sslutil: remove dead code (that downgraded default minimum TLS version)...
Manuel Jacob -
r45431:5921dc0d default
@@ -102,27 +102,14 b' def _hostsettings(ui, hostname):'
102 102 % b' '.join(sorted(configprotocols)),
103 103 )
104 104
105 # We default to TLS 1.1+ where we can because TLS 1.0 has known
106 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
107 # TLS 1.0+ via config options in case a legacy server is encountered.
108 if supportedprotocols - {b'tls1.0'}:
109 defaultminimumprotocol = b'tls1.1'
110 else:
111 # Let people know they are borderline secure.
112 # We don't document this config option because we want people to see
113 # the bold warnings on the web site.
114 # internal config: hostsecurity.disabletls10warning
115 if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
116 ui.warn(
117 _(
118 b'warning: connecting to %s using legacy security '
119 b'technology (TLS 1.0); see '
120 b'https://mercurial-scm.org/wiki/SecureConnections for '
121 b'more info\n'
122 )
123 % bhostname
124 )
125 defaultminimumprotocol = b'tls1.0'
105 # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
106 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
107 # options in case a legacy server is encountered.
108
109 # setup.py checks that either TLS 1.1 or TLS 1.2 is present, so the
110 # following assert should not fail.
111 assert supportedprotocols - {b'tls1.0'}
112 defaultminimumprotocol = b'tls1.1'
126 113
127 114 key = b'minimumprotocol'
128 115 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol)
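Review bot: The added `assert supportedprotocols - {b'tls1.0'}` is the only runtime guard behind the TLS 1.1+ default, and `assert` statements are stripped when Python runs with `-O`; where the assert does fire, the user gets a bare AssertionError instead of a readable abort. A setup.py check also only covers the interpreter and ssl module present at build time, which may differ from the ones that later run hg. An explicit check would hold in both cases, for example `if not supportedprotocols - {b'tls1.0'}: raise error.Abort(_(b'TLS 1.1 or newer is not supported by this Python'))`, assuming `error` is imported in this module. `_hostsettings` starts and ends outside the hunk, so how `supportedprotocols` is computed is not visible here. The removed branch was the only visible reader of `hostsecurity.disabletls10warning`; if nothing else reads it, its config registration and the test under "Disabling the TLS 1.0 warning works" look like leftover dead code as well.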
@@ -34,7 +34,6 b' Make server certificates:'
34 34 cacert not found
35 35
36 36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
38 37 abort: could not find web.cacerts: no-such.pem
39 38 [255]
40 39
@@ -58,7 +57,6 b' we are able to load CA certs.'
58 57
59 58 #if defaultcacertsloaded
60 59 $ hg clone https://localhost:$HGPORT/ copy-pull
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
62 60 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
63 61 abort: error: *certificate verify failed* (glob)
64 62 [255]
@@ -68,7 +66,6 b' Specifying a per-host certificate file t'
68 66 C:/path/to/msysroot will print on Windows.
69 67
70 68 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
71 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
72 69 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
73 70 [255]
74 71
@@ -76,7 +73,6 b' A malformed per-host certificate file wi'
76 73
77 74 $ echo baddata > badca.pem
78 75 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
79 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
80 76 abort: error loading CA file badca.pem: * (glob)
81 77 (file is empty or malformed?)
82 78 [255]
@@ -85,7 +81,6 b' A per-host certificate mismatching the s'
85 81
86 82 (modern ssl is able to discern whether the loaded cert is a CA cert)
87 83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
88 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
89 84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
90 85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
91 86 abort: error: *certificate verify failed* (glob)
@@ -94,7 +89,6 b' A per-host certificate mismatching the s'
94 89 A per-host certificate matching the server's cert will be accepted
95 90
96 91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
97 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
98 92 requesting all changes
99 93 adding changesets
100 94 adding manifests
@@ -106,7 +100,6 b' A per-host certificate with multiple cer'
106 100
107 101 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
108 102 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
109 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
110 103 requesting all changes
111 104 adding changesets
112 105 adding manifests
@@ -117,7 +110,6 b' A per-host certificate with multiple cer'
117 110 Defining both per-host certificate and a fingerprint will print a warning
118 111
119 112 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
120 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
121 113 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
122 114 requesting all changes
123 115 adding changesets
@@ -131,13 +123,11 b' Defining both per-host certificate and a'
131 123 Inability to verify peer certificate will result in abort
132 124
133 125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
134 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
135 126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
136 127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
137 128 [255]
138 129
139 130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
140 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
141 131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
142 132 requesting all changes
143 133 adding changesets
@@ -168,14 +158,12 b' pull without cacert'
168 158 > EOF
169 159 $ hg pull $DISABLECACERTS
170 160 pulling from https://localhost:$HGPORT/
171 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
172 161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
173 162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
174 163 [255]
175 164
176 165 $ hg pull --insecure
177 166 pulling from https://localhost:$HGPORT/
178 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
179 167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
180 168 searching for changes
181 169 adding changesets
@@ -203,7 +191,6 b' cacert configured in local repo'
203 191 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
204 192 $ hg -R copy-pull pull
205 193 pulling from https://localhost:$HGPORT/
206 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
207 194 searching for changes
208 195 no changes found
209 196 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
@@ -215,12 +202,10 b' variables in the filename'
215 202 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
216 203 $ P="$CERTSDIR" hg -R copy-pull pull
217 204 pulling from https://localhost:$HGPORT/
218 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
219 205 searching for changes
220 206 no changes found
221 207 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
222 208 pulling from https://localhost:$HGPORT/
223 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
224 209 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
225 210 searching for changes
226 211 no changes found
@@ -231,7 +216,6 b' empty cacert file'
231 216
232 217 $ hg --config web.cacerts=emptycafile -R copy-pull pull
233 218 pulling from https://localhost:$HGPORT/
234 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
235 219 abort: error loading CA file emptycafile: * (glob)
236 220 (file is empty or malformed?)
237 221 [255]
@@ -241,27 +225,23 b' cacert mismatch'
241 225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
242 226 > https://$LOCALIP:$HGPORT/
243 227 pulling from https://*:$HGPORT/ (glob)
244 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
245 228 abort: $LOCALIP certificate error: certificate is for localhost (glob)
246 229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
247 230 [255]
248 231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
249 232 > https://$LOCALIP:$HGPORT/ --insecure
250 233 pulling from https://*:$HGPORT/ (glob)
251 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
252 234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
253 235 searching for changes
254 236 no changes found
255 237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
256 238 pulling from https://localhost:$HGPORT/
257 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
258 239 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
259 240 abort: error: *certificate verify failed* (glob)
260 241 [255]
261 242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
262 243 > --insecure
263 244 pulling from https://localhost:$HGPORT/
264 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
265 245 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
266 246 searching for changes
267 247 no changes found
@@ -273,7 +253,6 b" Test server cert which isn't valid yet"
273 253 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
274 254 > https://localhost:$HGPORT1/
275 255 pulling from https://localhost:$HGPORT1/
276 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
277 256 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
278 257 abort: error: *certificate verify failed* (glob)
279 258 [255]
@@ -285,7 +264,6 b' Test server cert which no longer is vali'
285 264 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
286 265 > https://localhost:$HGPORT2/
287 266 pulling from https://localhost:$HGPORT2/
288 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
289 267 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
290 268 abort: error: *certificate verify failed* (glob)
291 269 [255]
@@ -298,13 +276,11 b' Disabling the TLS 1.0 warning works'
298 276
299 277 Setting ciphers to an invalid value aborts
300 278 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
301 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
302 279 abort: could not set ciphers: No cipher can be selected.
303 280 (change cipher string (invalid) in config)
304 281 [255]
305 282
306 283 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
307 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
308 284 abort: could not set ciphers: No cipher can be selected.
309 285 (change cipher string (invalid) in config)
310 286 [255]
@@ -312,63 +288,52 b' Setting ciphers to an invalid value abor'
312 288 Changing the cipher string works
313 289
314 290 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
316 291 5fed3813f7f5
317 292
318 293 Fingerprints
319 294
320 295 - works without cacerts (hostfingerprints)
321 296 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
322 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
323 297 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
324 298 5fed3813f7f5
325 299
326 300 - works without cacerts (hostsecurity)
327 301 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
328 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
329 302 5fed3813f7f5
330 303
331 304 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
332 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
333 305 5fed3813f7f5
334 306
335 307 - multiple fingerprints specified and first matches
336 308 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
337 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
338 309 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
339 310 5fed3813f7f5
340 311
341 312 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
342 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
343 313 5fed3813f7f5
344 314
345 315 - multiple fingerprints specified and last matches
346 316 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
347 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
348 317 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
349 318 5fed3813f7f5
350 319
351 320 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
353 321 5fed3813f7f5
354 322
355 323 - multiple fingerprints specified and none match
356 324
357 325 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
358 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
359 326 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
360 327 (check hostfingerprint configuration)
361 328 [255]
362 329
363 330 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
364 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
365 331 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
366 332 (check hostsecurity configuration)
367 333 [255]
368 334
369 335 - fails when cert doesn't match hostname (port is ignored)
370 336 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
371 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
372 337 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
373 338 (check hostfingerprint configuration)
374 339 [255]
@@ -376,7 +341,6 b' Fingerprints'
376 341
377 342 - ignores that certificate doesn't match hostname
378 343 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
379 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
380 344 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
381 345 5fed3813f7f5
382 346
@@ -500,7 +464,6 b' Test unvalidated https through proxy'
500 464
501 465 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
502 466 pulling from https://localhost:$HGPORT/
503 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
504 467 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
505 468 searching for changes
506 469 no changes found
@@ -510,12 +473,10 b' Test https with cacert and fingerprint t'
510 473 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
511 474 > --config web.cacerts="$CERTSDIR/pub.pem"
512 475 pulling from https://localhost:$HGPORT/
513 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
514 476 searching for changes
515 477 no changes found
516 478 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
517 479 pulling from https://*:$HGPORT/ (glob)
518 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
519 480 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
520 481 searching for changes
521 482 no changes found
@@ -525,14 +486,12 b' Test https with cert problems through pr'
525 486 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
526 487 > --config web.cacerts="$CERTSDIR/pub-other.pem"
527 488 pulling from https://localhost:$HGPORT/
528 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
529 489 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
530 490 abort: error: *certificate verify failed* (glob)
531 491 [255]
532 492 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
533 493 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
534 494 pulling from https://localhost:$HGPORT2/
535 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
536 495 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
537 496 abort: error: *certificate verify failed* (glob)
538 497 [255]
@@ -564,7 +523,6 b' Start hgweb that requires client certifi'
564 523 without client certificate:
565 524
566 525 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
567 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
568 526 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
569 527 [255]
570 528
@@ -579,16 +537,13 b' with client certificate:'
579 537
580 538 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
581 539 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
582 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
583 540 5fed3813f7f5
584 541
585 542 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
586 543 > --config ui.interactive=True --config ui.nontty=True
587 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
588 544 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
589 545
590 546 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
592 547 abort: error: * (glob)
593 548 [255]
594 549
@@ -54,7 +54,6 b' we are able to load CA certs:'
54 54 this patch series consists of 1 patches.
55 55
56 56
57 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
58 57 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
59 58 (?i)abort: .*?certificate.verify.failed.* (re)
60 59 [255]
@@ -71,7 +70,6 b' Without certificates:'
71 70
72 71 (using smtps)
73 72 sending mail: smtp host localhost, port * (glob)
74 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
75 73 (verifying remote certificate)
76 74 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
77 75 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
@@ -85,7 +83,6 b' With global certificates:'
85 83
86 84 (using smtps)
87 85 sending mail: smtp host localhost, port * (glob)
88 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
89 86 (verifying remote certificate)
90 87 sending [PATCH] a ...
91 88
@@ -95,7 +92,6 b' With invalid certificates:'
95 92 this patch series consists of 1 patches.
96 93
97 94
98 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
99 95 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
100 96 (?i)abort: .*?certificate.verify.failed.* (re)
101 97 [255]