upstream/mercurial-mirror Commit - r13438:48463d88

1

Proper https client requires the built-in ssl from Python 2.6.

1

Proper https client requires the built-in ssl from Python 2.6.

2

3

$ "$TESTDIR/hghave" ssl || exit 80

3

$ "$TESTDIR/hghave" ssl || exit 80

4

5

Certificates created with:

5

Certificates created with:

6

printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

6

printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

7

openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

7

openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

8

Can be dumped with:

8

Can be dumped with:

9

openssl x509 -in pub.pem -text

9

openssl x509 -in pub.pem -text

10

11

$ cat << EOT > priv.pem

11

$ cat << EOT > priv.pem

12

> -----BEGIN PRIVATE KEY-----

12

> -----BEGIN PRIVATE KEY-----

13

> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

13

> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

14

> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

14

> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

15

> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

15

> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

16

> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

16

> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

17

> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

17

> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

18

> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

18

> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

19

> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

19

> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

20

> HY8gUVkVRVs=

20

> HY8gUVkVRVs=

21

> -----END PRIVATE KEY-----

21

> -----END PRIVATE KEY-----

22

> EOT

22

> EOT

23

24

$ cat << EOT > pub.pem

24

$ cat << EOT > pub.pem

25

> -----BEGIN CERTIFICATE-----

25

> -----BEGIN CERTIFICATE-----

26

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

26

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

27

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

27

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

28

> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

28

> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

29

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

29

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

30

> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

30

> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

31

> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

31

> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

32

> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

32

> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

33

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

33

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

34

> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

34

> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

35

> -----END CERTIFICATE-----

35

> -----END CERTIFICATE-----

36

> EOT

36

> EOT

37

$ cat priv.pem pub.pem >> server.pem

37

$ cat priv.pem pub.pem >> server.pem

38

$ PRIV=`pwd`/server.pem

38

$ PRIV=`pwd`/server.pem

39

40

$ cat << EOT > pub-other.pem

40

$ cat << EOT > pub-other.pem

41

> -----BEGIN CERTIFICATE-----

41

> -----BEGIN CERTIFICATE-----

42

> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

42

> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

43

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

43

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

44

> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

44

> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

45

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

45

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

46

> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

46

> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

47

> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

47

> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

48

> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

48

> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

49

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

49

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

50

> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

50

> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

51

> -----END CERTIFICATE-----

51

> -----END CERTIFICATE-----

52

> EOT

52

> EOT

53

54

pub.pem patched with other notBefore / notAfter:

54

pub.pem patched with other notBefore / notAfter:

55

56

$ cat << EOT > pub-not-yet.pem

56

$ cat << EOT > pub-not-yet.pem

57

> -----BEGIN CERTIFICATE-----

57

> -----BEGIN CERTIFICATE-----

58

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

58

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

59

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

59

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

60

> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

60

> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

61

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

61

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

62

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

62

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

63

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

63

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

64

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

64

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

65

> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

65

> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

66

> -----END CERTIFICATE-----

66

> -----END CERTIFICATE-----

67

> EOT

67

> EOT

68

$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

68

$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

69

70

$ cat << EOT > pub-expired.pem

70

$ cat << EOT > pub-expired.pem

71

> -----BEGIN CERTIFICATE-----

71

> -----BEGIN CERTIFICATE-----

72

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

72

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

73

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

73

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

74

> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

74

> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

75

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

75

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

76

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

76

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

77

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

77

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

78

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

78

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

79

> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

79

> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

80

> -----END CERTIFICATE-----

80

> -----END CERTIFICATE-----

81

> EOT

81

> EOT

82

$ cat priv.pem pub-expired.pem > server-expired.pem

82

$ cat priv.pem pub-expired.pem > server-expired.pem

83

84

$ hg init test

84

$ hg init test

85

$ cd test

85

$ cd test

86

$ echo foo>foo

86

$ echo foo>foo

87

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

87

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

88

$ echo foo>foo.d/foo

88

$ echo foo>foo.d/foo

89

$ echo bar>foo.d/bAr.hg.d/BaR

89

$ echo bar>foo.d/bAr.hg.d/BaR

90

$ echo bar>foo.d/baR.d.hg/bAR

90

$ echo bar>foo.d/baR.d.hg/bAR

91

$ hg commit -A -m 1

91

$ hg commit -A -m 1

92

adding foo

92

adding foo

93

adding foo.d/bAr.hg.d/BaR

93

adding foo.d/bAr.hg.d/BaR

94

adding foo.d/baR.d.hg/bAR

94

adding foo.d/baR.d.hg/bAR

95

adding foo.d/foo

95

adding foo.d/foo

96

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

96

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

97

$ cat ../hg0.pid >> $DAEMON_PIDS

97

$ cat ../hg0.pid >> $DAEMON_PIDS

98

99

Test server address cannot be reused

99

Test server address cannot be reused

100

101

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

101

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

102

abort: cannot start server at ':$HGPORT': Address already in use

102

abort: cannot start server at ':$HGPORT': Address already in use

103

[255]

103

[255]

104

$ cd ..

104

$ cd ..

105

106

clone via pull

106

clone via pull

107

108

$ hg clone https://localhost:$HGPORT/ copy-pull

108

$ hg clone https://localhost:$HGPORT/ copy-pull

109

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

109

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

110

requesting all changes

110

requesting all changes

111

adding changesets

111

adding changesets

112

adding manifests

112

adding manifests

113

adding file changes

113

adding file changes

114

added 1 changesets with 4 changes to 4 files

114

added 1 changesets with 4 changes to 4 files

115

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

115

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

116

updating to branch default

116

updating to branch default

117

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

117

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

118

$ hg verify -R copy-pull

118

$ hg verify -R copy-pull

119

checking changesets

119

checking changesets

120

checking manifests

120

checking manifests

121

crosschecking files in changesets and manifests

121

crosschecking files in changesets and manifests

122

checking files

122

checking files

123

4 files, 1 changesets, 4 total revisions

123

4 files, 1 changesets, 4 total revisions

124

$ cd test

124

$ cd test

125

$ echo bar > bar

125

$ echo bar > bar

126

$ hg commit -A -d '1 0' -m 2

126

$ hg commit -A -d '1 0' -m 2

127

adding bar

127

adding bar

128

$ cd ..

128

$ cd ..

129

130

pull without cacert

130

pull without cacert

131

132

$ cd copy-pull

132

$ cd copy-pull

133

$ echo '[hooks]' >> .hg/hgrc

133

$ echo '[hooks]' >> .hg/hgrc

134

$ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc

134

$ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc

135

$ hg pull

135

$ hg pull

136

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

136

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

137

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/

137

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/

138

pulling from https://localhost:$HGPORT/

138

pulling from https://localhost:$HGPORT/

139

searching for changes

139

searching for changes

140

adding changesets

140

adding changesets

141

adding manifests

141

adding manifests

142

adding file changes

142

adding file changes

143

added 1 changesets with 1 changes to 1 files

143

added 1 changesets with 1 changes to 1 files

144

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

144

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

145

(run 'hg update' to get a working copy)

145

(run 'hg update' to get a working copy)

146

$ cd ..

146

$ cd ..

147

148

cacert configured in local repo

148

cacert configured in local repo

149

150

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

150

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

151

$ echo "[web]" >> copy-pull/.hg/hgrc

151

$ echo "[web]" >> copy-pull/.hg/hgrc

152

$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

152

$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

153

$ hg -R copy-pull pull --traceback

153

$ hg -R copy-pull pull --traceback

154

pulling from https://localhost:$HGPORT/

154

pulling from https://localhost:$HGPORT/

155

searching for changes

155

searching for changes

156

no changes found

156

no changes found

157

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

157

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

158

159

cacert configured globally, also testing expansion of environment

159

cacert configured globally, also testing expansion of environment

160

variables in the filename

160

variables in the filename

161

162

$ echo "[web]" >> $HGRCPATH

162

$ echo "[web]" >> $HGRCPATH

163

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

163

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

164

$ P=`pwd` hg -R copy-pull pull

164

$ P=`pwd` hg -R copy-pull pull

165

pulling from https://localhost:$HGPORT/

165

pulling from https://localhost:$HGPORT/

166

searching for changes

166

searching for changes

167

no changes found

167

no changes found

168

$ P=`pwd` hg -R copy-pull pull --insecure

168

$ P=`pwd` hg -R copy-pull pull --insecure

169

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

169

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

170

pulling from https://localhost:$HGPORT/

170

pulling from https://localhost:$HGPORT/

171

searching for changes

171

searching for changes

172

no changes found

172

no changes found

173

174

cacert mismatch

174

cacert mismatch

175

176

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

176

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

177

abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)

177

abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)

178

[255]

178

[255]

179

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

179

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

180

warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

180

warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

181

pulling from https://127.0.0.1:$HGPORT/

181

pulling from https://127.0.0.1:$HGPORT/

182

searching for changes

182

searching for changes

183

no changes found

183

no changes found

184

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem

184

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem

185

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

185

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

186

[255]

186

[255]

187

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

187

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

188

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

188

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

189

pulling from https://localhost:$HGPORT/

189

pulling from https://localhost:$HGPORT/

190

searching for changes

190

searching for changes

191

no changes found

191

no changes found

192

193

Test server cert which isn't valid yet

193

Test server cert which isn't valid yet

194

195

$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

195

$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

196

$ cat hg1.pid >> $DAEMON_PIDS

196

$ cat hg1.pid >> $DAEMON_PIDS

197

$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

197

$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

198

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

198

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

199

[255]

199

[255]

200

201

Test server cert which no longer is valid

201

Test server cert which no longer is valid

202

203

$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

203

$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

204

$ cat hg2.pid >> $DAEMON_PIDS

204

$ cat hg2.pid >> $DAEMON_PIDS

205

$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

205

$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

206

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

206

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

207

[255]

207

[255]

208

209

Fingerprints

209

Fingerprints

210

211

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

211

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

212

$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

212

$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

213

$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

213

$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

214

215

- works without cacerts

215

- works without cacerts

216

$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=

216

$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=

217

5fed3813f7f5

217

5fed3813f7f5

218

219

- fails when cert doesn't match hostname (port is ignored)

219

- fails when cert doesn't match hostname (port is ignored)

220

$ hg -R copy-pull id https://localhost:$HGPORT1/

220

$ hg -R copy-pull id https://localhost:$HGPORT1/

221

abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

221

abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

222

[255]

222

[255]

223

224

- ignores that certificate doesn't match hostname

224

- ignores that certificate doesn't match hostname

225

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/

225

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/

226

5fed3813f7f5

226

5fed3813f7f5

227

228

Prepare for connecting through proxy

228

Prepare for connecting through proxy

229

230

$ kill `cat hg1.pid`

230

$ kill `cat hg1.pid`

231

$ sleep 1

231

$ sleep 1

232

233

$ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &

233

$ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &

234

$ echo $! > proxy.pid)

234

$ echo $! > proxy.pid)

235

$ cat proxy.pid >> $DAEMON_PIDS

235

$ cat proxy.pid >> $DAEMON_PIDS

236

$ sleep 2

236

$ sleep 2

237

238

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

238

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

239

$ echo "always=True" >> copy-pull/.hg/hgrc

239

$ echo "always=True" >> copy-pull/.hg/hgrc

240

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

240

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

241

$ echo "localhost =" >> copy-pull/.hg/hgrc

241

$ echo "localhost =" >> copy-pull/.hg/hgrc

242

243

Test unvalidated https through proxy

243

Test unvalidated https through proxy

244

245

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

245

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

246

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

246

pulling from https://localhost:$HGPORT/

247

pulling from https://localhost:$HGPORT/

247

searching for changes

248

searching for changes

248

no changes found

249

no changes found

249

250

Test https with cacert and fingerprint through proxy

251

Test https with cacert and fingerprint through proxy

251

252

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

253

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

253

pulling from https://localhost:$HGPORT/

254

pulling from https://localhost:$HGPORT/

254

searching for changes

255

searching for changes

255

no changes found

256

no changes found

256

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

257

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

257

pulling from https://127.0.0.1:$HGPORT/

258

pulling from https://127.0.0.1:$HGPORT/

258

searching for changes

259

searching for changes

259

no changes found

260

no changes found

260

261

Test https with cert problems through proxy

262

Test https with cert problems through proxy

262

263

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

264

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

264

abort: error: ~~_ssl.c:499: error:14090086:SSL routines~~:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

265

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

265

[255]

266

[255]

266

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

267

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

267

abort: error: ~~_ssl.c:499: error:14090086:SSL routines~~:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

268

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

268

[255]

269

[255]

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             Proper https client requires the built-in ssl from Python 2.6.
               $ "$TESTDIR/hghave" ssl || exit 80
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             Test server address cannot be reused
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
               $ cd ..
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
               $ hg pull
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
               pulling from https://localhost:$HGPORT/
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P=`pwd` hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P=`pwd` hg -R copy-pull pull --insecure
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
               warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Fingerprints
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
               $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
             - works without cacerts
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
 fed3813f7f5
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/
               abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
 fed3813f7f5
             Prepare for connecting through proxy
               $ kill `cat hg1.pid`
               $ sleep 1
               $ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &
               $ echo $! > proxy.pid)
               $ cat proxy.pid >> $DAEMON_PIDS
               $ sleep 2
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
+              warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
-              abort: error: _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
+              abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
-              abort: error: _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
+              abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]