Show More
| @@ -418,6 +418,25 b' def has_defaultcacerts():' | |||||
| 418 | from mercurial import sslutil |
|
418 | from mercurial import sslutil | |
| 419 | return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts |
|
419 | return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts | |
| 420 |
|
420 | |||
|
|
421 | @check("defaultcacertsloaded", "detected presence of loaded system CA certs") | |||
|
|
422 | def has_defaultcacertsloaded(): | |||
|
|
423 | import ssl | |||
|
|
424 | from mercurial import sslutil | |||
|
|
425 | ||||
|
|
426 | if not has_defaultcacerts(): | |||
|
|
427 | return False | |||
|
|
428 | if not has_sslcontext(): | |||
|
|
429 | return False | |||
|
|
430 | ||||
|
|
431 | cafile = sslutil._defaultcacerts() | |||
|
|
432 | ctx = ssl.create_default_context() | |||
|
|
433 | if cafile: | |||
|
|
434 | ctx.load_verify_locations(cafile=cafile) | |||
|
|
435 | else: | |||
|
|
436 | ctx.load_default_certs() | |||
|
|
437 | ||||
|
|
438 | return len(ctx.get_ca_certs()) > 0 | |||
|
|
439 | ||||
| 421 | @check("windows", "Windows") |
|
440 | @check("windows", "Windows") | |
| 422 | def has_windows(): |
|
441 | def has_windows(): | |
| 423 | return os.name == 'nt' |
|
442 | return os.name == 'nt' | |
| @@ -47,12 +47,26 b' Test server address cannot be reused' | |||||
| 47 | Our test cert is not signed by a trusted CA. It should fail to verify if |
|
47 | Our test cert is not signed by a trusted CA. It should fail to verify if | |
| 48 | we are able to load CA certs. |
|
48 | we are able to load CA certs. | |
| 49 |
|
49 | |||
| 50 | #if defaultcacerts |
|
50 | #if sslcontext defaultcacerts no-defaultcacertsloaded | |
| 51 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
51 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
| 52 | (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
52 | (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | |
| 53 | abort: error: *certificate verify failed* (glob) |
|
53 | abort: error: *certificate verify failed* (glob) | |
| 54 | [255] |
|
54 | [255] | |
| 55 | #else |
|
55 | #endif | |
|
|
56 | ||||
|
|
57 | #if no-sslcontext defaultcacerts | |||
|
|
58 | $ hg clone https://localhost:$HGPORT/ copy-pull | |||
|
|
59 | abort: error: *certificate verify failed* (glob) | |||
|
|
60 | [255] | |||
|
|
61 | #endif | |||
|
|
62 | ||||
|
|
63 | #if defaultcacertsloaded | |||
|
|
64 | $ hg clone https://localhost:$HGPORT/ copy-pull | |||
|
|
65 | abort: error: *certificate verify failed* (glob) | |||
|
|
66 | [255] | |||
|
|
67 | #endif | |||
|
|
68 | ||||
|
|
69 | #if no-defaultcacerts | |||
| 56 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
70 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
| 57 | abort: localhost certificate error: no certificate received |
|
71 | abort: localhost certificate error: no certificate received | |
| 58 | (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) |
|
72 | (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) | |
| @@ -43,7 +43,7 b' Utility functions:' | |||||
| 43 | Our test cert is not signed by a trusted CA. It should fail to verify if |
|
43 | Our test cert is not signed by a trusted CA. It should fail to verify if | |
| 44 | we are able to load CA certs: |
|
44 | we are able to load CA certs: | |
| 45 |
|
45 | |||
| 46 | #if defaultcacerts |
|
46 | #if sslcontext defaultcacerts no-defaultcacertsloaded | |
| 47 | $ try |
|
47 | $ try | |
| 48 | this patch series consists of 1 patches. |
|
48 | this patch series consists of 1 patches. | |
| 49 |
|
49 | |||
| @@ -53,6 +53,35 b' we are able to load CA certs:' | |||||
| 53 | [255] |
|
53 | [255] | |
| 54 | #endif |
|
54 | #endif | |
| 55 |
|
55 | |||
|
|
56 | #if no-sslcontext defaultcacerts | |||
|
|
57 | $ try | |||
|
|
58 | this patch series consists of 1 patches. | |||
|
|
59 | ||||
|
|
60 | ||||
|
|
61 | (?i)abort: .*?certificate.verify.failed.* (re) | |||
|
|
62 | [255] | |||
|
|
63 | #endif | |||
|
|
64 | ||||
|
|
65 | #if defaultcacertsloaded | |||
|
|
66 | $ try | |||
|
|
67 | this patch series consists of 1 patches. | |||
|
|
68 | ||||
|
|
69 | ||||
|
|
70 | (?i)abort: .*?certificate.verify.failed.* (re) | |||
|
|
71 | [255] | |||
|
|
72 | ||||
|
|
73 | #endif | |||
|
|
74 | ||||
|
|
75 | #if no-defaultcacerts | |||
|
|
76 | $ try | |||
|
|
77 | this patch series consists of 1 patches. | |||
|
|
78 | ||||
|
|
79 | ||||
|
|
80 | abort: localhost certificate error: no certificate received | |||
|
|
81 | (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) | |||
|
|
82 | [255] | |||
|
|
83 | #endif | |||
|
|
84 | ||||
| 56 | $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
|
85 | $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" | |
| 57 |
|
86 | |||
| 58 | Without certificates: |
|
87 | Without certificates: | |
General Comments 0
You need to be logged in to leave comments.
Login now