test-https: add some more known failure messages of client certs (issue6030)...
Yuya Nishihara -
r42141:40651930 stable
@@ -1,672 +1,672 b''
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Disable the system configuration which may set stricter TLS requirements.
5 Disable the system configuration which may set stricter TLS requirements.
6 This test expects that legacy TLS versions are supported.
6 This test expects that legacy TLS versions are supported.
7
7
8 $ OPENSSL_CONF=
8 $ OPENSSL_CONF=
9 $ export OPENSSL_CONF
9 $ export OPENSSL_CONF
10
10
11 Make server certificates:
11 Make server certificates:
12
12
13 $ CERTSDIR="$TESTDIR/sslcerts"
13 $ CERTSDIR="$TESTDIR/sslcerts"
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
15 $ PRIV=`pwd`/server.pem
15 $ PRIV=`pwd`/server.pem
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
18
18
19 $ hg init test
19 $ hg init test
20 $ cd test
20 $ cd test
21 $ echo foo>foo
21 $ echo foo>foo
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
23 $ echo foo>foo.d/foo
23 $ echo foo>foo.d/foo
24 $ echo bar>foo.d/bAr.hg.d/BaR
24 $ echo bar>foo.d/bAr.hg.d/BaR
25 $ echo bar>foo.d/baR.d.hg/bAR
25 $ echo bar>foo.d/baR.d.hg/bAR
26 $ hg commit -A -m 1
26 $ hg commit -A -m 1
27 adding foo
27 adding foo
28 adding foo.d/bAr.hg.d/BaR
28 adding foo.d/bAr.hg.d/BaR
29 adding foo.d/baR.d.hg/bAR
29 adding foo.d/baR.d.hg/bAR
30 adding foo.d/foo
30 adding foo.d/foo
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
32 $ cat ../hg0.pid >> $DAEMON_PIDS
32 $ cat ../hg0.pid >> $DAEMON_PIDS
33
33
34 cacert not found
34 cacert not found
35
35
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
38 abort: could not find web.cacerts: no-such.pem
38 abort: could not find web.cacerts: no-such.pem
39 [255]
39 [255]
40
40
41 Test server address cannot be reused
41 Test server address cannot be reused
42
42
43 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
44 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
44 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
45 [255]
45 [255]
46
46
47 $ cd ..
47 $ cd ..
48
48
49 Our test cert is not signed by a trusted CA. It should fail to verify if
49 Our test cert is not signed by a trusted CA. It should fail to verify if
50 we are able to load CA certs.
50 we are able to load CA certs.
51
51
52 #if sslcontext defaultcacerts no-defaultcacertsloaded
52 #if sslcontext defaultcacerts no-defaultcacertsloaded
53 $ hg clone https://localhost:$HGPORT/ copy-pull
53 $ hg clone https://localhost:$HGPORT/ copy-pull
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
55 abort: error: *certificate verify failed* (glob)
55 abort: error: *certificate verify failed* (glob)
56 [255]
56 [255]
57 #endif
57 #endif
58
58
59 #if no-sslcontext defaultcacerts
59 #if no-sslcontext defaultcacerts
60 $ hg clone https://localhost:$HGPORT/ copy-pull
60 $ hg clone https://localhost:$HGPORT/ copy-pull
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
63 abort: error: *certificate verify failed* (glob)
63 abort: error: *certificate verify failed* (glob)
64 [255]
64 [255]
65 #endif
65 #endif
66
66
67 #if no-sslcontext windows
67 #if no-sslcontext windows
68 $ hg clone https://localhost:$HGPORT/ copy-pull
68 $ hg clone https://localhost:$HGPORT/ copy-pull
69 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
69 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
70 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
70 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
71 abort: error: *certificate verify failed* (glob)
71 abort: error: *certificate verify failed* (glob)
72 [255]
72 [255]
73 #endif
73 #endif
74
74
75 #if no-sslcontext osx
75 #if no-sslcontext osx
76 $ hg clone https://localhost:$HGPORT/ copy-pull
76 $ hg clone https://localhost:$HGPORT/ copy-pull
77 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
77 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
78 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
78 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
79 abort: localhost certificate error: no certificate received
79 abort: localhost certificate error: no certificate received
80 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
80 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
81 [255]
81 [255]
82 #endif
82 #endif
83
83
84 #if defaultcacertsloaded
84 #if defaultcacertsloaded
85 $ hg clone https://localhost:$HGPORT/ copy-pull
85 $ hg clone https://localhost:$HGPORT/ copy-pull
86 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
86 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
87 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
87 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
88 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
88 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
89 abort: error: *certificate verify failed* (glob)
89 abort: error: *certificate verify failed* (glob)
90 [255]
90 [255]
91 #endif
91 #endif
92
92
93 #if no-defaultcacerts
93 #if no-defaultcacerts
94 $ hg clone https://localhost:$HGPORT/ copy-pull
94 $ hg clone https://localhost:$HGPORT/ copy-pull
95 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
95 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
96 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
96 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
97 abort: localhost certificate error: no certificate received
97 abort: localhost certificate error: no certificate received
98 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
98 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
99 [255]
99 [255]
100 #endif
100 #endif
101
101
102 Specifying a per-host certificate file that doesn't exist will abort. The full
102 Specifying a per-host certificate file that doesn't exist will abort. The full
103 C:/path/to/msysroot will print on Windows.
103 C:/path/to/msysroot will print on Windows.
104
104
105 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
105 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
106 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
106 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
107 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
107 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
108 [255]
108 [255]
109
109
110 A malformed per-host certificate file will raise an error
110 A malformed per-host certificate file will raise an error
111
111
112 $ echo baddata > badca.pem
112 $ echo baddata > badca.pem
113 #if sslcontext
113 #if sslcontext
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
116 abort: error loading CA file badca.pem: * (glob)
116 abort: error loading CA file badca.pem: * (glob)
117 (file is empty or malformed?)
117 (file is empty or malformed?)
118 [255]
118 [255]
119 #else
119 #else
120 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
120 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
121 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
121 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
122 abort: error: * (glob)
122 abort: error: * (glob)
123 [255]
123 [255]
124 #endif
124 #endif
125
125
126 A per-host certificate mismatching the server will fail verification
126 A per-host certificate mismatching the server will fail verification
127
127
128 (modern ssl is able to discern whether the loaded cert is a CA cert)
128 (modern ssl is able to discern whether the loaded cert is a CA cert)
129 #if sslcontext
129 #if sslcontext
130 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
130 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
131 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
131 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
132 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
132 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
133 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
133 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
134 abort: error: *certificate verify failed* (glob)
134 abort: error: *certificate verify failed* (glob)
135 [255]
135 [255]
136 #else
136 #else
137 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
137 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
138 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
138 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
139 abort: error: *certificate verify failed* (glob)
139 abort: error: *certificate verify failed* (glob)
140 [255]
140 [255]
141 #endif
141 #endif
142
142
143 A per-host certificate matching the server's cert will be accepted
143 A per-host certificate matching the server's cert will be accepted
144
144
145 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
145 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
146 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
146 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
147 requesting all changes
147 requesting all changes
148 adding changesets
148 adding changesets
149 adding manifests
149 adding manifests
150 adding file changes
150 adding file changes
151 added 1 changesets with 4 changes to 4 files
151 added 1 changesets with 4 changes to 4 files
152 new changesets 8b6053c928fe
152 new changesets 8b6053c928fe
153
153
154 A per-host certificate with multiple certs and one matching will be accepted
154 A per-host certificate with multiple certs and one matching will be accepted
155
155
156 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
156 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
157 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
157 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
158 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
158 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
159 requesting all changes
159 requesting all changes
160 adding changesets
160 adding changesets
161 adding manifests
161 adding manifests
162 adding file changes
162 adding file changes
163 added 1 changesets with 4 changes to 4 files
163 added 1 changesets with 4 changes to 4 files
164 new changesets 8b6053c928fe
164 new changesets 8b6053c928fe
165
165
166 Defining both per-host certificate and a fingerprint will print a warning
166 Defining both per-host certificate and a fingerprint will print a warning
167
167
168 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
168 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
169 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
169 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
170 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
170 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
171 requesting all changes
171 requesting all changes
172 adding changesets
172 adding changesets
173 adding manifests
173 adding manifests
174 adding file changes
174 adding file changes
175 added 1 changesets with 4 changes to 4 files
175 added 1 changesets with 4 changes to 4 files
176 new changesets 8b6053c928fe
176 new changesets 8b6053c928fe
177
177
178 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
178 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
179
179
180 Inability to verify peer certificate will result in abort
180 Inability to verify peer certificate will result in abort
181
181
182 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
182 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
184 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
184 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
185 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
185 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
186 [255]
186 [255]
187
187
188 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
188 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
189 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
189 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
190 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
190 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
191 requesting all changes
191 requesting all changes
192 adding changesets
192 adding changesets
193 adding manifests
193 adding manifests
194 adding file changes
194 adding file changes
195 added 1 changesets with 4 changes to 4 files
195 added 1 changesets with 4 changes to 4 files
196 new changesets 8b6053c928fe
196 new changesets 8b6053c928fe
197 updating to branch default
197 updating to branch default
198 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
198 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
199 $ hg verify -R copy-pull
199 $ hg verify -R copy-pull
200 checking changesets
200 checking changesets
201 checking manifests
201 checking manifests
202 crosschecking files in changesets and manifests
202 crosschecking files in changesets and manifests
203 checking files
203 checking files
204 checked 1 changesets with 4 changes to 4 files
204 checked 1 changesets with 4 changes to 4 files
205 $ cd test
205 $ cd test
206 $ echo bar > bar
206 $ echo bar > bar
207 $ hg commit -A -d '1 0' -m 2
207 $ hg commit -A -d '1 0' -m 2
208 adding bar
208 adding bar
209 $ cd ..
209 $ cd ..
210
210
211 pull without cacert
211 pull without cacert
212
212
213 $ cd copy-pull
213 $ cd copy-pull
214 $ cat >> .hg/hgrc <<EOF
214 $ cat >> .hg/hgrc <<EOF
215 > [hooks]
215 > [hooks]
216 > changegroup = sh -c "printenv.py changegroup"
216 > changegroup = sh -c "printenv.py changegroup"
217 > EOF
217 > EOF
218 $ hg pull $DISABLECACERTS
218 $ hg pull $DISABLECACERTS
219 pulling from https://localhost:$HGPORT/
219 pulling from https://localhost:$HGPORT/
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
221 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
221 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
222 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
222 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
223 [255]
223 [255]
224
224
225 $ hg pull --insecure
225 $ hg pull --insecure
226 pulling from https://localhost:$HGPORT/
226 pulling from https://localhost:$HGPORT/
227 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
227 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
228 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
228 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
229 searching for changes
229 searching for changes
230 adding changesets
230 adding changesets
231 adding manifests
231 adding manifests
232 adding file changes
232 adding file changes
233 added 1 changesets with 1 changes to 1 files
233 added 1 changesets with 1 changes to 1 files
234 new changesets 5fed3813f7f5
234 new changesets 5fed3813f7f5
235 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
235 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
236 (run 'hg update' to get a working copy)
236 (run 'hg update' to get a working copy)
237 $ cd ..
237 $ cd ..
238
238
239 cacert configured in local repo
239 cacert configured in local repo
240
240
241 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
241 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
242 $ echo "[web]" >> copy-pull/.hg/hgrc
242 $ echo "[web]" >> copy-pull/.hg/hgrc
243 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
243 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
244 $ hg -R copy-pull pull
244 $ hg -R copy-pull pull
245 pulling from https://localhost:$HGPORT/
245 pulling from https://localhost:$HGPORT/
246 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
246 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
247 searching for changes
247 searching for changes
248 no changes found
248 no changes found
249 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
249 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
250
250
251 cacert configured globally, also testing expansion of environment
251 cacert configured globally, also testing expansion of environment
252 variables in the filename
252 variables in the filename
253
253
254 $ echo "[web]" >> $HGRCPATH
254 $ echo "[web]" >> $HGRCPATH
255 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
255 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
256 $ P="$CERTSDIR" hg -R copy-pull pull
256 $ P="$CERTSDIR" hg -R copy-pull pull
257 pulling from https://localhost:$HGPORT/
257 pulling from https://localhost:$HGPORT/
258 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
258 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
259 searching for changes
259 searching for changes
260 no changes found
260 no changes found
261 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
261 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
262 pulling from https://localhost:$HGPORT/
262 pulling from https://localhost:$HGPORT/
263 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
263 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
264 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
264 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
265 searching for changes
265 searching for changes
266 no changes found
266 no changes found
267
267
268 empty cacert file
268 empty cacert file
269
269
270 $ touch emptycafile
270 $ touch emptycafile
271
271
272 #if sslcontext
272 #if sslcontext
273 $ hg --config web.cacerts=emptycafile -R copy-pull pull
273 $ hg --config web.cacerts=emptycafile -R copy-pull pull
274 pulling from https://localhost:$HGPORT/
274 pulling from https://localhost:$HGPORT/
275 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
275 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
276 abort: error loading CA file emptycafile: * (glob)
276 abort: error loading CA file emptycafile: * (glob)
277 (file is empty or malformed?)
277 (file is empty or malformed?)
278 [255]
278 [255]
279 #else
279 #else
280 $ hg --config web.cacerts=emptycafile -R copy-pull pull
280 $ hg --config web.cacerts=emptycafile -R copy-pull pull
281 pulling from https://localhost:$HGPORT/
281 pulling from https://localhost:$HGPORT/
282 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
282 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
283 abort: error: * (glob)
283 abort: error: * (glob)
284 [255]
284 [255]
285 #endif
285 #endif
286
286
287 cacert mismatch
287 cacert mismatch
288
288
289 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
289 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
290 > https://$LOCALIP:$HGPORT/
290 > https://$LOCALIP:$HGPORT/
291 pulling from https://*:$HGPORT/ (glob)
291 pulling from https://*:$HGPORT/ (glob)
292 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
292 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
293 abort: $LOCALIP certificate error: certificate is for localhost (glob)
293 abort: $LOCALIP certificate error: certificate is for localhost (glob)
294 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
294 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
295 [255]
295 [255]
296 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
296 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
297 > https://$LOCALIP:$HGPORT/ --insecure
297 > https://$LOCALIP:$HGPORT/ --insecure
298 pulling from https://*:$HGPORT/ (glob)
298 pulling from https://*:$HGPORT/ (glob)
299 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
299 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
300 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
300 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
301 searching for changes
301 searching for changes
302 no changes found
302 no changes found
303 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
303 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
304 pulling from https://localhost:$HGPORT/
304 pulling from https://localhost:$HGPORT/
305 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
305 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
306 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
306 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
307 abort: error: *certificate verify failed* (glob)
307 abort: error: *certificate verify failed* (glob)
308 [255]
308 [255]
309 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
309 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
310 > --insecure
310 > --insecure
311 pulling from https://localhost:$HGPORT/
311 pulling from https://localhost:$HGPORT/
312 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
312 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
313 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
313 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
314 searching for changes
314 searching for changes
315 no changes found
315 no changes found
316
316
317 Test server cert which isn't valid yet
317 Test server cert which isn't valid yet
318
318
319 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
319 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
320 $ cat hg1.pid >> $DAEMON_PIDS
320 $ cat hg1.pid >> $DAEMON_PIDS
321 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
321 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
322 > https://localhost:$HGPORT1/
322 > https://localhost:$HGPORT1/
323 pulling from https://localhost:$HGPORT1/
323 pulling from https://localhost:$HGPORT1/
324 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
324 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
325 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
325 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
326 abort: error: *certificate verify failed* (glob)
326 abort: error: *certificate verify failed* (glob)
327 [255]
327 [255]
328
328
329 Test server cert which no longer is valid
329 Test server cert which no longer is valid
330
330
331 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
331 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
332 $ cat hg2.pid >> $DAEMON_PIDS
332 $ cat hg2.pid >> $DAEMON_PIDS
333 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
333 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
334 > https://localhost:$HGPORT2/
334 > https://localhost:$HGPORT2/
335 pulling from https://localhost:$HGPORT2/
335 pulling from https://localhost:$HGPORT2/
336 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
336 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
337 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
337 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
338 abort: error: *certificate verify failed* (glob)
338 abort: error: *certificate verify failed* (glob)
339 [255]
339 [255]
340
340
341 Disabling the TLS 1.0 warning works
341 Disabling the TLS 1.0 warning works
342 $ hg -R copy-pull id https://localhost:$HGPORT/ \
342 $ hg -R copy-pull id https://localhost:$HGPORT/ \
343 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
343 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
344 > --config hostsecurity.disabletls10warning=true
344 > --config hostsecurity.disabletls10warning=true
345 5fed3813f7f5
345 5fed3813f7f5
346
346
347 Error message for setting ciphers is different depending on SSLContext support
347 Error message for setting ciphers is different depending on SSLContext support
348
348
349 #if no-sslcontext
349 #if no-sslcontext
350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
352 abort: *No cipher can be selected. (glob)
352 abort: *No cipher can be selected. (glob)
353 [255]
353 [255]
354
354
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
357 5fed3813f7f5
357 5fed3813f7f5
358 #endif
358 #endif
359
359
360 #if sslcontext
360 #if sslcontext
361 Setting ciphers to an invalid value aborts
361 Setting ciphers to an invalid value aborts
362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
364 abort: could not set ciphers: No cipher can be selected.
364 abort: could not set ciphers: No cipher can be selected.
365 (change cipher string (invalid) in config)
365 (change cipher string (invalid) in config)
366 [255]
366 [255]
367
367
368 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
368 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
369 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
369 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
370 abort: could not set ciphers: No cipher can be selected.
370 abort: could not set ciphers: No cipher can be selected.
371 (change cipher string (invalid) in config)
371 (change cipher string (invalid) in config)
372 [255]
372 [255]
373
373
374 Changing the cipher string works
374 Changing the cipher string works
375
375
376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
378 5fed3813f7f5
378 5fed3813f7f5
379 #endif
379 #endif
380
380
381 Fingerprints
381 Fingerprints
382
382
383 - works without cacerts (hostfingerprints)
383 - works without cacerts (hostfingerprints)
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
387 5fed3813f7f5
387 5fed3813f7f5
388
388
389 - works without cacerts (hostsecurity)
389 - works without cacerts (hostsecurity)
390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
392 5fed3813f7f5
392 5fed3813f7f5
393
393
394 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
394 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
395 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
395 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
396 5fed3813f7f5
396 5fed3813f7f5
397
397
398 - multiple fingerprints specified and first matches
398 - multiple fingerprints specified and first matches
399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
402 5fed3813f7f5
402 5fed3813f7f5
403
403
404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
406 5fed3813f7f5
406 5fed3813f7f5
407
407
408 - multiple fingerprints specified and last matches
408 - multiple fingerprints specified and last matches
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
412 5fed3813f7f5
412 5fed3813f7f5
413
413
414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 5fed3813f7f5
416 5fed3813f7f5
417
417
418 - multiple fingerprints specified and none match
418 - multiple fingerprints specified and none match
419
419
420 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
420 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
422 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
422 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
423 (check hostfingerprint configuration)
423 (check hostfingerprint configuration)
424 [255]
424 [255]
425
425
426 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
426 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
427 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
427 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
428 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
428 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
429 (check hostsecurity configuration)
429 (check hostsecurity configuration)
430 [255]
430 [255]
431
431
432 - fails when cert doesn't match hostname (port is ignored)
432 - fails when cert doesn't match hostname (port is ignored)
433 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
433 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
434 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
434 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
435 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
435 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
436 (check hostfingerprint configuration)
436 (check hostfingerprint configuration)
437 [255]
437 [255]
438
438
439
439
440 - ignores that certificate doesn't match hostname
440 - ignores that certificate doesn't match hostname
441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
444 5fed3813f7f5
444 5fed3813f7f5
445
445
446 Ports used by next test. Kill servers.
446 Ports used by next test. Kill servers.
447
447
448 $ killdaemons.py hg0.pid
448 $ killdaemons.py hg0.pid
449 $ killdaemons.py hg1.pid
449 $ killdaemons.py hg1.pid
450 $ killdaemons.py hg2.pid
450 $ killdaemons.py hg2.pid
451
451
452 #if sslcontext tls1.2
452 #if sslcontext tls1.2
453 Start servers running supported TLS versions
453 Start servers running supported TLS versions
454
454
455 $ cd test
455 $ cd test
456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
457 > --config devel.serverexactprotocol=tls1.0
457 > --config devel.serverexactprotocol=tls1.0
458 $ cat ../hg0.pid >> $DAEMON_PIDS
458 $ cat ../hg0.pid >> $DAEMON_PIDS
459 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
459 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
460 > --config devel.serverexactprotocol=tls1.1
460 > --config devel.serverexactprotocol=tls1.1
461 $ cat ../hg1.pid >> $DAEMON_PIDS
461 $ cat ../hg1.pid >> $DAEMON_PIDS
462 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
462 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
463 > --config devel.serverexactprotocol=tls1.2
463 > --config devel.serverexactprotocol=tls1.2
464 $ cat ../hg2.pid >> $DAEMON_PIDS
464 $ cat ../hg2.pid >> $DAEMON_PIDS
465 $ cd ..
465 $ cd ..
466
466
467 Clients talking same TLS versions work
467 Clients talking same TLS versions work
468
468
469 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
469 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
470 5fed3813f7f5
470 5fed3813f7f5
471 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
471 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
472 5fed3813f7f5
472 5fed3813f7f5
473 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
473 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
474 5fed3813f7f5
474 5fed3813f7f5
475
475
476 Clients requiring newer TLS version than what server supports fail
476 Clients requiring newer TLS version than what server supports fail
477
477
478 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
478 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
482 abort: error: *unsupported protocol* (glob)
482 abort: error: *unsupported protocol* (glob)
483 [255]
483 [255]
484
484
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
486 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
486 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 abort: error: *unsupported protocol* (glob)
489 abort: error: *unsupported protocol* (glob)
490 [255]
490 [255]
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
495 abort: error: *unsupported protocol* (glob)
495 abort: error: *unsupported protocol* (glob)
496 [255]
496 [255]
497 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
497 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
498 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
498 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
499 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
499 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
500 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
500 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
501 abort: error: *unsupported protocol* (glob)
501 abort: error: *unsupported protocol* (glob)
502 [255]
502 [255]
503
503
504 --insecure will allow TLS 1.0 connections and override configs
504 --insecure will allow TLS 1.0 connections and override configs
505
505
506 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
506 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
507 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
507 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
508 5fed3813f7f5
508 5fed3813f7f5
509
509
510 The per-host config option overrides the default
510 The per-host config option overrides the default
511
511
512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
513 > --config hostsecurity.minimumprotocol=tls1.2 \
513 > --config hostsecurity.minimumprotocol=tls1.2 \
514 > --config hostsecurity.localhost:minimumprotocol=tls1.0
514 > --config hostsecurity.localhost:minimumprotocol=tls1.0
515 5fed3813f7f5
515 5fed3813f7f5
516
516
517 The per-host config option by itself works
517 The per-host config option by itself works
518
518
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
520 > --config hostsecurity.localhost:minimumprotocol=tls1.2
520 > --config hostsecurity.localhost:minimumprotocol=tls1.2
521 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
521 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
522 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
522 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
523 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
523 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
524 abort: error: *unsupported protocol* (glob)
524 abort: error: *unsupported protocol* (glob)
525 [255]
525 [255]
526
526
527 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
527 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
528
528
529 $ cat >> copy-pull/.hg/hgrc << EOF
529 $ cat >> copy-pull/.hg/hgrc << EOF
530 > [hostsecurity]
530 > [hostsecurity]
531 > localhost:minimumprotocol=tls1.2
531 > localhost:minimumprotocol=tls1.2
532 > EOF
532 > EOF
533 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
533 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
534 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
534 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
535 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
535 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
536 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
536 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
537 abort: error: *unsupported protocol* (glob)
537 abort: error: *unsupported protocol* (glob)
538 [255]
538 [255]
539
539
540 $ killdaemons.py hg0.pid
540 $ killdaemons.py hg0.pid
541 $ killdaemons.py hg1.pid
541 $ killdaemons.py hg1.pid
542 $ killdaemons.py hg2.pid
542 $ killdaemons.py hg2.pid
543 #endif
543 #endif
544
544
545 Prepare for connecting through proxy
545 Prepare for connecting through proxy
546
546
547 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
547 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
548 $ cat hg0.pid >> $DAEMON_PIDS
548 $ cat hg0.pid >> $DAEMON_PIDS
549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
550 $ cat hg2.pid >> $DAEMON_PIDS
550 $ cat hg2.pid >> $DAEMON_PIDS
551 tinyproxy.py doesn't fully detach, so killing it may result in extra output
551 tinyproxy.py doesn't fully detach, so killing it may result in extra output
552 from the shell. So don't kill it.
552 from the shell. So don't kill it.
553 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
553 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
554 $ while [ ! -f proxy.pid ]; do sleep 0; done
554 $ while [ ! -f proxy.pid ]; do sleep 0; done
555 $ cat proxy.pid >> $DAEMON_PIDS
555 $ cat proxy.pid >> $DAEMON_PIDS
556
556
557 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
557 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
558 $ echo "always=True" >> copy-pull/.hg/hgrc
558 $ echo "always=True" >> copy-pull/.hg/hgrc
559 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
559 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
560 $ echo "localhost =" >> copy-pull/.hg/hgrc
560 $ echo "localhost =" >> copy-pull/.hg/hgrc
561
561
562 Test unvalidated https through proxy
562 Test unvalidated https through proxy
563
563
564 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
564 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
565 pulling from https://localhost:$HGPORT/
565 pulling from https://localhost:$HGPORT/
566 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
566 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
567 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
567 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
568 searching for changes
568 searching for changes
569 no changes found
569 no changes found
570
570
571 Test https with cacert and fingerprint through proxy
571 Test https with cacert and fingerprint through proxy
572
572
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
574 > --config web.cacerts="$CERTSDIR/pub.pem"
574 > --config web.cacerts="$CERTSDIR/pub.pem"
575 pulling from https://localhost:$HGPORT/
575 pulling from https://localhost:$HGPORT/
576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
577 searching for changes
577 searching for changes
578 no changes found
578 no changes found
579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
580 pulling from https://*:$HGPORT/ (glob)
580 pulling from https://*:$HGPORT/ (glob)
581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
583 searching for changes
583 searching for changes
584 no changes found
584 no changes found
585
585
586 Test https with cert problems through proxy
586 Test https with cert problems through proxy
587
587
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
589 > --config web.cacerts="$CERTSDIR/pub-other.pem"
589 > --config web.cacerts="$CERTSDIR/pub-other.pem"
590 pulling from https://localhost:$HGPORT/
590 pulling from https://localhost:$HGPORT/
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
592 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
592 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
593 abort: error: *certificate verify failed* (glob)
593 abort: error: *certificate verify failed* (glob)
594 [255]
594 [255]
595 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
595 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
596 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
596 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
597 pulling from https://localhost:$HGPORT2/
597 pulling from https://localhost:$HGPORT2/
598 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
598 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
599 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
599 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
600 abort: error: *certificate verify failed* (glob)
600 abort: error: *certificate verify failed* (glob)
601 [255]
601 [255]
602
602
603
603
604 $ killdaemons.py hg0.pid
604 $ killdaemons.py hg0.pid
605
605
606 #if sslcontext
606 #if sslcontext
607
607
608 $ cd test
608 $ cd test
609
609
610 Missing certificate file(s) are detected
610 Missing certificate file(s) are detected
611
611
612 $ hg serve -p $HGPORT --certificate=/missing/certificate \
612 $ hg serve -p $HGPORT --certificate=/missing/certificate \
613 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
613 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
614 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
614 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
615 [255]
615 [255]
616
616
617 $ hg serve -p $HGPORT --certificate=$PRIV \
617 $ hg serve -p $HGPORT --certificate=$PRIV \
618 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
618 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
619 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
619 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
620 [255]
620 [255]
621
621
622 Start hgweb that requires client certificates:
622 Start hgweb that requires client certificates:
623
623
624 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
624 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
625 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
625 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
626 $ cat ../hg0.pid >> $DAEMON_PIDS
626 $ cat ../hg0.pid >> $DAEMON_PIDS
627 $ cd ..
627 $ cd ..
628
628
629 without client certificate:
629 without client certificate:
630
630
631 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
631 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
632 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
632 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
633 abort: error: *handshake failure* (glob)
633 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
634 [255]
634 [255]
635
635
636 with client certificate:
636 with client certificate:
637
637
638 $ cat << EOT >> $HGRCPATH
638 $ cat << EOT >> $HGRCPATH
639 > [auth]
639 > [auth]
640 > l.prefix = localhost
640 > l.prefix = localhost
641 > l.cert = $CERTSDIR/client-cert.pem
641 > l.cert = $CERTSDIR/client-cert.pem
642 > l.key = $CERTSDIR/client-key.pem
642 > l.key = $CERTSDIR/client-key.pem
643 > EOT
643 > EOT
644
644
645 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
645 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
646 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
646 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
647 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
647 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
648 5fed3813f7f5
648 5fed3813f7f5
649
649
650 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
650 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
651 > --config ui.interactive=True --config ui.nontty=True
651 > --config ui.interactive=True --config ui.nontty=True
652 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
652 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
653 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
653 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
654
654
655 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
655 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
656 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
656 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
657 abort: error: * (glob)
657 abort: error: * (glob)
658 [255]
658 [255]
659
659
660 Missing certficate and key files result in error
660 Missing certficate and key files result in error
661
661
662 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
662 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
663 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
663 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
664 (restore missing file or fix references in Mercurial config)
664 (restore missing file or fix references in Mercurial config)
665 [255]
665 [255]
666
666
667 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
667 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
668 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
668 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
669 (restore missing file or fix references in Mercurial config)
669 (restore missing file or fix references in Mercurial config)
670 [255]
670 [255]
671
671
672 #endif
672 #endif