upstream/mercurial-mirror Commit - r25428:51e7acc3

1

#require serve ssl

1

#require serve ssl

2

3

Proper https client requires the built-in ssl from Python 2.6.

3

Proper https client requires the built-in ssl from Python 2.6.

4

5

Certificates created with:

5

Certificates created with:

6

printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

6

printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

7

openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

7

openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

8

Can be dumped with:

8

Can be dumped with:

9

openssl x509 -in pub.pem -text

9

openssl x509 -in pub.pem -text

10

11

$ cat << EOT > priv.pem

11

$ cat << EOT > priv.pem

12

> -----BEGIN PRIVATE KEY-----

12

> -----BEGIN PRIVATE KEY-----

13

> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

13

> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

14

> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

14

> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

15

> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

15

> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

16

> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

16

> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

17

> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

17

> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

18

> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

18

> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

19

> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

19

> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

20

> HY8gUVkVRVs=

20

> HY8gUVkVRVs=

21

> -----END PRIVATE KEY-----

21

> -----END PRIVATE KEY-----

22

> EOT

22

> EOT

23

24

$ cat << EOT > pub.pem

24

$ cat << EOT > pub.pem

25

> -----BEGIN CERTIFICATE-----

25

> -----BEGIN CERTIFICATE-----

26

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

26

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

27

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

27

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

28

> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

28

> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

29

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

29

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

30

> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

30

> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

31

> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

31

> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

32

> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

32

> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

33

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

33

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

34

> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

34

> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

35

> -----END CERTIFICATE-----

35

> -----END CERTIFICATE-----

36

> EOT

36

> EOT

37

$ cat priv.pem pub.pem >> server.pem

37

$ cat priv.pem pub.pem >> server.pem

38

$ PRIV=`pwd`/server.pem

38

$ PRIV=`pwd`/server.pem

39

40

$ cat << EOT > pub-other.pem

40

$ cat << EOT > pub-other.pem

41

> -----BEGIN CERTIFICATE-----

41

> -----BEGIN CERTIFICATE-----

42

> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

42

> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

43

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

43

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

44

> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

44

> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

45

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

45

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

46

> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

46

> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

47

> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

47

> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

48

> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

48

> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

49

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

49

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

50

> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

50

> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

51

> -----END CERTIFICATE-----

51

> -----END CERTIFICATE-----

52

> EOT

52

> EOT

53

54

pub.pem patched with other notBefore / notAfter:

54

pub.pem patched with other notBefore / notAfter:

55

56

$ cat << EOT > pub-not-yet.pem

56

$ cat << EOT > pub-not-yet.pem

57

> -----BEGIN CERTIFICATE-----

57

> -----BEGIN CERTIFICATE-----

58

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

58

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

59

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

59

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

60

> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

60

> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

61

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

61

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

62

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

62

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

63

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

63

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

64

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

64

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

65

> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

65

> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

66

> -----END CERTIFICATE-----

66

> -----END CERTIFICATE-----

67

> EOT

67

> EOT

68

$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

68

$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

69

70

$ cat << EOT > pub-expired.pem

70

$ cat << EOT > pub-expired.pem

71

> -----BEGIN CERTIFICATE-----

71

> -----BEGIN CERTIFICATE-----

72

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

72

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

73

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

73

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

74

> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

74

> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

75

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

75

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

76

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

76

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

77

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

77

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

78

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

78

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

79

> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

79

> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

80

> -----END CERTIFICATE-----

80

> -----END CERTIFICATE-----

81

> EOT

81

> EOT

82

$ cat priv.pem pub-expired.pem > server-expired.pem

82

$ cat priv.pem pub-expired.pem > server-expired.pem

83

84

Client certificates created with:

84

Client certificates created with:

85

openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512

85

openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512

86

openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

86

openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

87

printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \

87

printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \

88

openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem

88

openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem

89

openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \

89

openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \

90

-set_serial 01 -out client-cert.pem

90

-set_serial 01 -out client-cert.pem

91

92

$ cat << EOT > client-key.pem

92

$ cat << EOT > client-key.pem

93

> -----BEGIN RSA PRIVATE KEY-----

93

> -----BEGIN RSA PRIVATE KEY-----

94

> Proc-Type: 4,ENCRYPTED

94

> Proc-Type: 4,ENCRYPTED

95

> DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8

95

> DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8

96

>

96

>

97

> JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF

97

> JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF

98

> BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS

98

> BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS

99

> jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7

99

> jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7

100

> Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2

100

> Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2

101

> u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/

101

> u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/

102

> CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl

102

> CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl

103

> bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=

103

> bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=

104

> -----END RSA PRIVATE KEY-----

104

> -----END RSA PRIVATE KEY-----

105

> EOT

105

> EOT

106

107

$ cat << EOT > client-key-decrypted.pem

107

$ cat << EOT > client-key-decrypted.pem

108

> -----BEGIN RSA PRIVATE KEY-----

108

> -----BEGIN RSA PRIVATE KEY-----

109

> MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb

109

> MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb

110

> FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6

110

> FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6

111

> AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT

111

> AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT

112

> AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop

112

> AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop

113

> 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5

113

> 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5

114

> +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01

114

> +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01

115

> mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY

115

> mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY

116

> -----END RSA PRIVATE KEY-----

116

> -----END RSA PRIVATE KEY-----

117

> EOT

117

> EOT

118

119

$ cat << EOT > client-cert.pem

119

$ cat << EOT > client-cert.pem

120

> -----BEGIN CERTIFICATE-----

120

> -----BEGIN CERTIFICATE-----

121

> MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx

121

> MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx

122

> GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z

122

> GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z

123

> OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv

123

> OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv

124

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH

124

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH

125

> R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB

125

> R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB

126

> MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/

126

> MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/

127

> NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==

127

> NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==

128

> -----END CERTIFICATE-----

128

> -----END CERTIFICATE-----

129

> EOT

129

> EOT

130

131

$ hg init test

131

$ hg init test

132

$ cd test

132

$ cd test

133

$ echo foo>foo

133

$ echo foo>foo

134

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

134

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

135

$ echo foo>foo.d/foo

135

$ echo foo>foo.d/foo

136

$ echo bar>foo.d/bAr.hg.d/BaR

136

$ echo bar>foo.d/bAr.hg.d/BaR

137

$ echo bar>foo.d/baR.d.hg/bAR

137

$ echo bar>foo.d/baR.d.hg/bAR

138

$ hg commit -A -m 1

138

$ hg commit -A -m 1

139

adding foo

139

adding foo

140

adding foo.d/bAr.hg.d/BaR

140

adding foo.d/bAr.hg.d/BaR

141

adding foo.d/baR.d.hg/bAR

141

adding foo.d/baR.d.hg/bAR

142

adding foo.d/foo

142

adding foo.d/foo

143

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

143

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

144

$ cat ../hg0.pid >> $DAEMON_PIDS

144

$ cat ../hg0.pid >> $DAEMON_PIDS

145

146

cacert not found

146

cacert not found

147

148

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

148

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

149

abort: could not find web.cacerts: no-such.pem

149

abort: could not find web.cacerts: no-such.pem

150

[255]

150

[255]

151

152

Test server address cannot be reused

152

Test server address cannot be reused

153

154

#if windows

154

#if windows

155

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

155

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

156

abort: cannot start server at ':$HGPORT':

156

abort: cannot start server at ':$HGPORT':

157

[255]

157

[255]

158

#else

158

#else

159

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

159

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

160

abort: cannot start server at ':$HGPORT': Address already in use

160

abort: cannot start server at ':$HGPORT': Address already in use

161

[255]

161

[255]

162

#endif

162

#endif

163

$ cd ..

163

$ cd ..

164

165

OS X has a dummy CA cert that enables use of the system CA store when using

165

OS X has a dummy CA cert that enables use of the system CA store when using

166

Apple's OpenSSL. This trick do not work with plain OpenSSL.

166

Apple's OpenSSL. This trick do not work with plain OpenSSL.

167

168

$ DISABLEOSXDUMMYCERT=

168

$ DISABLEOSXDUMMYCERT=

169

#if defaultcacerts

169

#if defaultcacerts

170

$ hg clone https://localhost:$HGPORT/ copy-pull

170

$ hg clone https://localhost:$HGPORT/ copy-pull

171

abort: error: *certificate verify failed* (glob)

171

abort: error: *certificate verify failed* (glob)

172

[255]

172

[255]

173

174

$ DISABLEOSXDUMMYCERT="--config=web.cacerts=!"

174

$ DISABLEOSXDUMMYCERT="--config=web.cacerts=!"

175

#endif

175

#endif

176

177

clone via pull

177

clone via pull

178

179

$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT

179

$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT

180

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

180

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

181

requesting all changes

181

requesting all changes

182

adding changesets

182

adding changesets

183

adding manifests

183

adding manifests

184

adding file changes

184

adding file changes

185

added 1 changesets with 4 changes to 4 files

185

added 1 changesets with 4 changes to 4 files

186

updating to branch default

186

updating to branch default

187

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

187

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

188

$ hg verify -R copy-pull

188

$ hg verify -R copy-pull

189

checking changesets

189

checking changesets

190

checking manifests

190

checking manifests

191

crosschecking files in changesets and manifests

191

crosschecking files in changesets and manifests

192

checking files

192

checking files

193

4 files, 1 changesets, 4 total revisions

193

4 files, 1 changesets, 4 total revisions

194

$ cd test

194

$ cd test

195

$ echo bar > bar

195

$ echo bar > bar

196

$ hg commit -A -d '1 0' -m 2

196

$ hg commit -A -d '1 0' -m 2

197

adding bar

197

adding bar

198

$ cd ..

198

$ cd ..

199

200

pull without cacert

200

pull without cacert

201

202

$ cd copy-pull

202

$ cd copy-pull

203

$ echo '[hooks]' >> .hg/hgrc

203

$ echo '[hooks]' >> .hg/hgrc

204

$ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc

204

$ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc

205

$ hg pull $DISABLEOSXDUMMYCERT

205

$ hg pull $DISABLEOSXDUMMYCERT

206

pulling from https://localhost:$HGPORT/

206

pulling from https://localhost:$HGPORT/

207

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

207

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

208

searching for changes

208

searching for changes

209

adding changesets

209

adding changesets

210

adding manifests

210

adding manifests

211

adding file changes

211

adding file changes

212

added 1 changesets with 1 changes to 1 files

212

added 1 changesets with 1 changes to 1 files

213

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)

213

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)

214

(run 'hg update' to get a working copy)

214

(run 'hg update' to get a working copy)

215

$ cd ..

215

$ cd ..

216

217

cacert configured in local repo

217

cacert configured in local repo

218

219

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

219

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

220

$ echo "[web]" >> copy-pull/.hg/hgrc

220

$ echo "[web]" >> copy-pull/.hg/hgrc

221

$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

221

$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

222

$ hg -R copy-pull pull --traceback

222

$ hg -R copy-pull pull --traceback

223

pulling from https://localhost:$HGPORT/

223

pulling from https://localhost:$HGPORT/

224

searching for changes

224

searching for changes

225

no changes found

225

no changes found

226

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

226

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

227

228

cacert configured globally, also testing expansion of environment

228

cacert configured globally, also testing expansion of environment

229

variables in the filename

229

variables in the filename

230

231

$ echo "[web]" >> $HGRCPATH

231

$ echo "[web]" >> $HGRCPATH

232

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

232

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

233

$ P=`pwd` hg -R copy-pull pull

233

$ P=`pwd` hg -R copy-pull pull

234

pulling from https://localhost:$HGPORT/

234

pulling from https://localhost:$HGPORT/

235

searching for changes

235

searching for changes

236

no changes found

236

no changes found

237

$ P=`pwd` hg -R copy-pull pull --insecure

237

$ P=`pwd` hg -R copy-pull pull --insecure

238

pulling from https://localhost:$HGPORT/

238

pulling from https://localhost:$HGPORT/

239

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

239

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

240

searching for changes

240

searching for changes

241

no changes found

241

no changes found

242

243

cacert mismatch

243

cacert mismatch

244

245

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

245

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

246

pulling from https://127.0.0.1:$HGPORT/

246

pulling from https://127.0.0.1:$HGPORT/

247

abort: 127.0.0.1 certificate error: certificate is for localhost

247

abort: 127.0.0.1 certificate error: certificate is for localhost

248

(configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)

248

(configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)

249

[255]

249

[255]

250

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

250

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

251

pulling from https://127.0.0.1:$HGPORT/

251

pulling from https://127.0.0.1:$HGPORT/

252

warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

252

warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

253

searching for changes

253

searching for changes

254

no changes found

254

no changes found

255

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem

255

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem

256

pulling from https://localhost:$HGPORT/

256

pulling from https://localhost:$HGPORT/

257

abort: error: *certificate verify failed* (glob)

257

abort: error: *certificate verify failed* (glob)

258

[255]

258

[255]

259

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

259

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

260

pulling from https://localhost:$HGPORT/

260

pulling from https://localhost:$HGPORT/

261

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

261

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

262

searching for changes

262

searching for changes

263

no changes found

263

no changes found

264

265

Test server cert which isn't valid yet

265

Test server cert which isn't valid yet

266

267

$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

267

$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

268

$ cat hg1.pid >> $DAEMON_PIDS

268

$ cat hg1.pid >> $DAEMON_PIDS

269

$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

269

$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

270

pulling from https://localhost:$HGPORT1/

270

pulling from https://localhost:$HGPORT1/

271

abort: error: *certificate verify failed* (glob)

271

abort: error: *certificate verify failed* (glob)

272

[255]

272

[255]

273

274

Test server cert which no longer is valid

274

Test server cert which no longer is valid

275

276

$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

276

$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

277

$ cat hg2.pid >> $DAEMON_PIDS

277

$ cat hg2.pid >> $DAEMON_PIDS

278

$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

278

$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

279

pulling from https://localhost:$HGPORT2/

279

pulling from https://localhost:$HGPORT2/

280

abort: error: *certificate verify failed* (glob)

280

abort: error: *certificate verify failed* (glob)

281

[255]

281

[255]

282

283

Fingerprints

283

Fingerprints

284

285

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

285

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

286

$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

286

$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

287

$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

287

$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

288

289

- works without cacerts

289

- works without cacerts

290

$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!

290

$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!

291

5fed3813f7f5

291

5fed3813f7f5

292

293

- fails when cert doesn't match hostname (port is ignored)

293

- fails when cert doesn't match hostname (port is ignored)

294

$ hg -R copy-pull id https://localhost:$HGPORT1/

294

$ hg -R copy-pull id https://localhost:$HGPORT1/

295

abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

295

abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

296

(check hostfingerprint configuration)

296

(check hostfingerprint configuration)

297

[255]

297

[255]

298

299

300

- ignores that certificate doesn't match hostname

300

- ignores that certificate doesn't match hostname

301

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/

301

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/

302

5fed3813f7f5

302

5fed3813f7f5

303

304

HGPORT1 is reused below for tinyproxy tests. Kill that server.

304

HGPORT1 is reused below for tinyproxy tests. Kill that server.

305

$ "$TESTDIR/killdaemons.py" hg1.pid

305

$ "$TESTDIR/killdaemons.py" hg1.pid

306

307

Prepare for connecting through proxy

307

Prepare for connecting through proxy

308

309

$ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

309

$ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

310

$ while [ ! -f proxy.pid ]; do sleep 0; done

310

$ while [ ! -f proxy.pid ]; do sleep 0; done

311

$ cat proxy.pid >> $DAEMON_PIDS

311

$ cat proxy.pid >> $DAEMON_PIDS

312

313

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

313

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

314

$ echo "always=True" >> copy-pull/.hg/hgrc

314

$ echo "always=True" >> copy-pull/.hg/hgrc

315

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

315

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

316

$ echo "localhost =" >> copy-pull/.hg/hgrc

316

$ echo "localhost =" >> copy-pull/.hg/hgrc

317

318

Test unvalidated https through proxy

318

Test unvalidated https through proxy

319

320

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

320

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

321

pulling from https://localhost:$HGPORT/

321

pulling from https://localhost:$HGPORT/

322

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

322

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

323

searching for changes

323

searching for changes

324

no changes found

324

no changes found

325

326

Test https with cacert and fingerprint through proxy

326

Test https with cacert and fingerprint through proxy

327

328

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

328

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

329

pulling from https://localhost:$HGPORT/

329

pulling from https://localhost:$HGPORT/

330

searching for changes

330

searching for changes

331

no changes found

331

no changes found

332

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

332

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

333

pulling from https://127.0.0.1:$HGPORT/

333

pulling from https://127.0.0.1:$HGPORT/

334

searching for changes

334

searching for changes

335

no changes found

335

no changes found

336

337

Test https with cert problems through proxy

337

Test https with cert problems through proxy

338

339

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

339

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

340

pulling from https://localhost:$HGPORT/

340

pulling from https://localhost:$HGPORT/

341

abort: error: *certificate verify failed* (glob)

341

abort: error: *certificate verify failed* (glob)

342

[255]

342

[255]

343

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

343

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

344

pulling from https://localhost:$HGPORT2/

344

pulling from https://localhost:$HGPORT2/

345

abort: error: *certificate verify failed* (glob)

345

abort: error: *certificate verify failed* (glob)

346

[255]

346

[255]

347

348

349

$ "$TESTDIR/killdaemons.py" $~~DAEMON_PIDS~~

349

$ "$TESTDIR/killdaemons.py" hg0.pid

350

351

#if sslcontext

351

#if sslcontext

352

353

Start patched hgweb that requires client certificates:

353

Start patched hgweb that requires client certificates:

354

355

$ cat << EOT > reqclientcert.py

355

$ cat << EOT > reqclientcert.py

356

> import ssl

356

> import ssl

357

> from mercurial.hgweb import server

357

> from mercurial.hgweb import server

358

> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):

358

> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):

359

> @staticmethod

359

> @staticmethod

360

> def preparehttpserver(httpserver, ssl_cert):

360

> def preparehttpserver(httpserver, ssl_cert):

361

> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

361

> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

362

> sslcontext.verify_mode = ssl.CERT_REQUIRED

362

> sslcontext.verify_mode = ssl.CERT_REQUIRED

363

> sslcontext.load_cert_chain(ssl_cert)

363

> sslcontext.load_cert_chain(ssl_cert)

364

> # verify clients by server certificate

364

> # verify clients by server certificate

365

> sslcontext.load_verify_locations(ssl_cert)

365

> sslcontext.load_verify_locations(ssl_cert)

366

> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,

366

> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,

367

> server_side=True)

367

> server_side=True)

368

> server._httprequesthandlerssl = _httprequesthandlersslclientcert

368

> server._httprequesthandlerssl = _httprequesthandlersslclientcert

369

> EOT

369

> EOT

370

$ cd test

370

$ cd test

371

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \

371

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \

372

> --config extensions.reqclientcert=../reqclientcert.py

372

> --config extensions.reqclientcert=../reqclientcert.py

373

$ cat ../hg0.pid >> $DAEMON_PIDS

373

$ cat ../hg0.pid >> $DAEMON_PIDS

374

$ cd ..

374

$ cd ..

375

376

without client certificate:

376

without client certificate:

377

378

$ P=`pwd` hg id https://localhost:$HGPORT/

378

$ P=`pwd` hg id https://localhost:$HGPORT/

379

abort: error: *handshake failure* (glob)

379

abort: error: *handshake failure* (glob)

380

[255]

380

[255]

381

382

with client certificate:

382

with client certificate:

383

384

$ cat << EOT >> $HGRCPATH

384

$ cat << EOT >> $HGRCPATH

385

> [auth]

385

> [auth]

386

> l.prefix = localhost

386

> l.prefix = localhost

387

> l.cert = client-cert.pem

387

> l.cert = client-cert.pem

388

> l.key = client-key.pem

388

> l.key = client-key.pem

389

> EOT

389

> EOT

390

391

$ P=`pwd` hg id https://localhost:$HGPORT/ \

391

$ P=`pwd` hg id https://localhost:$HGPORT/ \

392

> --config auth.l.key=client-key-decrypted.pem

392

> --config auth.l.key=client-key-decrypted.pem

393

5fed3813f7f5

393

5fed3813f7f5

394

395

$ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \

395

$ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \

396

> --config ui.interactive=True --config ui.nontty=True

396

> --config ui.interactive=True --config ui.nontty=True

397

passphrase for client-key.pem: 5fed3813f7f5

397

passphrase for client-key.pem: 5fed3813f7f5

398

399

$ env P=`pwd` hg id https://localhost:$HGPORT/

399

$ env P=`pwd` hg id https://localhost:$HGPORT/

400

abort: error: * (glob)

400

abort: error: * (glob)

401

[255]

401

[255]

402

403

#endif

403

#endif

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #require serve ssl
             Proper https client requires the built-in ssl from Python 2.6.
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
             Client certificates created with:
              openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
              openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
              printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
              openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
              openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
              -set_serial 01 -out client-cert.pem
               $ cat << EOT > client-key.pem
               > -----BEGIN RSA PRIVATE KEY-----
               > Proc-Type: 4,ENCRYPTED
               > DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
               >
               > JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
               > BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
               > jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
               > Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
               > u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
               > CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
               > bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
               > -----END RSA PRIVATE KEY-----
               > EOT
               $ cat << EOT > client-key-decrypted.pem
               > -----BEGIN RSA PRIVATE KEY-----
               > MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
               > FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
               > AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
               > AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
               > 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
               > +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
               > mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
               > -----END RSA PRIVATE KEY-----
               > EOT
               $ cat << EOT > client-cert.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
               > GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
               > OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
               > R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
               > MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
               > NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
               > -----END CERTIFICATE-----
               > EOT
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
             #if windows
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT':
               [255]
             #else
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
             #endif
               $ cd ..
             OS X has a dummy CA cert that enables use of the system CA store when using
             Apple's OpenSSL. This trick do not work with plain OpenSSL.
               $ DISABLEOSXDUMMYCERT=
             #if defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               abort: error: *certificate verify failed* (glob)
               [255]
               $ DISABLEOSXDUMMYCERT="--config=web.cacerts=!"
             #endif
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc
               $ hg pull $DISABLEOSXDUMMYCERT
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P=`pwd` hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P=`pwd` hg -R copy-pull pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
               pulling from https://127.0.0.1:$HGPORT/
               warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               pulling from https://localhost:$HGPORT1/
               abort: error: *certificate verify failed* (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
             Fingerprints
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
               $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
             - works without cacerts
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
 fed3813f7f5
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/
               abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
               (check hostfingerprint configuration)
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
 fed3813f7f5
             HGPORT1 is reused below for tinyproxy tests. Kill that server.
               $ "$TESTDIR/killdaemons.py" hg1.pid
             Prepare for connecting through proxy
               $ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
               $ while [ ! -f proxy.pid ]; do sleep 0; done
               $ cat proxy.pid >> $DAEMON_PIDS
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               pulling from https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
-              $ "$TESTDIR/killdaemons.py" $DAEMON_PIDS
+              $ "$TESTDIR/killdaemons.py" hg0.pid
             #if sslcontext
             Start patched hgweb that requires client certificates:
               $ cat << EOT > reqclientcert.py
               > import ssl
               > from mercurial.hgweb import server
               > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
               >     @staticmethod
               >     def preparehttpserver(httpserver, ssl_cert):
               >         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
               >         sslcontext.verify_mode = ssl.CERT_REQUIRED
               >         sslcontext.load_cert_chain(ssl_cert)
               >         # verify clients by server certificate
               >         sslcontext.load_verify_locations(ssl_cert)
               >         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
               >                                                    server_side=True)
               > server._httprequesthandlerssl = _httprequesthandlersslclientcert
               > EOT
               $ cd test
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
               > --config extensions.reqclientcert=../reqclientcert.py
               $ cat ../hg0.pid >> $DAEMON_PIDS
               $ cd ..
             without client certificate:
               $ P=`pwd` hg id https://localhost:$HGPORT/
               abort: error: *handshake failure* (glob)
               [255]
             with client certificate:
               $ cat << EOT >> $HGRCPATH
               > [auth]
               > l.prefix = localhost
               > l.cert = client-cert.pem
               > l.key = client-key.pem
               > EOT
               $ P=`pwd` hg id https://localhost:$HGPORT/ \
               > --config auth.l.key=client-key-decrypted.pem
 fed3813f7f5
               $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \
               > --config ui.interactive=True --config ui.nontty=True
               passphrase for client-key.pem: 5fed3813f7f5
               $ env P=`pwd` hg id https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif