sslutil: remove dead code (that downgraded default minimum TLS version)...
Manuel Jacob -
r45431:5921dc0d default
@@ -102,27 +102,14 b' def _hostsettings(ui, hostname):'
102 % b' '.join(sorted(configprotocols)),
102 % b' '.join(sorted(configprotocols)),
103 )
103 )
104
104
105 # We default to TLS 1.1+ where we can because TLS 1.0 has known
105 # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
106 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
106 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
107 # TLS 1.0+ via config options in case a legacy server is encountered.
107 # options in case a legacy server is encountered.
108 if supportedprotocols - {b'tls1.0'}:
108
109 defaultminimumprotocol = b'tls1.1'
109 # setup.py checks that either TLS 1.1 or TLS 1.2 is present, so the
110 else:
110 # following assert should not fail.
111 # Let people know they are borderline secure.
111 assert supportedprotocols - {b'tls1.0'}
112 # We don't document this config option because we want people to see
112 defaultminimumprotocol = b'tls1.1'
113 # the bold warnings on the web site.
114 # internal config: hostsecurity.disabletls10warning
115 if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
116 ui.warn(
117 _(
118 b'warning: connecting to %s using legacy security '
119 b'technology (TLS 1.0); see '
120 b'https://mercurial-scm.org/wiki/SecureConnections for '
121 b'more info\n'
122 )
123 % bhostname
124 )
125 defaultminimumprotocol = b'tls1.0'
126
113
127 key = b'minimumprotocol'
114 key = b'minimumprotocol'
128 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol)
115 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol)
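Review bot: The new `assert supportedprotocols - {b'tls1.0'}` at line 111 is a runtime environment check expressed as an assert, so it silently disappears under `python -O` and the code then sets `defaultminimumprotocol = b'tls1.1'` without having verified that TLS 1.1 or 1.2 is actually available. The comment above it defers to a setup.py check, but that (not visible here) runs at build time, and the `ssl` module linked at runtime can differ from the one probed at build time, e.g. after a system OpenSSL change; an explicit `if not (supportedprotocols - {b'tls1.0'}):` followed by raising the project's usual abort error would fail loudly in that case. The removed branch was also the only reader of `hostsecurity.disabletls10warning` in this hunk; if that item is still registered elsewhere it is now a no-op and could be retired in the same change, though that cannot be confirmed from this page. `_hostsettings` begins before and continues after this hunk.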
@@ -34,7 +34,6 b' Make server certificates:'
34 cacert not found
34 cacert not found
35
35
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
38 abort: could not find web.cacerts: no-such.pem
37 abort: could not find web.cacerts: no-such.pem
39 [255]
38 [255]
40
39
@@ -58,7 +57,6 b' we are able to load CA certs.'
58
57
59 #if defaultcacertsloaded
58 #if defaultcacertsloaded
60 $ hg clone https://localhost:$HGPORT/ copy-pull
59 $ hg clone https://localhost:$HGPORT/ copy-pull
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
62 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
60 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
63 abort: error: *certificate verify failed* (glob)
61 abort: error: *certificate verify failed* (glob)
64 [255]
62 [255]
@@ -68,7 +66,6 b' Specifying a per-host certificate file t'
68 C:/path/to/msysroot will print on Windows.
66 C:/path/to/msysroot will print on Windows.
69
67
70 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
68 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
71 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
72 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
69 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
73 [255]
70 [255]
74
71
@@ -76,7 +73,6 b' A malformed per-host certificate file wi'
76
73
77 $ echo baddata > badca.pem
74 $ echo baddata > badca.pem
78 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
75 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
79 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
80 abort: error loading CA file badca.pem: * (glob)
76 abort: error loading CA file badca.pem: * (glob)
81 (file is empty or malformed?)
77 (file is empty or malformed?)
82 [255]
78 [255]
@@ -85,7 +81,6 b' A per-host certificate mismatching the s'
85
81
86 (modern ssl is able to discern whether the loaded cert is a CA cert)
82 (modern ssl is able to discern whether the loaded cert is a CA cert)
87 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
88 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
89 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
90 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
91 abort: error: *certificate verify failed* (glob)
86 abort: error: *certificate verify failed* (glob)
@@ -94,7 +89,6 b' A per-host certificate mismatching the s'
94 A per-host certificate matching the server's cert will be accepted
89 A per-host certificate matching the server's cert will be accepted
95
90
96 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
97 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
98 requesting all changes
92 requesting all changes
99 adding changesets
93 adding changesets
100 adding manifests
94 adding manifests
@@ -106,7 +100,6 b' A per-host certificate with multiple cer'
106
100
107 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
101 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
108 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
102 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
109 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
110 requesting all changes
103 requesting all changes
111 adding changesets
104 adding changesets
112 adding manifests
105 adding manifests
@@ -117,7 +110,6 b' A per-host certificate with multiple cer'
117 Defining both per-host certificate and a fingerprint will print a warning
110 Defining both per-host certificate and a fingerprint will print a warning
118
111
119 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
112 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
120 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
121 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
113 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
122 requesting all changes
114 requesting all changes
123 adding changesets
115 adding changesets
@@ -131,13 +123,11 b' Defining both per-host certificate and a'
131 Inability to verify peer certificate will result in abort
123 Inability to verify peer certificate will result in abort
132
124
133 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
134 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
135 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
136 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
137 [255]
128 [255]
138
129
139 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
140 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
141 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
142 requesting all changes
132 requesting all changes
143 adding changesets
133 adding changesets
@@ -168,14 +158,12 b' pull without cacert'
168 > EOF
158 > EOF
169 $ hg pull $DISABLECACERTS
159 $ hg pull $DISABLECACERTS
170 pulling from https://localhost:$HGPORT/
160 pulling from https://localhost:$HGPORT/
171 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
172 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
173 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
174 [255]
163 [255]
175
164
176 $ hg pull --insecure
165 $ hg pull --insecure
177 pulling from https://localhost:$HGPORT/
166 pulling from https://localhost:$HGPORT/
178 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
179 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
180 searching for changes
168 searching for changes
181 adding changesets
169 adding changesets
@@ -203,7 +191,6 b' cacert configured in local repo'
203 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
191 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
204 $ hg -R copy-pull pull
192 $ hg -R copy-pull pull
205 pulling from https://localhost:$HGPORT/
193 pulling from https://localhost:$HGPORT/
206 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
207 searching for changes
194 searching for changes
208 no changes found
195 no changes found
209 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
196 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
@@ -215,12 +202,10 b' variables in the filename'
215 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
202 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
216 $ P="$CERTSDIR" hg -R copy-pull pull
203 $ P="$CERTSDIR" hg -R copy-pull pull
217 pulling from https://localhost:$HGPORT/
204 pulling from https://localhost:$HGPORT/
218 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
219 searching for changes
205 searching for changes
220 no changes found
206 no changes found
221 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
207 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
222 pulling from https://localhost:$HGPORT/
208 pulling from https://localhost:$HGPORT/
223 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
224 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
209 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
225 searching for changes
210 searching for changes
226 no changes found
211 no changes found
@@ -231,7 +216,6 b' empty cacert file'
231
216
232 $ hg --config web.cacerts=emptycafile -R copy-pull pull
217 $ hg --config web.cacerts=emptycafile -R copy-pull pull
233 pulling from https://localhost:$HGPORT/
218 pulling from https://localhost:$HGPORT/
234 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
235 abort: error loading CA file emptycafile: * (glob)
219 abort: error loading CA file emptycafile: * (glob)
236 (file is empty or malformed?)
220 (file is empty or malformed?)
237 [255]
221 [255]
@@ -241,27 +225,23 b' cacert mismatch'
241 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
242 > https://$LOCALIP:$HGPORT/
226 > https://$LOCALIP:$HGPORT/
243 pulling from https://*:$HGPORT/ (glob)
227 pulling from https://*:$HGPORT/ (glob)
244 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
245 abort: $LOCALIP certificate error: certificate is for localhost (glob)
228 abort: $LOCALIP certificate error: certificate is for localhost (glob)
246 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
247 [255]
230 [255]
248 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
249 > https://$LOCALIP:$HGPORT/ --insecure
232 > https://$LOCALIP:$HGPORT/ --insecure
250 pulling from https://*:$HGPORT/ (glob)
233 pulling from https://*:$HGPORT/ (glob)
251 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
252 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
253 searching for changes
235 searching for changes
254 no changes found
236 no changes found
255 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
256 pulling from https://localhost:$HGPORT/
238 pulling from https://localhost:$HGPORT/
257 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
258 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
239 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
259 abort: error: *certificate verify failed* (glob)
240 abort: error: *certificate verify failed* (glob)
260 [255]
241 [255]
261 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
262 > --insecure
243 > --insecure
263 pulling from https://localhost:$HGPORT/
244 pulling from https://localhost:$HGPORT/
264 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
265 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
245 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
266 searching for changes
246 searching for changes
267 no changes found
247 no changes found
@@ -273,7 +253,6 b" Test server cert which isn't valid yet"
273 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
253 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
274 > https://localhost:$HGPORT1/
254 > https://localhost:$HGPORT1/
275 pulling from https://localhost:$HGPORT1/
255 pulling from https://localhost:$HGPORT1/
276 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
277 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
256 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
278 abort: error: *certificate verify failed* (glob)
257 abort: error: *certificate verify failed* (glob)
279 [255]
258 [255]
@@ -285,7 +264,6 b' Test server cert which no longer is vali'
285 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
264 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
286 > https://localhost:$HGPORT2/
265 > https://localhost:$HGPORT2/
287 pulling from https://localhost:$HGPORT2/
266 pulling from https://localhost:$HGPORT2/
288 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
289 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
267 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
290 abort: error: *certificate verify failed* (glob)
268 abort: error: *certificate verify failed* (glob)
291 [255]
269 [255]
@@ -298,13 +276,11 b' Disabling the TLS 1.0 warning works'
298
276
299 Setting ciphers to an invalid value aborts
277 Setting ciphers to an invalid value aborts
300 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
278 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
301 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
302 abort: could not set ciphers: No cipher can be selected.
279 abort: could not set ciphers: No cipher can be selected.
303 (change cipher string (invalid) in config)
280 (change cipher string (invalid) in config)
304 [255]
281 [255]
305
282
306 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
283 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
307 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
308 abort: could not set ciphers: No cipher can be selected.
284 abort: could not set ciphers: No cipher can be selected.
309 (change cipher string (invalid) in config)
285 (change cipher string (invalid) in config)
310 [255]
286 [255]
@@ -312,63 +288,52 b' Setting ciphers to an invalid value abor'
312 Changing the cipher string works
288 Changing the cipher string works
313
289
314 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
290 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
316 5fed3813f7f5
291 5fed3813f7f5
317
292
318 Fingerprints
293 Fingerprints
319
294
320 - works without cacerts (hostfingerprints)
295 - works without cacerts (hostfingerprints)
321 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
296 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
322 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
323 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
297 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
324 5fed3813f7f5
298 5fed3813f7f5
325
299
326 - works without cacerts (hostsecurity)
300 - works without cacerts (hostsecurity)
327 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
301 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
328 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
329 5fed3813f7f5
302 5fed3813f7f5
330
303
331 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
304 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
332 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
333 5fed3813f7f5
305 5fed3813f7f5
334
306
335 - multiple fingerprints specified and first matches
307 - multiple fingerprints specified and first matches
336 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
308 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
337 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
338 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
309 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
339 5fed3813f7f5
310 5fed3813f7f5
340
311
341 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
312 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
342 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
343 5fed3813f7f5
313 5fed3813f7f5
344
314
345 - multiple fingerprints specified and last matches
315 - multiple fingerprints specified and last matches
346 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
316 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
347 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
348 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
317 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
349 5fed3813f7f5
318 5fed3813f7f5
350
319
351 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
320 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
353 5fed3813f7f5
321 5fed3813f7f5
354
322
355 - multiple fingerprints specified and none match
323 - multiple fingerprints specified and none match
356
324
357 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
325 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
358 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
359 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
326 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
360 (check hostfingerprint configuration)
327 (check hostfingerprint configuration)
361 [255]
328 [255]
362
329
363 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
330 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
364 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
365 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
331 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
366 (check hostsecurity configuration)
332 (check hostsecurity configuration)
367 [255]
333 [255]
368
334
369 - fails when cert doesn't match hostname (port is ignored)
335 - fails when cert doesn't match hostname (port is ignored)
370 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
336 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
371 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
372 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
337 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
373 (check hostfingerprint configuration)
338 (check hostfingerprint configuration)
374 [255]
339 [255]
@@ -376,7 +341,6 b' Fingerprints'
376
341
377 - ignores that certificate doesn't match hostname
342 - ignores that certificate doesn't match hostname
378 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
343 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
379 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
380 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
344 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
381 5fed3813f7f5
345 5fed3813f7f5
382
346
@@ -500,7 +464,6 b' Test unvalidated https through proxy'
500
464
501 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
465 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
502 pulling from https://localhost:$HGPORT/
466 pulling from https://localhost:$HGPORT/
503 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
504 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
467 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
505 searching for changes
468 searching for changes
506 no changes found
469 no changes found
@@ -510,12 +473,10 b' Test https with cacert and fingerprint t'
510 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
473 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
511 > --config web.cacerts="$CERTSDIR/pub.pem"
474 > --config web.cacerts="$CERTSDIR/pub.pem"
512 pulling from https://localhost:$HGPORT/
475 pulling from https://localhost:$HGPORT/
513 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
514 searching for changes
476 searching for changes
515 no changes found
477 no changes found
516 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
478 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
517 pulling from https://*:$HGPORT/ (glob)
479 pulling from https://*:$HGPORT/ (glob)
518 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
519 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
480 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
520 searching for changes
481 searching for changes
521 no changes found
482 no changes found
@@ -525,14 +486,12 b' Test https with cert problems through pr'
525 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
486 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
526 > --config web.cacerts="$CERTSDIR/pub-other.pem"
487 > --config web.cacerts="$CERTSDIR/pub-other.pem"
527 pulling from https://localhost:$HGPORT/
488 pulling from https://localhost:$HGPORT/
528 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
529 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
489 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
530 abort: error: *certificate verify failed* (glob)
490 abort: error: *certificate verify failed* (glob)
531 [255]
491 [255]
532 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
492 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
533 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
493 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
534 pulling from https://localhost:$HGPORT2/
494 pulling from https://localhost:$HGPORT2/
535 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
536 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
495 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
537 abort: error: *certificate verify failed* (glob)
496 abort: error: *certificate verify failed* (glob)
538 [255]
497 [255]
@@ -564,7 +523,6 b' Start hgweb that requires client certifi'
564 without client certificate:
523 without client certificate:
565
524
566 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
525 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
567 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
568 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
526 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
569 [255]
527 [255]
570
528
@@ -579,16 +537,13 b' with client certificate:'
579
537
580 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
538 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
581 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
539 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
582 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
583 5fed3813f7f5
540 5fed3813f7f5
584
541
585 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
542 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
586 > --config ui.interactive=True --config ui.nontty=True
543 > --config ui.interactive=True --config ui.nontty=True
587 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
588 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
544 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
589
545
590 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
546 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
592 abort: error: * (glob)
547 abort: error: * (glob)
593 [255]
548 [255]
594
549
@@ -54,7 +54,6 b' we are able to load CA certs:'
54 this patch series consists of 1 patches.
54 this patch series consists of 1 patches.
55
55
56
56
57 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
58 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
57 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
59 (?i)abort: .*?certificate.verify.failed.* (re)
58 (?i)abort: .*?certificate.verify.failed.* (re)
60 [255]
59 [255]
@@ -71,7 +70,6 b' Without certificates:'
71
70
72 (using smtps)
71 (using smtps)
73 sending mail: smtp host localhost, port * (glob)
72 sending mail: smtp host localhost, port * (glob)
74 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
75 (verifying remote certificate)
73 (verifying remote certificate)
76 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
74 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
77 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
75 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
@@ -85,7 +83,6 b' With global certificates:'
85
83
86 (using smtps)
84 (using smtps)
87 sending mail: smtp host localhost, port * (glob)
85 sending mail: smtp host localhost, port * (glob)
88 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
89 (verifying remote certificate)
86 (verifying remote certificate)
90 sending [PATCH] a ...
87 sending [PATCH] a ...
91
88
@@ -95,7 +92,6 b' With invalid certificates:'
95 this patch series consists of 1 patches.
92 this patch series consists of 1 patches.
96
93
97
94
98 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
99 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
95 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
100 (?i)abort: .*?certificate.verify.failed.* (re)
96 (?i)abort: .*?certificate.verify.failed.* (re)
101 [255]
97 [255]