@@ -161,6 +161,16 b' def _hostsettings(ui, hostname):' | |||||
161 | if modernssl: |
|
161 | if modernssl: | |
162 | defaultprotocol = 'tls1.1' |
|
162 | defaultprotocol = 'tls1.1' | |
163 | else: |
|
163 | else: | |
|
164 | # Let people on legacy Python versions know they are borderline | |||
|
165 | # secure. | |||
|
166 | # We don't document this config option because we want people to see | |||
|
167 | # the bold warnings on the web site. | |||
|
168 | # internal config: hostsecurity.disabletls10warning | |||
|
169 | if not ui.configbool('hostsecurity', 'disabletls10warning'): | |||
|
170 | ui.warn(_('warning: connecting to %s using legacy security ' | |||
|
171 | 'technology (TLS 1.0); see ' | |||
|
172 | 'https://mercurial-scm.org/wiki/SecureConnections for ' | |||
|
173 | 'more info\n') % hostname) | |||
164 | defaultprotocol = 'tls1.0' |
|
174 | defaultprotocol = 'tls1.0' | |
165 |
|
175 | |||
166 | key = 'minimumprotocol' |
|
176 | key = 'minimumprotocol' |
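Review bot: The `ui.warn` added in the `else:` branch fires while host settings are being resolved, not when a TLS session is set up, so its "connecting to %s" wording can appear ahead of pure configuration failures; the updated test expectations on this page show it preceding `abort: could not find web.cacerts` and the missing-`verifycertsfile` abort, which look like they happen before any handshake. Consider emitting it where the socket is actually wrapped, or rewording it to describe the client's TLS capability rather than a connection. Separately, `hostsecurity.disabletls10warning` is read without a host qualifier, so a single setting silences the warning for every host; the comment should say so, e.g. `# internal config: hostsecurity.disabletls10warning (global; silences the warning for all hosts)`. `_hostsettings` continues outside this hunk, so how `minimumprotocol` is applied afterwards is not visible here.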
@@ -28,6 +28,7 b' Make server certificates:' | |||||
28 | cacert not found |
|
28 | cacert not found | |
29 |
|
29 | |||
30 | $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
|
30 | $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ | |
|
31 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
31 | abort: could not find web.cacerts: no-such.pem |
|
32 | abort: could not find web.cacerts: no-such.pem | |
32 | [255] |
|
33 | [255] | |
33 |
|
34 | |||
@@ -56,6 +57,7 b' we are able to load CA certs.' | |||||
56 |
|
57 | |||
57 | #if no-sslcontext defaultcacerts |
|
58 | #if no-sslcontext defaultcacerts | |
58 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
59 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
|
60 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
59 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
|
61 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | |
60 | abort: error: *certificate verify failed* (glob) |
|
62 | abort: error: *certificate verify failed* (glob) | |
61 | [255] |
|
63 | [255] | |
@@ -63,6 +65,7 b' we are able to load CA certs.' | |||||
63 |
|
65 | |||
64 | #if no-sslcontext windows |
|
66 | #if no-sslcontext windows | |
65 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
67 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
|
68 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | |||
66 | (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
|
69 | (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) | |
67 | abort: error: *certificate verify failed* (glob) |
|
70 | abort: error: *certificate verify failed* (glob) | |
68 | [255] |
|
71 | [255] | |
@@ -70,6 +73,7 b' we are able to load CA certs.' | |||||
70 |
|
73 | |||
71 | #if no-sslcontext osx |
|
74 | #if no-sslcontext osx | |
72 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
75 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
|
76 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | |||
73 | (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
|
77 | (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) | |
74 | abort: localhost certificate error: no certificate received |
|
78 | abort: localhost certificate error: no certificate received | |
75 | (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
|
79 | (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) | |
@@ -85,6 +89,7 b' we are able to load CA certs.' | |||||
85 |
|
89 | |||
86 | #if no-defaultcacerts |
|
90 | #if no-defaultcacerts | |
87 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
91 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
|
92 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
88 | (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
|
93 | (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | |
89 | abort: localhost certificate error: no certificate received |
|
94 | abort: localhost certificate error: no certificate received | |
90 | (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
|
95 | (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) | |
@@ -94,6 +99,7 b' we are able to load CA certs.' | |||||
94 | Specifying a per-host certificate file that doesn't exist will abort |
|
99 | Specifying a per-host certificate file that doesn't exist will abort | |
95 |
|
100 | |||
96 | $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
|
101 | $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ | |
|
102 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
97 | abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist |
|
103 | abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist | |
98 | [255] |
|
104 | [255] | |
99 |
|
105 | |||
@@ -107,6 +113,7 b' A malformed per-host certificate file wi' | |||||
107 | [255] |
|
113 | [255] | |
108 | #else |
|
114 | #else | |
109 | $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
|
115 | $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ | |
|
116 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
110 | abort: error: * (glob) |
|
117 | abort: error: * (glob) | |
111 | [255] |
|
118 | [255] | |
112 | #endif |
|
119 | #endif | |
@@ -121,6 +128,7 b' A per-host certificate mismatching the s' | |||||
121 | [255] |
|
128 | [255] | |
122 | #else |
|
129 | #else | |
123 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
|
130 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ | |
|
131 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
124 | abort: error: *certificate verify failed* (glob) |
|
132 | abort: error: *certificate verify failed* (glob) | |
125 | [255] |
|
133 | [255] | |
126 | #endif |
|
134 | #endif | |
@@ -128,6 +136,7 b' A per-host certificate mismatching the s' | |||||
128 | A per-host certificate matching the server's cert will be accepted |
|
136 | A per-host certificate matching the server's cert will be accepted | |
129 |
|
137 | |||
130 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
|
138 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 | |
|
139 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
131 | requesting all changes |
|
140 | requesting all changes | |
132 | adding changesets |
|
141 | adding changesets | |
133 | adding manifests |
|
142 | adding manifests | |
@@ -138,6 +147,7 b' A per-host certificate with multiple cer' | |||||
138 |
|
147 | |||
139 | $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
|
148 | $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem | |
140 | $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
|
149 | $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 | |
|
150 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
141 | requesting all changes |
|
151 | requesting all changes | |
142 | adding changesets |
|
152 | adding changesets | |
143 | adding manifests |
|
153 | adding manifests | |
@@ -147,6 +157,7 b' A per-host certificate with multiple cer' | |||||
147 | Defining both per-host certificate and a fingerprint will print a warning |
|
157 | Defining both per-host certificate and a fingerprint will print a warning | |
148 |
|
158 | |||
149 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning |
|
159 | $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning | |
|
160 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
150 | (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
|
161 | (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) | |
151 | requesting all changes |
|
162 | requesting all changes | |
152 | adding changesets |
|
163 | adding changesets | |
@@ -159,11 +170,13 b' Defining both per-host certificate and a' | |||||
159 | Inability to verify peer certificate will result in abort |
|
170 | Inability to verify peer certificate will result in abort | |
160 |
|
171 | |||
161 | $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
|
172 | $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS | |
|
173 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
162 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
174 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect | |
163 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
|
175 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) | |
164 | [255] |
|
176 | [255] | |
165 |
|
177 | |||
166 | $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
|
178 | $ hg clone --insecure https://localhost:$HGPORT/ copy-pull | |
|
179 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
167 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
180 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
168 | requesting all changes |
|
181 | requesting all changes | |
169 | adding changesets |
|
182 | adding changesets | |
@@ -191,12 +204,14 b' pull without cacert' | |||||
191 | $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc |
|
204 | $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc | |
192 | $ hg pull $DISABLECACERTS |
|
205 | $ hg pull $DISABLECACERTS | |
193 | pulling from https://localhost:$HGPORT/ |
|
206 | pulling from https://localhost:$HGPORT/ | |
|
207 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
194 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
208 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect | |
195 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
|
209 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) | |
196 | [255] |
|
210 | [255] | |
197 |
|
211 | |||
198 | $ hg pull --insecure |
|
212 | $ hg pull --insecure | |
199 | pulling from https://localhost:$HGPORT/ |
|
213 | pulling from https://localhost:$HGPORT/ | |
|
214 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
200 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
215 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
201 | searching for changes |
|
216 | searching for changes | |
202 | adding changesets |
|
217 | adding changesets | |
@@ -214,6 +229,7 b' cacert configured in local repo' | |||||
214 | $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
|
229 | $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc | |
215 | $ hg -R copy-pull pull --traceback |
|
230 | $ hg -R copy-pull pull --traceback | |
216 | pulling from https://localhost:$HGPORT/ |
|
231 | pulling from https://localhost:$HGPORT/ | |
|
232 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
217 | searching for changes |
|
233 | searching for changes | |
218 | no changes found |
|
234 | no changes found | |
219 | $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
|
235 | $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc | |
@@ -225,10 +241,12 b' variables in the filename' | |||||
225 | $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
|
241 | $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH | |
226 | $ P="$CERTSDIR" hg -R copy-pull pull |
|
242 | $ P="$CERTSDIR" hg -R copy-pull pull | |
227 | pulling from https://localhost:$HGPORT/ |
|
243 | pulling from https://localhost:$HGPORT/ | |
|
244 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
228 | searching for changes |
|
245 | searching for changes | |
229 | no changes found |
|
246 | no changes found | |
230 | $ P="$CERTSDIR" hg -R copy-pull pull --insecure |
|
247 | $ P="$CERTSDIR" hg -R copy-pull pull --insecure | |
231 | pulling from https://localhost:$HGPORT/ |
|
248 | pulling from https://localhost:$HGPORT/ | |
|
249 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
232 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
250 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
233 | searching for changes |
|
251 | searching for changes | |
234 | no changes found |
|
252 | no changes found | |
@@ -246,6 +264,7 b' empty cacert file' | |||||
246 | #else |
|
264 | #else | |
247 | $ hg --config web.cacerts=emptycafile -R copy-pull pull |
|
265 | $ hg --config web.cacerts=emptycafile -R copy-pull pull | |
248 | pulling from https://localhost:$HGPORT/ |
|
266 | pulling from https://localhost:$HGPORT/ | |
|
267 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
249 | abort: error: * (glob) |
|
268 | abort: error: * (glob) | |
250 | [255] |
|
269 | [255] | |
251 | #endif |
|
270 | #endif | |
@@ -255,22 +274,26 b' cacert mismatch' | |||||
255 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
|
274 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ | |
256 | > https://127.0.0.1:$HGPORT/ |
|
275 | > https://127.0.0.1:$HGPORT/ | |
257 | pulling from https://127.0.0.1:$HGPORT/ (glob) |
|
276 | pulling from https://127.0.0.1:$HGPORT/ (glob) | |
|
277 | warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
258 | abort: 127.0.0.1 certificate error: certificate is for localhost (glob) |
|
278 | abort: 127.0.0.1 certificate error: certificate is for localhost (glob) | |
259 | (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob) |
|
279 | (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob) | |
260 | [255] |
|
280 | [255] | |
261 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
|
281 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ | |
262 | > https://127.0.0.1:$HGPORT/ --insecure |
|
282 | > https://127.0.0.1:$HGPORT/ --insecure | |
263 | pulling from https://127.0.0.1:$HGPORT/ (glob) |
|
283 | pulling from https://127.0.0.1:$HGPORT/ (glob) | |
|
284 | warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
264 | warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
|
285 | warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) | |
265 | searching for changes |
|
286 | searching for changes | |
266 | no changes found |
|
287 | no changes found | |
267 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
288 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" | |
268 | pulling from https://localhost:$HGPORT/ |
|
289 | pulling from https://localhost:$HGPORT/ | |
|
290 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
269 | abort: error: *certificate verify failed* (glob) |
|
291 | abort: error: *certificate verify failed* (glob) | |
270 | [255] |
|
292 | [255] | |
271 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
|
293 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ | |
272 | > --insecure |
|
294 | > --insecure | |
273 | pulling from https://localhost:$HGPORT/ |
|
295 | pulling from https://localhost:$HGPORT/ | |
|
296 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
274 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
297 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
275 | searching for changes |
|
298 | searching for changes | |
276 | no changes found |
|
299 | no changes found | |
@@ -282,6 +305,7 b" Test server cert which isn't valid yet" | |||||
282 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
|
305 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ | |
283 | > https://localhost:$HGPORT1/ |
|
306 | > https://localhost:$HGPORT1/ | |
284 | pulling from https://localhost:$HGPORT1/ |
|
307 | pulling from https://localhost:$HGPORT1/ | |
|
308 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
285 | abort: error: *certificate verify failed* (glob) |
|
309 | abort: error: *certificate verify failed* (glob) | |
286 | [255] |
|
310 | [255] | |
287 |
|
311 | |||
@@ -292,50 +316,67 b' Test server cert which no longer is vali' | |||||
292 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
|
316 | $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ | |
293 | > https://localhost:$HGPORT2/ |
|
317 | > https://localhost:$HGPORT2/ | |
294 | pulling from https://localhost:$HGPORT2/ |
|
318 | pulling from https://localhost:$HGPORT2/ | |
|
319 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
295 | abort: error: *certificate verify failed* (glob) |
|
320 | abort: error: *certificate verify failed* (glob) | |
296 | [255] |
|
321 | [255] | |
297 |
|
322 | |||
|
323 | Disabling the TLS 1.0 warning works | |||
|
324 | $ hg -R copy-pull id https://localhost:$HGPORT/ \ | |||
|
325 | > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \ | |||
|
326 | > --config hostsecurity.disabletls10warning=true | |||
|
327 | 5fed3813f7f5 | |||
|
328 | ||||
298 | Fingerprints |
|
329 | Fingerprints | |
299 |
|
330 | |||
300 | - works without cacerts (hostkeyfingerprints) |
|
331 | - works without cacerts (hostkeyfingerprints) | |
301 | $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
|
332 | $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | |
|
333 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
302 | 5fed3813f7f5 |
|
334 | 5fed3813f7f5 | |
303 |
|
335 | |||
304 | - works without cacerts (hostsecurity) |
|
336 | - works without cacerts (hostsecurity) | |
305 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
|
337 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | |
|
338 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
306 | 5fed3813f7f5 |
|
339 | 5fed3813f7f5 | |
307 |
|
340 | |||
308 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e |
|
341 | $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e | |
|
342 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
309 | 5fed3813f7f5 |
|
343 | 5fed3813f7f5 | |
310 |
|
344 | |||
311 | - multiple fingerprints specified and first matches |
|
345 | - multiple fingerprints specified and first matches | |
312 | $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
346 | $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | |
|
347 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
313 | 5fed3813f7f5 |
|
348 | 5fed3813f7f5 | |
314 |
|
349 | |||
315 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
|
350 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |
|
351 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
316 | 5fed3813f7f5 |
|
352 | 5fed3813f7f5 | |
317 |
|
353 | |||
318 | - multiple fingerprints specified and last matches |
|
354 | - multiple fingerprints specified and last matches | |
319 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
355 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure | |
|
356 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
320 | 5fed3813f7f5 |
|
357 | 5fed3813f7f5 | |
321 |
|
358 | |||
322 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ |
|
359 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ | |
|
360 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
323 | 5fed3813f7f5 |
|
361 | 5fed3813f7f5 | |
324 |
|
362 | |||
325 | - multiple fingerprints specified and none match |
|
363 | - multiple fingerprints specified and none match | |
326 |
|
364 | |||
327 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
365 | $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | |
|
366 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
328 | abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
|
367 | abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | |
329 | (check hostfingerprint configuration) |
|
368 | (check hostfingerprint configuration) | |
330 | [255] |
|
369 | [255] | |
331 |
|
370 | |||
332 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
|
371 | $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |
|
372 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
333 | abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
|
373 | abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | |
334 | (check hostsecurity configuration) |
|
374 | (check hostsecurity configuration) | |
335 | [255] |
|
375 | [255] | |
336 |
|
376 | |||
337 | - fails when cert doesn't match hostname (port is ignored) |
|
377 | - fails when cert doesn't match hostname (port is ignored) | |
338 | $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
|
378 | $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | |
|
379 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
339 | abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
|
380 | abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 | |
340 | (check hostfingerprint configuration) |
|
381 | (check hostfingerprint configuration) | |
341 | [255] |
|
382 | [255] | |
@@ -343,6 +384,7 b' Fingerprints' | |||||
343 |
|
384 | |||
344 | - ignores that certificate doesn't match hostname |
|
385 | - ignores that certificate doesn't match hostname | |
345 | $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
|
386 | $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | |
|
387 | warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
346 | 5fed3813f7f5 |
|
388 | 5fed3813f7f5 | |
347 |
|
389 | |||
348 | Ports used by next test. Kill servers. |
|
390 | Ports used by next test. Kill servers. | |
@@ -436,6 +478,7 b' Test unvalidated https through proxy' | |||||
436 |
|
478 | |||
437 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback |
|
479 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback | |
438 | pulling from https://localhost:$HGPORT/ |
|
480 | pulling from https://localhost:$HGPORT/ | |
|
481 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
439 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
482 | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | |
440 | searching for changes |
|
483 | searching for changes | |
441 | no changes found |
|
484 | no changes found | |
@@ -445,10 +488,12 b' Test https with cacert and fingerprint t' | |||||
445 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
488 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ | |
446 | > --config web.cacerts="$CERTSDIR/pub.pem" |
|
489 | > --config web.cacerts="$CERTSDIR/pub.pem" | |
447 | pulling from https://localhost:$HGPORT/ |
|
490 | pulling from https://localhost:$HGPORT/ | |
|
491 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
448 | searching for changes |
|
492 | searching for changes | |
449 | no changes found |
|
493 | no changes found | |
450 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
|
494 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | |
451 | pulling from https://127.0.0.1:$HGPORT/ (glob) |
|
495 | pulling from https://127.0.0.1:$HGPORT/ (glob) | |
|
496 | warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
452 | searching for changes |
|
497 | searching for changes | |
453 | no changes found |
|
498 | no changes found | |
454 |
|
499 | |||
@@ -457,11 +502,13 b' Test https with cert problems through pr' | |||||
457 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
502 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ | |
458 | > --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
503 | > --config web.cacerts="$CERTSDIR/pub-other.pem" | |
459 | pulling from https://localhost:$HGPORT/ |
|
504 | pulling from https://localhost:$HGPORT/ | |
|
505 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
460 | abort: error: *certificate verify failed* (glob) |
|
506 | abort: error: *certificate verify failed* (glob) | |
461 | [255] |
|
507 | [255] | |
462 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
508 | $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ | |
463 | > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
|
509 | > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ | |
464 | pulling from https://localhost:$HGPORT2/ |
|
510 | pulling from https://localhost:$HGPORT2/ | |
|
511 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
465 | abort: error: *certificate verify failed* (glob) |
|
512 | abort: error: *certificate verify failed* (glob) | |
466 | [255] |
|
513 | [255] | |
467 |
|
514 |
@@ -58,6 +58,7 b' we are able to load CA certs:' | |||||
58 | this patch series consists of 1 patches. |
|
58 | this patch series consists of 1 patches. | |
59 |
|
59 | |||
60 |
|
60 | |||
|
61 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info | |||
61 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
|
62 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | |
62 | (?i)abort: .*?certificate.verify.failed.* (re) |
|
63 | (?i)abort: .*?certificate.verify.failed.* (re) | |
63 | [255] |
|
64 | [255] | |
@@ -95,6 +96,7 b' Without certificates:' | |||||
95 |
|
96 | |||
96 | (using smtps) |
|
97 | (using smtps) | |
97 | sending mail: smtp host localhost, port * (glob) |
|
98 | sending mail: smtp host localhost, port * (glob) | |
|
99 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
98 | (verifying remote certificate) |
|
100 | (verifying remote certificate) | |
99 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
101 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect | |
100 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
|
102 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) | |
@@ -108,6 +110,7 b' With global certificates:' | |||||
108 |
|
110 | |||
109 | (using smtps) |
|
111 | (using smtps) | |
110 | sending mail: smtp host localhost, port * (glob) |
|
112 | sending mail: smtp host localhost, port * (glob) | |
|
113 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
111 | (verifying remote certificate) |
|
114 | (verifying remote certificate) | |
112 | sending [PATCH] a ... |
|
115 | sending [PATCH] a ... | |
113 |
|
116 | |||
@@ -117,6 +120,7 b' With invalid certificates:' | |||||
117 | this patch series consists of 1 patches. |
|
120 | this patch series consists of 1 patches. | |
118 |
|
121 | |||
119 |
|
122 | |||
|
123 | warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |||
120 | (?i)abort: .*?certificate.verify.failed.* (re) |
|
124 | (?i)abort: .*?certificate.verify.failed.* (re) | |
121 | [255] |
|
125 | [255] | |
122 |
|
126 |
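Review bot: The expected warning added at new line 61, under "we are able to load CA certs:", is the only TLS 1.0 warning in this file section without the trailing `(?)`; the ones added at new lines 99, 113 and 123 are all marked optional. As far as the commit shows, the warning is printed only on the legacy-Python path, so a mandatory expected line would presumably fail wherever a modern SSL stack is in use. That holds unless a conditional outside the hunk already restricts this block to legacy builds. If no such guard exists, append ` (?)` to that line so it matches the rest of the file.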