test-https: turn off system OpenSSL configuration...
Yuya Nishihara -
r42140:4748938e stable
@@ -1,666 +1,672 b''
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Disable the system configuration which may set stricter TLS requirements.
6 This test expects that legacy TLS versions are supported.
7
8 $ OPENSSL_CONF=
9 $ export OPENSSL_CONF
10
5 Make server certificates:
11 Make server certificates:
6
12
7 $ CERTSDIR="$TESTDIR/sslcerts"
13 $ CERTSDIR="$TESTDIR/sslcerts"
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
9 $ PRIV=`pwd`/server.pem
15 $ PRIV=`pwd`/server.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
12
18
13 $ hg init test
19 $ hg init test
14 $ cd test
20 $ cd test
15 $ echo foo>foo
21 $ echo foo>foo
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
17 $ echo foo>foo.d/foo
23 $ echo foo>foo.d/foo
18 $ echo bar>foo.d/bAr.hg.d/BaR
24 $ echo bar>foo.d/bAr.hg.d/BaR
19 $ echo bar>foo.d/baR.d.hg/bAR
25 $ echo bar>foo.d/baR.d.hg/bAR
20 $ hg commit -A -m 1
26 $ hg commit -A -m 1
21 adding foo
27 adding foo
22 adding foo.d/bAr.hg.d/BaR
28 adding foo.d/bAr.hg.d/BaR
23 adding foo.d/baR.d.hg/bAR
29 adding foo.d/baR.d.hg/bAR
24 adding foo.d/foo
30 adding foo.d/foo
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
26 $ cat ../hg0.pid >> $DAEMON_PIDS
32 $ cat ../hg0.pid >> $DAEMON_PIDS
27
33
28 cacert not found
34 cacert not found
29
35
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32 abort: could not find web.cacerts: no-such.pem
38 abort: could not find web.cacerts: no-such.pem
33 [255]
39 [255]
34
40
35 Test server address cannot be reused
41 Test server address cannot be reused
36
42
37 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
38 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
44 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
39 [255]
45 [255]
40
46
41 $ cd ..
47 $ cd ..
42
48
43 Our test cert is not signed by a trusted CA. It should fail to verify if
49 Our test cert is not signed by a trusted CA. It should fail to verify if
44 we are able to load CA certs.
50 we are able to load CA certs.
45
51
46 #if sslcontext defaultcacerts no-defaultcacertsloaded
52 #if sslcontext defaultcacerts no-defaultcacertsloaded
47 $ hg clone https://localhost:$HGPORT/ copy-pull
53 $ hg clone https://localhost:$HGPORT/ copy-pull
48 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
49 abort: error: *certificate verify failed* (glob)
55 abort: error: *certificate verify failed* (glob)
50 [255]
56 [255]
51 #endif
57 #endif
52
58
53 #if no-sslcontext defaultcacerts
59 #if no-sslcontext defaultcacerts
54 $ hg clone https://localhost:$HGPORT/ copy-pull
60 $ hg clone https://localhost:$HGPORT/ copy-pull
55 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
56 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
57 abort: error: *certificate verify failed* (glob)
63 abort: error: *certificate verify failed* (glob)
58 [255]
64 [255]
59 #endif
65 #endif
60
66
61 #if no-sslcontext windows
67 #if no-sslcontext windows
62 $ hg clone https://localhost:$HGPORT/ copy-pull
68 $ hg clone https://localhost:$HGPORT/ copy-pull
63 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
69 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
64 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
70 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
65 abort: error: *certificate verify failed* (glob)
71 abort: error: *certificate verify failed* (glob)
66 [255]
72 [255]
67 #endif
73 #endif
68
74
69 #if no-sslcontext osx
75 #if no-sslcontext osx
70 $ hg clone https://localhost:$HGPORT/ copy-pull
76 $ hg clone https://localhost:$HGPORT/ copy-pull
71 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
77 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
72 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
78 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
73 abort: localhost certificate error: no certificate received
79 abort: localhost certificate error: no certificate received
74 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
80 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
75 [255]
81 [255]
76 #endif
82 #endif
77
83
78 #if defaultcacertsloaded
84 #if defaultcacertsloaded
79 $ hg clone https://localhost:$HGPORT/ copy-pull
85 $ hg clone https://localhost:$HGPORT/ copy-pull
80 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
86 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
81 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
87 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
82 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
88 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
83 abort: error: *certificate verify failed* (glob)
89 abort: error: *certificate verify failed* (glob)
84 [255]
90 [255]
85 #endif
91 #endif
86
92
87 #if no-defaultcacerts
93 #if no-defaultcacerts
88 $ hg clone https://localhost:$HGPORT/ copy-pull
94 $ hg clone https://localhost:$HGPORT/ copy-pull
89 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
95 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
90 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
96 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
91 abort: localhost certificate error: no certificate received
97 abort: localhost certificate error: no certificate received
92 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
98 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
93 [255]
99 [255]
94 #endif
100 #endif
95
101
96 Specifying a per-host certificate file that doesn't exist will abort. The full
102 Specifying a per-host certificate file that doesn't exist will abort. The full
97 C:/path/to/msysroot will print on Windows.
103 C:/path/to/msysroot will print on Windows.
98
104
99 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
105 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
100 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
106 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
101 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
107 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
102 [255]
108 [255]
103
109
104 A malformed per-host certificate file will raise an error
110 A malformed per-host certificate file will raise an error
105
111
106 $ echo baddata > badca.pem
112 $ echo baddata > badca.pem
107 #if sslcontext
113 #if sslcontext
108 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
109 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
110 abort: error loading CA file badca.pem: * (glob)
116 abort: error loading CA file badca.pem: * (glob)
111 (file is empty or malformed?)
117 (file is empty or malformed?)
112 [255]
118 [255]
113 #else
119 #else
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
120 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
121 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
116 abort: error: * (glob)
122 abort: error: * (glob)
117 [255]
123 [255]
118 #endif
124 #endif
119
125
120 A per-host certificate mismatching the server will fail verification
126 A per-host certificate mismatching the server will fail verification
121
127
122 (modern ssl is able to discern whether the loaded cert is a CA cert)
128 (modern ssl is able to discern whether the loaded cert is a CA cert)
123 #if sslcontext
129 #if sslcontext
124 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
130 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
125 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
131 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
126 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
132 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
127 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
133 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
128 abort: error: *certificate verify failed* (glob)
134 abort: error: *certificate verify failed* (glob)
129 [255]
135 [255]
130 #else
136 #else
131 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
137 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
132 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
138 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
133 abort: error: *certificate verify failed* (glob)
139 abort: error: *certificate verify failed* (glob)
134 [255]
140 [255]
135 #endif
141 #endif
136
142
137 A per-host certificate matching the server's cert will be accepted
143 A per-host certificate matching the server's cert will be accepted
138
144
139 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
145 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
140 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
146 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
141 requesting all changes
147 requesting all changes
142 adding changesets
148 adding changesets
143 adding manifests
149 adding manifests
144 adding file changes
150 adding file changes
145 added 1 changesets with 4 changes to 4 files
151 added 1 changesets with 4 changes to 4 files
146 new changesets 8b6053c928fe
152 new changesets 8b6053c928fe
147
153
148 A per-host certificate with multiple certs and one matching will be accepted
154 A per-host certificate with multiple certs and one matching will be accepted
149
155
150 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
156 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
151 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
157 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
152 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
158 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
153 requesting all changes
159 requesting all changes
154 adding changesets
160 adding changesets
155 adding manifests
161 adding manifests
156 adding file changes
162 adding file changes
157 added 1 changesets with 4 changes to 4 files
163 added 1 changesets with 4 changes to 4 files
158 new changesets 8b6053c928fe
164 new changesets 8b6053c928fe
159
165
160 Defining both per-host certificate and a fingerprint will print a warning
166 Defining both per-host certificate and a fingerprint will print a warning
161
167
162 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
168 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
163 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
169 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
164 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
170 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
165 requesting all changes
171 requesting all changes
166 adding changesets
172 adding changesets
167 adding manifests
173 adding manifests
168 adding file changes
174 adding file changes
169 added 1 changesets with 4 changes to 4 files
175 added 1 changesets with 4 changes to 4 files
170 new changesets 8b6053c928fe
176 new changesets 8b6053c928fe
171
177
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
178 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
173
179
174 Inability to verify peer certificate will result in abort
180 Inability to verify peer certificate will result in abort
175
181
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
182 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
184 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
185 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
180 [255]
186 [255]
181
187
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
188 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
189 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
190 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
185 requesting all changes
191 requesting all changes
186 adding changesets
192 adding changesets
187 adding manifests
193 adding manifests
188 adding file changes
194 adding file changes
189 added 1 changesets with 4 changes to 4 files
195 added 1 changesets with 4 changes to 4 files
190 new changesets 8b6053c928fe
196 new changesets 8b6053c928fe
191 updating to branch default
197 updating to branch default
192 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
198 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
193 $ hg verify -R copy-pull
199 $ hg verify -R copy-pull
194 checking changesets
200 checking changesets
195 checking manifests
201 checking manifests
196 crosschecking files in changesets and manifests
202 crosschecking files in changesets and manifests
197 checking files
203 checking files
198 checked 1 changesets with 4 changes to 4 files
204 checked 1 changesets with 4 changes to 4 files
199 $ cd test
205 $ cd test
200 $ echo bar > bar
206 $ echo bar > bar
201 $ hg commit -A -d '1 0' -m 2
207 $ hg commit -A -d '1 0' -m 2
202 adding bar
208 adding bar
203 $ cd ..
209 $ cd ..
204
210
205 pull without cacert
211 pull without cacert
206
212
207 $ cd copy-pull
213 $ cd copy-pull
208 $ cat >> .hg/hgrc <<EOF
214 $ cat >> .hg/hgrc <<EOF
209 > [hooks]
215 > [hooks]
210 > changegroup = sh -c "printenv.py changegroup"
216 > changegroup = sh -c "printenv.py changegroup"
211 > EOF
217 > EOF
212 $ hg pull $DISABLECACERTS
218 $ hg pull $DISABLECACERTS
213 pulling from https://localhost:$HGPORT/
219 pulling from https://localhost:$HGPORT/
214 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
215 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
221 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
216 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
222 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
217 [255]
223 [255]
218
224
219 $ hg pull --insecure
225 $ hg pull --insecure
220 pulling from https://localhost:$HGPORT/
226 pulling from https://localhost:$HGPORT/
221 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
227 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
222 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
228 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
223 searching for changes
229 searching for changes
224 adding changesets
230 adding changesets
225 adding manifests
231 adding manifests
226 adding file changes
232 adding file changes
227 added 1 changesets with 1 changes to 1 files
233 added 1 changesets with 1 changes to 1 files
228 new changesets 5fed3813f7f5
234 new changesets 5fed3813f7f5
229 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
235 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
230 (run 'hg update' to get a working copy)
236 (run 'hg update' to get a working copy)
231 $ cd ..
237 $ cd ..
232
238
233 cacert configured in local repo
239 cacert configured in local repo
234
240
235 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
241 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
236 $ echo "[web]" >> copy-pull/.hg/hgrc
242 $ echo "[web]" >> copy-pull/.hg/hgrc
237 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
243 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
238 $ hg -R copy-pull pull
244 $ hg -R copy-pull pull
239 pulling from https://localhost:$HGPORT/
245 pulling from https://localhost:$HGPORT/
240 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
246 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
241 searching for changes
247 searching for changes
242 no changes found
248 no changes found
243 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
249 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
244
250
245 cacert configured globally, also testing expansion of environment
251 cacert configured globally, also testing expansion of environment
246 variables in the filename
252 variables in the filename
247
253
248 $ echo "[web]" >> $HGRCPATH
254 $ echo "[web]" >> $HGRCPATH
249 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
255 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
250 $ P="$CERTSDIR" hg -R copy-pull pull
256 $ P="$CERTSDIR" hg -R copy-pull pull
251 pulling from https://localhost:$HGPORT/
257 pulling from https://localhost:$HGPORT/
252 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
258 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
253 searching for changes
259 searching for changes
254 no changes found
260 no changes found
255 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
261 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
256 pulling from https://localhost:$HGPORT/
262 pulling from https://localhost:$HGPORT/
257 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
263 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
258 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
264 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
259 searching for changes
265 searching for changes
260 no changes found
266 no changes found
261
267
262 empty cacert file
268 empty cacert file
263
269
264 $ touch emptycafile
270 $ touch emptycafile
265
271
266 #if sslcontext
272 #if sslcontext
267 $ hg --config web.cacerts=emptycafile -R copy-pull pull
273 $ hg --config web.cacerts=emptycafile -R copy-pull pull
268 pulling from https://localhost:$HGPORT/
274 pulling from https://localhost:$HGPORT/
269 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
275 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
270 abort: error loading CA file emptycafile: * (glob)
276 abort: error loading CA file emptycafile: * (glob)
271 (file is empty or malformed?)
277 (file is empty or malformed?)
272 [255]
278 [255]
273 #else
279 #else
274 $ hg --config web.cacerts=emptycafile -R copy-pull pull
280 $ hg --config web.cacerts=emptycafile -R copy-pull pull
275 pulling from https://localhost:$HGPORT/
281 pulling from https://localhost:$HGPORT/
276 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
282 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
277 abort: error: * (glob)
283 abort: error: * (glob)
278 [255]
284 [255]
279 #endif
285 #endif
280
286
281 cacert mismatch
287 cacert mismatch
282
288
283 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
289 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
284 > https://$LOCALIP:$HGPORT/
290 > https://$LOCALIP:$HGPORT/
285 pulling from https://*:$HGPORT/ (glob)
291 pulling from https://*:$HGPORT/ (glob)
286 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
292 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
287 abort: $LOCALIP certificate error: certificate is for localhost (glob)
293 abort: $LOCALIP certificate error: certificate is for localhost (glob)
288 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
294 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
289 [255]
295 [255]
290 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
296 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
291 > https://$LOCALIP:$HGPORT/ --insecure
297 > https://$LOCALIP:$HGPORT/ --insecure
292 pulling from https://*:$HGPORT/ (glob)
298 pulling from https://*:$HGPORT/ (glob)
293 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
299 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
294 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
300 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
295 searching for changes
301 searching for changes
296 no changes found
302 no changes found
297 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
303 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
298 pulling from https://localhost:$HGPORT/
304 pulling from https://localhost:$HGPORT/
299 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
305 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
300 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
306 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
301 abort: error: *certificate verify failed* (glob)
307 abort: error: *certificate verify failed* (glob)
302 [255]
308 [255]
303 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
309 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
304 > --insecure
310 > --insecure
305 pulling from https://localhost:$HGPORT/
311 pulling from https://localhost:$HGPORT/
306 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
312 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
307 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
313 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
308 searching for changes
314 searching for changes
309 no changes found
315 no changes found
310
316
311 Test server cert which isn't valid yet
317 Test server cert which isn't valid yet
312
318
313 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
319 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
314 $ cat hg1.pid >> $DAEMON_PIDS
320 $ cat hg1.pid >> $DAEMON_PIDS
315 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
321 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
316 > https://localhost:$HGPORT1/
322 > https://localhost:$HGPORT1/
317 pulling from https://localhost:$HGPORT1/
323 pulling from https://localhost:$HGPORT1/
318 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
324 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
319 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
325 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
320 abort: error: *certificate verify failed* (glob)
326 abort: error: *certificate verify failed* (glob)
321 [255]
327 [255]
322
328
323 Test server cert which no longer is valid
329 Test server cert which no longer is valid
324
330
325 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
331 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
326 $ cat hg2.pid >> $DAEMON_PIDS
332 $ cat hg2.pid >> $DAEMON_PIDS
327 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
333 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
328 > https://localhost:$HGPORT2/
334 > https://localhost:$HGPORT2/
329 pulling from https://localhost:$HGPORT2/
335 pulling from https://localhost:$HGPORT2/
330 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
336 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
331 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
337 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
332 abort: error: *certificate verify failed* (glob)
338 abort: error: *certificate verify failed* (glob)
333 [255]
339 [255]
334
340
335 Disabling the TLS 1.0 warning works
341 Disabling the TLS 1.0 warning works
336 $ hg -R copy-pull id https://localhost:$HGPORT/ \
342 $ hg -R copy-pull id https://localhost:$HGPORT/ \
337 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
343 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
338 > --config hostsecurity.disabletls10warning=true
344 > --config hostsecurity.disabletls10warning=true
339 5fed3813f7f5
345 5fed3813f7f5
340
346
341 Error message for setting ciphers is different depending on SSLContext support
347 Error message for setting ciphers is different depending on SSLContext support
342
348
343 #if no-sslcontext
349 #if no-sslcontext
344 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
346 abort: *No cipher can be selected. (glob)
352 abort: *No cipher can be selected. (glob)
347 [255]
353 [255]
348
354
349 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
350 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
351 5fed3813f7f5
357 5fed3813f7f5
352 #endif
358 #endif
353
359
354 #if sslcontext
360 #if sslcontext
355 Setting ciphers to an invalid value aborts
361 Setting ciphers to an invalid value aborts
356 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
357 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
358 abort: could not set ciphers: No cipher can be selected.
364 abort: could not set ciphers: No cipher can be selected.
359 (change cipher string (invalid) in config)
365 (change cipher string (invalid) in config)
360 [255]
366 [255]
361
367
362 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
368 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
369 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
364 abort: could not set ciphers: No cipher can be selected.
370 abort: could not set ciphers: No cipher can be selected.
365 (change cipher string (invalid) in config)
371 (change cipher string (invalid) in config)
366 [255]
372 [255]
367
373
368 Changing the cipher string works
374 Changing the cipher string works
369
375
370 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
371 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
372 5fed3813f7f5
378 5fed3813f7f5
373 #endif
379 #endif
374
380
375 Fingerprints
381 Fingerprints
376
382
377 - works without cacerts (hostfingerprints)
383 - works without cacerts (hostfingerprints)
378 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
379 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
380 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
381 5fed3813f7f5
387 5fed3813f7f5
382
388
383 - works without cacerts (hostsecurity)
389 - works without cacerts (hostsecurity)
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 5fed3813f7f5
392 5fed3813f7f5
387
393
388 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
394 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
395 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
390 5fed3813f7f5
396 5fed3813f7f5
391
397
392 - multiple fingerprints specified and first matches
398 - multiple fingerprints specified and first matches
393 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
395 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
396 5fed3813f7f5
402 5fed3813f7f5
397
403
398 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
400 5fed3813f7f5
406 5fed3813f7f5
401
407
402 - multiple fingerprints specified and last matches
408 - multiple fingerprints specified and last matches
403 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
405 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
406 5fed3813f7f5
412 5fed3813f7f5
407
413
408 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
409 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 5fed3813f7f5
416 5fed3813f7f5
411
417
412 - multiple fingerprints specified and none match
418 - multiple fingerprints specified and none match
413
419
414 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
420 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
422 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
417 (check hostfingerprint configuration)
423 (check hostfingerprint configuration)
418 [255]
424 [255]
419
425
420 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
426 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
427 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
422 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
428 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
423 (check hostsecurity configuration)
429 (check hostsecurity configuration)
424 [255]
430 [255]
425
431
426 - fails when cert doesn't match hostname (port is ignored)
432 - fails when cert doesn't match hostname (port is ignored)
427 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
433 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
428 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
434 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
429 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
435 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
430 (check hostfingerprint configuration)
436 (check hostfingerprint configuration)
431 [255]
437 [255]
432
438
433
439
434 - ignores that certificate doesn't match hostname
440 - ignores that certificate doesn't match hostname
435 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
436 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
437 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
438 5fed3813f7f5
444 5fed3813f7f5
439
445
440 Ports used by next test. Kill servers.
446 Ports used by next test. Kill servers.
441
447
442 $ killdaemons.py hg0.pid
448 $ killdaemons.py hg0.pid
443 $ killdaemons.py hg1.pid
449 $ killdaemons.py hg1.pid
444 $ killdaemons.py hg2.pid
450 $ killdaemons.py hg2.pid
445
451
446 #if sslcontext tls1.2
452 #if sslcontext tls1.2
447 Start servers running supported TLS versions
453 Start servers running supported TLS versions
448
454
449 $ cd test
455 $ cd test
450 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
451 > --config devel.serverexactprotocol=tls1.0
457 > --config devel.serverexactprotocol=tls1.0
452 $ cat ../hg0.pid >> $DAEMON_PIDS
458 $ cat ../hg0.pid >> $DAEMON_PIDS
453 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
459 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
454 > --config devel.serverexactprotocol=tls1.1
460 > --config devel.serverexactprotocol=tls1.1
455 $ cat ../hg1.pid >> $DAEMON_PIDS
461 $ cat ../hg1.pid >> $DAEMON_PIDS
456 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
462 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
457 > --config devel.serverexactprotocol=tls1.2
463 > --config devel.serverexactprotocol=tls1.2
458 $ cat ../hg2.pid >> $DAEMON_PIDS
464 $ cat ../hg2.pid >> $DAEMON_PIDS
459 $ cd ..
465 $ cd ..
460
466
461 Clients talking same TLS versions work
467 Clients talking same TLS versions work
462
468
463 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
469 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
464 5fed3813f7f5
470 5fed3813f7f5
465 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
471 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
466 5fed3813f7f5
472 5fed3813f7f5
467 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
473 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
468 5fed3813f7f5
474 5fed3813f7f5
469
475
470 Clients requiring newer TLS version than what server supports fail
476 Clients requiring newer TLS version than what server supports fail
471
477
472 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
478 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
473 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
474 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
475 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
476 abort: error: *unsupported protocol* (glob)
482 abort: error: *unsupported protocol* (glob)
477 [255]
483 [255]
478
484
479 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
480 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
486 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
481 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
482 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
483 abort: error: *unsupported protocol* (glob)
489 abort: error: *unsupported protocol* (glob)
484 [255]
490 [255]
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
486 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 abort: error: *unsupported protocol* (glob)
495 abort: error: *unsupported protocol* (glob)
490 [255]
496 [255]
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
497 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
498 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
499 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
500 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
495 abort: error: *unsupported protocol* (glob)
501 abort: error: *unsupported protocol* (glob)
496 [255]
502 [255]
497
503
498 --insecure will allow TLS 1.0 connections and override configs
504 --insecure will allow TLS 1.0 connections and override configs
499
505
500 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
506 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
501 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
507 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
502 5fed3813f7f5
508 5fed3813f7f5
503
509
504 The per-host config option overrides the default
510 The per-host config option overrides the default
505
511
506 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
507 > --config hostsecurity.minimumprotocol=tls1.2 \
513 > --config hostsecurity.minimumprotocol=tls1.2 \
508 > --config hostsecurity.localhost:minimumprotocol=tls1.0
514 > --config hostsecurity.localhost:minimumprotocol=tls1.0
509 5fed3813f7f5
515 5fed3813f7f5
510
516
511 The per-host config option by itself works
517 The per-host config option by itself works
512
518
513 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
514 > --config hostsecurity.localhost:minimumprotocol=tls1.2
520 > --config hostsecurity.localhost:minimumprotocol=tls1.2
515 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
521 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
516 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
522 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
517 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
523 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
518 abort: error: *unsupported protocol* (glob)
524 abort: error: *unsupported protocol* (glob)
519 [255]
525 [255]
520
526
521 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
527 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
522
528
523 $ cat >> copy-pull/.hg/hgrc << EOF
529 $ cat >> copy-pull/.hg/hgrc << EOF
524 > [hostsecurity]
530 > [hostsecurity]
525 > localhost:minimumprotocol=tls1.2
531 > localhost:minimumprotocol=tls1.2
526 > EOF
532 > EOF
527 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
533 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
528 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
534 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
529 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
535 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
530 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
536 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
531 abort: error: *unsupported protocol* (glob)
537 abort: error: *unsupported protocol* (glob)
532 [255]
538 [255]
533
539
534 $ killdaemons.py hg0.pid
540 $ killdaemons.py hg0.pid
535 $ killdaemons.py hg1.pid
541 $ killdaemons.py hg1.pid
536 $ killdaemons.py hg2.pid
542 $ killdaemons.py hg2.pid
537 #endif
543 #endif
538
544
539 Prepare for connecting through proxy
545 Prepare for connecting through proxy
540
546
541 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
547 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
542 $ cat hg0.pid >> $DAEMON_PIDS
548 $ cat hg0.pid >> $DAEMON_PIDS
543 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
544 $ cat hg2.pid >> $DAEMON_PIDS
550 $ cat hg2.pid >> $DAEMON_PIDS
545 tinyproxy.py doesn't fully detach, so killing it may result in extra output
551 tinyproxy.py doesn't fully detach, so killing it may result in extra output
546 from the shell. So don't kill it.
552 from the shell. So don't kill it.
547 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
553 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
548 $ while [ ! -f proxy.pid ]; do sleep 0; done
554 $ while [ ! -f proxy.pid ]; do sleep 0; done
549 $ cat proxy.pid >> $DAEMON_PIDS
555 $ cat proxy.pid >> $DAEMON_PIDS
550
556
551 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
557 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
552 $ echo "always=True" >> copy-pull/.hg/hgrc
558 $ echo "always=True" >> copy-pull/.hg/hgrc
553 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
559 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
554 $ echo "localhost =" >> copy-pull/.hg/hgrc
560 $ echo "localhost =" >> copy-pull/.hg/hgrc
555
561
556 Test unvalidated https through proxy
562 Test unvalidated https through proxy
557
563
558 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
564 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
559 pulling from https://localhost:$HGPORT/
565 pulling from https://localhost:$HGPORT/
560 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
566 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
561 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
567 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
562 searching for changes
568 searching for changes
563 no changes found
569 no changes found
564
570
565 Test https with cacert and fingerprint through proxy
571 Test https with cacert and fingerprint through proxy
566
572
567 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
568 > --config web.cacerts="$CERTSDIR/pub.pem"
574 > --config web.cacerts="$CERTSDIR/pub.pem"
569 pulling from https://localhost:$HGPORT/
575 pulling from https://localhost:$HGPORT/
570 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
571 searching for changes
577 searching for changes
572 no changes found
578 no changes found
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
574 pulling from https://*:$HGPORT/ (glob)
580 pulling from https://*:$HGPORT/ (glob)
575 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
576 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
577 searching for changes
583 searching for changes
578 no changes found
584 no changes found
579
585
580 Test https with cert problems through proxy
586 Test https with cert problems through proxy
581
587
582 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
583 > --config web.cacerts="$CERTSDIR/pub-other.pem"
589 > --config web.cacerts="$CERTSDIR/pub-other.pem"
584 pulling from https://localhost:$HGPORT/
590 pulling from https://localhost:$HGPORT/
585 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
586 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
592 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
587 abort: error: *certificate verify failed* (glob)
593 abort: error: *certificate verify failed* (glob)
588 [255]
594 [255]
589 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
595 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
590 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
596 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
591 pulling from https://localhost:$HGPORT2/
597 pulling from https://localhost:$HGPORT2/
592 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
598 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
593 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
599 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
594 abort: error: *certificate verify failed* (glob)
600 abort: error: *certificate verify failed* (glob)
595 [255]
601 [255]
596
602
597
603
598 $ killdaemons.py hg0.pid
604 $ killdaemons.py hg0.pid
599
605
600 #if sslcontext
606 #if sslcontext
601
607
602 $ cd test
608 $ cd test
603
609
604 Missing certificate file(s) are detected
610 Missing certificate file(s) are detected
605
611
606 $ hg serve -p $HGPORT --certificate=/missing/certificate \
612 $ hg serve -p $HGPORT --certificate=/missing/certificate \
607 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
613 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
608 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
614 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
609 [255]
615 [255]
610
616
611 $ hg serve -p $HGPORT --certificate=$PRIV \
617 $ hg serve -p $HGPORT --certificate=$PRIV \
612 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
618 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
613 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
619 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
614 [255]
620 [255]
615
621
616 Start hgweb that requires client certificates:
622 Start hgweb that requires client certificates:
617
623
618 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
624 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
619 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
625 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
620 $ cat ../hg0.pid >> $DAEMON_PIDS
626 $ cat ../hg0.pid >> $DAEMON_PIDS
621 $ cd ..
627 $ cd ..
622
628
623 without client certificate:
629 without client certificate:
624
630
625 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
631 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
626 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
632 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
627 abort: error: *handshake failure* (glob)
633 abort: error: *handshake failure* (glob)
628 [255]
634 [255]
629
635
630 with client certificate:
636 with client certificate:
631
637
632 $ cat << EOT >> $HGRCPATH
638 $ cat << EOT >> $HGRCPATH
633 > [auth]
639 > [auth]
634 > l.prefix = localhost
640 > l.prefix = localhost
635 > l.cert = $CERTSDIR/client-cert.pem
641 > l.cert = $CERTSDIR/client-cert.pem
636 > l.key = $CERTSDIR/client-key.pem
642 > l.key = $CERTSDIR/client-key.pem
637 > EOT
643 > EOT
638
644
639 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
645 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
640 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
646 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
647 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
642 5fed3813f7f5
648 5fed3813f7f5
643
649
644 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
650 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
645 > --config ui.interactive=True --config ui.nontty=True
651 > --config ui.interactive=True --config ui.nontty=True
646 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
652 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
647 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
653 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
648
654
649 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
655 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
650 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
656 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
651 abort: error: * (glob)
657 abort: error: * (glob)
652 [255]
658 [255]
653
659
654 Missing certficate and key files result in error
660 Missing certficate and key files result in error
655
661
656 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
662 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
657 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
663 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
658 (restore missing file or fix references in Mercurial config)
664 (restore missing file or fix references in Mercurial config)
659 [255]
665 [255]
660
666
661 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
667 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
662 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
668 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
663 (restore missing file or fix references in Mercurial config)
669 (restore missing file or fix references in Mercurial config)
664 [255]
670 [255]
665
671
666 #endif
672 #endif