                 fh = os.popen(cmd)
                 s = fh.read()
                 try:
                     ret = fh.close()
                 except IOError:
                     # Happen in Windows test environment
                     ret = 1
                 return (ignorestatus or ret is None) and r.search(s)
             @check("baz", "GNU Arch baz client")
             def has_baz():
                 return matchoutput('baz --version 2>&1', r'baz Bazaar version')
             @check("bzr", "Canonical's Bazaar client")
             def has_bzr():
                 try:
                     import bzrlib
                     return bzrlib.__doc__ is not None
                 except ImportError:
                     return False
             @check("bzr114", "Canonical's Bazaar client >= 1.14")
             def has_bzr114():
                 try:
                     import bzrlib
                     return (bzrlib.__doc__ is not None
                             and bzrlib.version_info[:2] >= (1, 14))
                 except ImportError:
                     return False
             @check("cvs", "cvs client/server")
             def has_cvs():
                 re = r'Concurrent Versions System.*?server'
                 return matchoutput('cvs --version 2>&1', re) and not has_msys()
             @check("cvs112", "cvs client/server >= 1.12")
             def has_cvs112():
                 re = r'Concurrent Versions System \(CVS\) 1.12.*?server'
                 return matchoutput('cvs --version 2>&1', re) and not has_msys()
             @check("darcs", "darcs client")
             def has_darcs():
                 return matchoutput('darcs --version', r'2\.[2-9]', True)
             @check("mtn", "monotone client (>= 1.0)")
             def has_mtn():
                 return matchoutput('mtn --version', r'monotone', True) and not matchoutput(
                     'mtn --version', r'monotone 0\.', True)
             @check("eol-in-paths", "end-of-lines in paths")
             def has_eol_in_paths():
                 try:
                     fd, path = tempfile.mkstemp(dir='.', prefix=tempprefix, suffix='\n\r')
                     os.close(fd)
                     os.remove(path)
                     return True
                 except (IOError, OSError):
                     return False
             @check("execbit", "executable bit")
             def has_executablebit():
                 try:
                     EXECFLAGS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
                     fh, fn = tempfile.mkstemp(dir='.', prefix=tempprefix)
                     try:
                         os.close(fh)
                         m = os.stat(fn).st_mode & 0777
                         new_file_has_exec = m & EXECFLAGS
                         os.chmod(fn, m ^ EXECFLAGS)
                         exec_flags_cannot_flip = ((os.stat(fn).st_mode & 0777) == m)
                     finally:
                         os.unlink(fn)
                 except (IOError, OSError):
                     # we don't care, the user probably won't be able to commit anyway
                     return False
                 return not (new_file_has_exec or exec_flags_cannot_flip)
             @check("icasefs", "case insensitive file system")
             def has_icasefs():
                 # Stolen from mercurial.util
                 fd, path = tempfile.mkstemp(dir='.', prefix=tempprefix)
                 os.close(fd)
                 try:
                     s1 = os.stat(path)
                     d, b = os.path.split(path)
                     p2 = os.path.join(d, b.upper())
                     if path == p2:
                         p2 = os.path.join(d, b.lower())
                     try:
                         s2 = os.stat(p2)
                         return s2 == s1
                     except OSError:
                         return False
                 finally:
                     os.remove(path)
             @check("fifo", "named pipes")
             def has_fifo():
                 if getattr(os, "mkfifo", None) is None:
                     return False
                 name = tempfile.mktemp(dir='.', prefix=tempprefix)
                 try:
                     os.mkfifo(name)
                     os.unlink(name)
                     return True
                 except OSError:
                     return False
             @check("killdaemons", 'killdaemons.py support')
             def has_killdaemons():
                 return True
             @check("cacheable", "cacheable filesystem")
             def has_cacheable_fs():
                 from mercurial import util
                 fd, path = tempfile.mkstemp(dir='.', prefix=tempprefix)
                 os.close(fd)
                 try:
                     return util.cachestat(path).cacheable()
                 finally:
                     os.remove(path)
             @check("lsprof", "python lsprof module")
             def has_lsprof():
                 try:
                     import _lsprof
                     _lsprof.Profiler # silence unused import warning
                     return True
                 except ImportError:
                     return False
             @check("gettext", "GNU Gettext (msgfmt)")
             def has_gettext():
                 return matchoutput('msgfmt --version', 'GNU gettext-tools')
             @check("git", "git command line client")
             def has_git():
                 return matchoutput('git --version 2>&1', r'^git version')
             @check("docutils", "Docutils text processing library")
             def has_docutils():
                 try:
                     from docutils.core import publish_cmdline
                     publish_cmdline # silence unused import
                     return True
                 except ImportError:
                     return False
             def getsvnversion():
                 m = matchoutput('svn --version --quiet 2>&1', r'^(\d+)\.(\d+)')
                 if not m:
                     return (0, 0)
                 return (int(m.group(1)), int(m.group(2)))
             @check("svn15", "subversion client and admin tools >= 1.5")
             def has_svn15():
                 return getsvnversion() >= (1, 5)
             @check("svn13", "subversion client and admin tools >= 1.3")
             def has_svn13():
                 return getsvnversion() >= (1, 3)
             @check("svn", "subversion client and admin tools")
             def has_svn():
                 return matchoutput('svn --version 2>&1', r'^svn, version') and \
                     matchoutput('svnadmin --version 2>&1', r'^svnadmin, version')
             @check("svn-bindings", "subversion python bindings")
             def has_svn_bindings():
                 try:
                     import svn.core
                     version = svn.core.SVN_VER_MAJOR, svn.core.SVN_VER_MINOR
                     if version < (1, 4):
                         return False
                     return True
                 except ImportError:
                     return False
             @check("p4", "Perforce server and client")
             def has_p4():
                 return (matchoutput('p4 -V', r'Rev\. P4/') and
                         matchoutput('p4d -V', r'Rev\. P4D/'))
             @check("symlink", "symbolic links")
             def has_symlink():
                 if getattr(os, "symlink", None) is None:
                     return False
                 name = tempfile.mktemp(dir='.', prefix=tempprefix)
                 try:
                     os.symlink(".", name)
                     os.unlink(name)
                     return True
                 except (OSError, AttributeError):
                     return False
             @check("hardlink", "hardlinks")
             def has_hardlink():
                 from mercurial import util
                 fh, fn = tempfile.mkstemp(dir='.', prefix=tempprefix)
                 os.close(fh)
                 name = tempfile.mktemp(dir='.', prefix=tempprefix)
                 try:
                     try:
                         util.oslink(fn, name)
                         os.unlink(name)
                         return True
                     except OSError:
                         return False
                 finally:
                     os.unlink(fn)
             @check("tla", "GNU Arch tla client")
             def has_tla():
                 return matchoutput('tla --version 2>&1', r'The GNU Arch Revision')
             @check("gpg", "gpg client")
             def has_gpg():
                 return matchoutput('gpg --version 2>&1', r'GnuPG')
             @check("unix-permissions", "unix-style permissions")
             def has_unix_permissions():
                 d = tempfile.mkdtemp(dir='.', prefix=tempprefix)
                 try:
                     fname = os.path.join(d, 'foo')
                     for umask in (077, 007, 022):
                         os.umask(umask)
                         f = open(fname, 'w')
                         f.close()
                         mode = os.stat(fname).st_mode
                         os.unlink(fname)
                         if mode & 0777 != ~umask & 0666:
                             return False
                     return True
                 finally:
                     os.rmdir(d)
             @check("unix-socket", "AF_UNIX socket family")
             def has_unix_socket():
                 return getattr(socket, 'AF_UNIX', None) is not None
             @check("root", "root permissions")
             def has_root():
                 return getattr(os, 'geteuid', None) and os.geteuid() == 0
             @check("pyflakes", "Pyflakes python linter")
             def has_pyflakes():
                 return matchoutput("sh -c \"echo 'import re' 2>&1 | pyflakes\"",
                                    r"<stdin>:1: 're' imported but unused",
                                    True)
             @check("pygments", "Pygments source highlighting library")
             def has_pygments():
                 try:
                     import pygments
                     pygments.highlight # silence unused import warning
                     return True
                 except ImportError:
                     return False
             @check("python243", "python >= 2.4.3")
             def has_python243():
                 return sys.version_info >= (2, 4, 3)
             @check("json", "some json module available")
             def has_json():
                 try:
                     import json
                     json.dumps
                     return True
                 except ImportError:
                     try:
                         import simplejson as json
                         json.dumps
                         return True
                     except ImportError:
                         pass
                 return False
             @check("outer-repo", "outer repo")
             def has_outer_repo():
                 # failing for other reasons than 'no repo' imply that there is a repo
                 return not matchoutput('hg root 2>&1',
                                        r'abort: no repository found', True)
             @check("ssl", ("(python >= 2.6 ssl module and python OpenSSL) "
                            "OR python >= 2.7.9 ssl"))
             def has_ssl():
                 try:
                     import ssl
                     if getattr(ssl, 'create_default_context', False):
                         return True
                     import OpenSSL
                     OpenSSL.SSL.Context
                     return True
                 except ImportError:
                     return False
+            @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
+            def has_defaultcacerts():
+                from mercurial import sslutil
+                return sslutil._defaultcacerts()
             @check("windows", "Windows")
             def has_windows():
                 return os.name == 'nt'
             @check("system-sh", "system() uses sh")
             def has_system_sh():
                 return os.name != 'nt'
             @check("serve", "platform and python can manage 'hg serve -d'")
             def has_serve():
                 return os.name != 'nt' # gross approximation
             @check("test-repo", "running tests from repository")
             def has_test_repo():
                 t = os.environ["TESTDIR"]
                 return os.path.isdir(os.path.join(t, "..", ".hg"))
             @check("tic", "terminfo compiler and curses module")
             def has_tic():
                 try:
                     import curses
                     curses.COLOR_BLUE
                     return matchoutput('test -x "`which tic`"', '')
                 except ImportError:
                     return False
             @check("msys", "Windows with MSYS")
             def has_msys():
                 return os.getenv('MSYSTEM')
             @check("aix", "AIX")
             def has_aix():
                 return sys.platform.startswith("aix")
             @check("osx", "OS X")
             def has_osx():
                 return sys.platform == 'darwin'
             @check("absimport", "absolute_import in __future__")
             def has_absimport():
                 import __future__
                 from mercurial import util
                 return util.safehasattr(__future__, "absolute_import")
             @check("py3k", "running with Python 3.x")
             def has_py3k():
                 return 3 == sys.version_info[0]

tests/test-https.t

0 +1 -1

             #require serve ssl
             Proper https client requires the built-in ssl from Python 2.6.
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
             #if windows
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT':
               [255]
             #else
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
             #endif
               $ cd ..
             OS X has a dummy CA cert that enables use of the system CA store when using
             Apple's OpenSSL. This trick do not work with plain OpenSSL.
               $ DISABLEOSXDUMMYCERT=
-            #if osx
+            #if defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               abort: error: *certificate verify failed* (glob)
               [255]
               $ DISABLEOSXDUMMYCERT="--config=web.cacerts="
             #endif
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc
               $ hg pull $DISABLEOSXDUMMYCERT
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P=`pwd` hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P=`pwd` hg -R copy-pull pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
               pulling from https://127.0.0.1:$HGPORT/
               warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               pulling from https://localhost:$HGPORT1/
               abort: error: *certificate verify failed* (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
             Fingerprints
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
               $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
             - works without cacerts
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
 fed3813f7f5
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/
               abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
               (check hostfingerprint configuration)
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
 fed3813f7f5
             HGPORT1 is reused below for tinyproxy tests. Kill that server.
               $ "$TESTDIR/killdaemons.py" hg1.pid
             Prepare for connecting through proxy
               $ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
               $ while [ ! -f proxy.pid ]; do sleep 0; done
               $ cat proxy.pid >> $DAEMON_PIDS
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages