tests: fix missing (glob) annotations in test-https.t
Augie Fackler -
r31813:68bd8cd3 default
@@ -1,645 +1,645 b''
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Make server certificates:
5 Make server certificates:
6
6
7 $ CERTSDIR="$TESTDIR/sslcerts"
7 $ CERTSDIR="$TESTDIR/sslcerts"
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
9 $ PRIV=`pwd`/server.pem
9 $ PRIV=`pwd`/server.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
12
12
13 $ hg init test
13 $ hg init test
14 $ cd test
14 $ cd test
15 $ echo foo>foo
15 $ echo foo>foo
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
17 $ echo foo>foo.d/foo
17 $ echo foo>foo.d/foo
18 $ echo bar>foo.d/bAr.hg.d/BaR
18 $ echo bar>foo.d/bAr.hg.d/BaR
19 $ echo bar>foo.d/baR.d.hg/bAR
19 $ echo bar>foo.d/baR.d.hg/bAR
20 $ hg commit -A -m 1
20 $ hg commit -A -m 1
21 adding foo
21 adding foo
22 adding foo.d/bAr.hg.d/BaR
22 adding foo.d/bAr.hg.d/BaR
23 adding foo.d/baR.d.hg/bAR
23 adding foo.d/baR.d.hg/bAR
24 adding foo.d/foo
24 adding foo.d/foo
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
26 $ cat ../hg0.pid >> $DAEMON_PIDS
26 $ cat ../hg0.pid >> $DAEMON_PIDS
27
27
28 cacert not found
28 cacert not found
29
29
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32 abort: could not find web.cacerts: no-such.pem
32 abort: could not find web.cacerts: no-such.pem
33 [255]
33 [255]
34
34
35 Test server address cannot be reused
35 Test server address cannot be reused
36
36
37 #if windows
37 #if windows
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
40 [255]
40 [255]
41 #else
41 #else
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
44 [255]
44 [255]
45 #endif
45 #endif
46 $ cd ..
46 $ cd ..
47
47
48 Our test cert is not signed by a trusted CA. It should fail to verify if
48 Our test cert is not signed by a trusted CA. It should fail to verify if
49 we are able to load CA certs.
49 we are able to load CA certs.
50
50
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
52 $ hg clone https://localhost:$HGPORT/ copy-pull
52 $ hg clone https://localhost:$HGPORT/ copy-pull
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
54 abort: error: *certificate verify failed* (glob)
54 abort: error: *certificate verify failed* (glob)
55 [255]
55 [255]
56 #endif
56 #endif
57
57
58 #if no-sslcontext defaultcacerts
58 #if no-sslcontext defaultcacerts
59 $ hg clone https://localhost:$HGPORT/ copy-pull
59 $ hg clone https://localhost:$HGPORT/ copy-pull
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
62 abort: error: *certificate verify failed* (glob)
62 abort: error: *certificate verify failed* (glob)
63 [255]
63 [255]
64 #endif
64 #endif
65
65
66 #if no-sslcontext windows
66 #if no-sslcontext windows
67 $ hg clone https://localhost:$HGPORT/ copy-pull
67 $ hg clone https://localhost:$HGPORT/ copy-pull
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
70 abort: error: *certificate verify failed* (glob)
70 abort: error: *certificate verify failed* (glob)
71 [255]
71 [255]
72 #endif
72 #endif
73
73
74 #if no-sslcontext osx
74 #if no-sslcontext osx
75 $ hg clone https://localhost:$HGPORT/ copy-pull
75 $ hg clone https://localhost:$HGPORT/ copy-pull
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
78 abort: localhost certificate error: no certificate received
78 abort: localhost certificate error: no certificate received
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
80 [255]
80 [255]
81 #endif
81 #endif
82
82
83 #if defaultcacertsloaded
83 #if defaultcacertsloaded
84 $ hg clone https://localhost:$HGPORT/ copy-pull
84 $ hg clone https://localhost:$HGPORT/ copy-pull
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
87 abort: error: *certificate verify failed* (glob)
87 abort: error: *certificate verify failed* (glob)
88 [255]
88 [255]
89 #endif
89 #endif
90
90
91 #if no-defaultcacerts
91 #if no-defaultcacerts
92 $ hg clone https://localhost:$HGPORT/ copy-pull
92 $ hg clone https://localhost:$HGPORT/ copy-pull
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
95 abort: localhost certificate error: no certificate received
95 abort: localhost certificate error: no certificate received
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
97 [255]
97 [255]
98 #endif
98 #endif
99
99
100 Specifying a per-host certificate file that doesn't exist will abort. The full
100 Specifying a per-host certificate file that doesn't exist will abort. The full
101 C:/path/to/msysroot will print on Windows.
101 C:/path/to/msysroot will print on Windows.
102
102
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
106 [255]
106 [255]
107
107
108 A malformed per-host certificate file will raise an error
108 A malformed per-host certificate file will raise an error
109
109
110 $ echo baddata > badca.pem
110 $ echo baddata > badca.pem
111 #if sslcontext
111 #if sslcontext
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
114 abort: error loading CA file badca.pem: * (glob)
114 abort: error loading CA file badca.pem: * (glob)
115 (file is empty or malformed?)
115 (file is empty or malformed?)
116 [255]
116 [255]
117 #else
117 #else
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
120 abort: error: * (glob)
120 abort: error: * (glob)
121 [255]
121 [255]
122 #endif
122 #endif
123
123
124 A per-host certificate mismatching the server will fail verification
124 A per-host certificate mismatching the server will fail verification
125
125
126 (modern ssl is able to discern whether the loaded cert is a CA cert)
126 (modern ssl is able to discern whether the loaded cert is a CA cert)
127 #if sslcontext
127 #if sslcontext
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
131 abort: error: *certificate verify failed* (glob)
131 abort: error: *certificate verify failed* (glob)
132 [255]
132 [255]
133 #else
133 #else
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
136 abort: error: *certificate verify failed* (glob)
136 abort: error: *certificate verify failed* (glob)
137 [255]
137 [255]
138 #endif
138 #endif
139
139
140 A per-host certificate matching the server's cert will be accepted
140 A per-host certificate matching the server's cert will be accepted
141
141
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
144 requesting all changes
144 requesting all changes
145 adding changesets
145 adding changesets
146 adding manifests
146 adding manifests
147 adding file changes
147 adding file changes
148 added 1 changesets with 4 changes to 4 files
148 added 1 changesets with 4 changes to 4 files
149
149
150 A per-host certificate with multiple certs and one matching will be accepted
150 A per-host certificate with multiple certs and one matching will be accepted
151
151
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
155 requesting all changes
155 requesting all changes
156 adding changesets
156 adding changesets
157 adding manifests
157 adding manifests
158 adding file changes
158 adding file changes
159 added 1 changesets with 4 changes to 4 files
159 added 1 changesets with 4 changes to 4 files
160
160
161 Defining both per-host certificate and a fingerprint will print a warning
161 Defining both per-host certificate and a fingerprint will print a warning
162
162
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
166 requesting all changes
166 requesting all changes
167 adding changesets
167 adding changesets
168 adding manifests
168 adding manifests
169 adding file changes
169 adding file changes
170 added 1 changesets with 4 changes to 4 files
170 added 1 changesets with 4 changes to 4 files
171
171
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
173
173
174 Inability to verify peer certificate will result in abort
174 Inability to verify peer certificate will result in abort
175
175
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
180 [255]
180 [255]
181
181
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
185 requesting all changes
185 requesting all changes
186 adding changesets
186 adding changesets
187 adding manifests
187 adding manifests
188 adding file changes
188 adding file changes
189 added 1 changesets with 4 changes to 4 files
189 added 1 changesets with 4 changes to 4 files
190 updating to branch default
190 updating to branch default
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
192 $ hg verify -R copy-pull
192 $ hg verify -R copy-pull
193 checking changesets
193 checking changesets
194 checking manifests
194 checking manifests
195 crosschecking files in changesets and manifests
195 crosschecking files in changesets and manifests
196 checking files
196 checking files
197 4 files, 1 changesets, 4 total revisions
197 4 files, 1 changesets, 4 total revisions
198 $ cd test
198 $ cd test
199 $ echo bar > bar
199 $ echo bar > bar
200 $ hg commit -A -d '1 0' -m 2
200 $ hg commit -A -d '1 0' -m 2
201 adding bar
201 adding bar
202 $ cd ..
202 $ cd ..
203
203
204 pull without cacert
204 pull without cacert
205
205
206 $ cd copy-pull
206 $ cd copy-pull
207 $ cat >> .hg/hgrc <<EOF
207 $ cat >> .hg/hgrc <<EOF
208 > [hooks]
208 > [hooks]
209 > changegroup = sh -c "printenv.py changegroup"
209 > changegroup = sh -c "printenv.py changegroup"
210 > EOF
210 > EOF
211 $ hg pull $DISABLECACERTS
211 $ hg pull $DISABLECACERTS
212 pulling from https://localhost:$HGPORT/
212 pulling from https://localhost:$HGPORT/
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
216 [255]
216 [255]
217
217
218 $ hg pull --insecure
218 $ hg pull --insecure
219 pulling from https://localhost:$HGPORT/
219 pulling from https://localhost:$HGPORT/
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
222 searching for changes
222 searching for changes
223 adding changesets
223 adding changesets
224 adding manifests
224 adding manifests
225 adding file changes
225 adding file changes
226 added 1 changesets with 1 changes to 1 files
226 added 1 changesets with 1 changes to 1 files
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
228 (run 'hg update' to get a working copy)
228 (run 'hg update' to get a working copy)
229 $ cd ..
229 $ cd ..
230
230
231 cacert configured in local repo
231 cacert configured in local repo
232
232
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
234 $ echo "[web]" >> copy-pull/.hg/hgrc
234 $ echo "[web]" >> copy-pull/.hg/hgrc
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
236 $ hg -R copy-pull pull
236 $ hg -R copy-pull pull
237 pulling from https://localhost:$HGPORT/
237 pulling from https://localhost:$HGPORT/
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
239 searching for changes
239 searching for changes
240 no changes found
240 no changes found
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
242
242
243 cacert configured globally, also testing expansion of environment
243 cacert configured globally, also testing expansion of environment
244 variables in the filename
244 variables in the filename
245
245
246 $ echo "[web]" >> $HGRCPATH
246 $ echo "[web]" >> $HGRCPATH
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
248 $ P="$CERTSDIR" hg -R copy-pull pull
248 $ P="$CERTSDIR" hg -R copy-pull pull
249 pulling from https://localhost:$HGPORT/
249 pulling from https://localhost:$HGPORT/
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
251 searching for changes
251 searching for changes
252 no changes found
252 no changes found
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
254 pulling from https://localhost:$HGPORT/
254 pulling from https://localhost:$HGPORT/
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
257 searching for changes
257 searching for changes
258 no changes found
258 no changes found
259
259
260 empty cacert file
260 empty cacert file
261
261
262 $ touch emptycafile
262 $ touch emptycafile
263
263
264 #if sslcontext
264 #if sslcontext
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
266 pulling from https://localhost:$HGPORT/
266 pulling from https://localhost:$HGPORT/
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
268 abort: error loading CA file emptycafile: * (glob)
268 abort: error loading CA file emptycafile: * (glob)
269 (file is empty or malformed?)
269 (file is empty or malformed?)
270 [255]
270 [255]
271 #else
271 #else
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
273 pulling from https://localhost:$HGPORT/
273 pulling from https://localhost:$HGPORT/
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
275 abort: error: * (glob)
275 abort: error: * (glob)
276 [255]
276 [255]
277 #endif
277 #endif
278
278
279 cacert mismatch
279 cacert mismatch
280
280
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
282 > https://$LOCALIP:$HGPORT/
282 > https://$LOCALIP:$HGPORT/
283 pulling from https://*:$HGPORT/ (glob)
283 pulling from https://*:$HGPORT/ (glob)
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
285 abort: $LOCALIP certificate error: certificate is for localhost
285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
287 [255]
287 [255]
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
289 > https://$LOCALIP:$HGPORT/ --insecure
289 > https://$LOCALIP:$HGPORT/ --insecure
290 pulling from https://*:$HGPORT/ (glob)
290 pulling from https://*:$HGPORT/ (glob)
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
293 searching for changes
293 searching for changes
294 no changes found
294 no changes found
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
296 pulling from https://localhost:$HGPORT/
296 pulling from https://localhost:$HGPORT/
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
298 abort: error: *certificate verify failed* (glob)
298 abort: error: *certificate verify failed* (glob)
299 [255]
299 [255]
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
301 > --insecure
301 > --insecure
302 pulling from https://localhost:$HGPORT/
302 pulling from https://localhost:$HGPORT/
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
305 searching for changes
305 searching for changes
306 no changes found
306 no changes found
307
307
308 Test server cert which isn't valid yet
308 Test server cert which isn't valid yet
309
309
310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
311 $ cat hg1.pid >> $DAEMON_PIDS
311 $ cat hg1.pid >> $DAEMON_PIDS
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
313 > https://localhost:$HGPORT1/
313 > https://localhost:$HGPORT1/
314 pulling from https://localhost:$HGPORT1/
314 pulling from https://localhost:$HGPORT1/
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
316 abort: error: *certificate verify failed* (glob)
316 abort: error: *certificate verify failed* (glob)
317 [255]
317 [255]
318
318
319 Test server cert which no longer is valid
319 Test server cert which no longer is valid
320
320
321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
322 $ cat hg2.pid >> $DAEMON_PIDS
322 $ cat hg2.pid >> $DAEMON_PIDS
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
324 > https://localhost:$HGPORT2/
324 > https://localhost:$HGPORT2/
325 pulling from https://localhost:$HGPORT2/
325 pulling from https://localhost:$HGPORT2/
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
327 abort: error: *certificate verify failed* (glob)
327 abort: error: *certificate verify failed* (glob)
328 [255]
328 [255]
329
329
330 Disabling the TLS 1.0 warning works
330 Disabling the TLS 1.0 warning works
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
333 > --config hostsecurity.disabletls10warning=true
333 > --config hostsecurity.disabletls10warning=true
334 5fed3813f7f5
334 5fed3813f7f5
335
335
336 #if no-sslcontext no-py27+
336 #if no-sslcontext no-py27+
337 Setting ciphers doesn't work in Python 2.6
337 Setting ciphers doesn't work in Python 2.6
338 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
338 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
339 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
339 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
340 abort: setting ciphers in [hostsecurity] is not supported by this version of Python
340 abort: setting ciphers in [hostsecurity] is not supported by this version of Python
341 (remove the config option or run Mercurial with a modern Python version (preferred))
341 (remove the config option or run Mercurial with a modern Python version (preferred))
342 [255]
342 [255]
343 #endif
343 #endif
344
344
345 Setting ciphers works in Python 2.7+ but the error message is different on
345 Setting ciphers works in Python 2.7+ but the error message is different on
346 legacy ssl. We test legacy once and do more feature checking on modern
346 legacy ssl. We test legacy once and do more feature checking on modern
347 configs.
347 configs.
348
348
349 #if py27+ no-sslcontext
349 #if py27+ no-sslcontext
350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
352 abort: *No cipher can be selected. (glob)
352 abort: *No cipher can be selected. (glob)
353 [255]
353 [255]
354
354
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
357 5fed3813f7f5
357 5fed3813f7f5
358 #endif
358 #endif
359
359
360 #if sslcontext
360 #if sslcontext
361 Setting ciphers to an invalid value aborts
361 Setting ciphers to an invalid value aborts
362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
364 abort: could not set ciphers: No cipher can be selected.
364 abort: could not set ciphers: No cipher can be selected.
365 (change cipher string (invalid) in config)
365 (change cipher string (invalid) in config)
366 [255]
366 [255]
367
367
368 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
368 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
369 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
369 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
370 abort: could not set ciphers: No cipher can be selected.
370 abort: could not set ciphers: No cipher can be selected.
371 (change cipher string (invalid) in config)
371 (change cipher string (invalid) in config)
372 [255]
372 [255]
373
373
374 Changing the cipher string works
374 Changing the cipher string works
375
375
376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
378 5fed3813f7f5
378 5fed3813f7f5
379 #endif
379 #endif
380
380
381 Fingerprints
381 Fingerprints
382
382
383 - works without cacerts (hostfingerprints)
383 - works without cacerts (hostfingerprints)
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
387 5fed3813f7f5
387 5fed3813f7f5
388
388
389 - works without cacerts (hostsecurity)
389 - works without cacerts (hostsecurity)
390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
392 5fed3813f7f5
392 5fed3813f7f5
393
393
394 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
394 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
395 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
395 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
396 5fed3813f7f5
396 5fed3813f7f5
397
397
398 - multiple fingerprints specified and first matches
398 - multiple fingerprints specified and first matches
399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
402 5fed3813f7f5
402 5fed3813f7f5
403
403
404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
406 5fed3813f7f5
406 5fed3813f7f5
407
407
408 - multiple fingerprints specified and last matches
408 - multiple fingerprints specified and last matches
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
412 5fed3813f7f5
412 5fed3813f7f5
413
413
414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 5fed3813f7f5
416 5fed3813f7f5
417
417
418 - multiple fingerprints specified and none match
418 - multiple fingerprints specified and none match
419
419
420 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
420 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
422 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
422 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
423 (check hostfingerprint configuration)
423 (check hostfingerprint configuration)
424 [255]
424 [255]
425
425
426 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
426 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
427 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
427 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
428 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
428 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
429 (check hostsecurity configuration)
429 (check hostsecurity configuration)
430 [255]
430 [255]
431
431
432 - fails when cert doesn't match hostname (port is ignored)
432 - fails when cert doesn't match hostname (port is ignored)
433 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
433 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
434 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
434 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
435 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
435 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
436 (check hostfingerprint configuration)
436 (check hostfingerprint configuration)
437 [255]
437 [255]
438
438
439
439
440 - ignores that certificate doesn't match hostname
440 - ignores that certificate doesn't match hostname
441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
444 5fed3813f7f5
444 5fed3813f7f5
445
445
446 Ports used by next test. Kill servers.
446 Ports used by next test. Kill servers.
447
447
448 $ killdaemons.py hg0.pid
448 $ killdaemons.py hg0.pid
449 $ killdaemons.py hg1.pid
449 $ killdaemons.py hg1.pid
450 $ killdaemons.py hg2.pid
450 $ killdaemons.py hg2.pid
451
451
452 #if sslcontext tls1.2
452 #if sslcontext tls1.2
453 Start servers running supported TLS versions
453 Start servers running supported TLS versions
454
454
455 $ cd test
455 $ cd test
456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
457 > --config devel.serverexactprotocol=tls1.0
457 > --config devel.serverexactprotocol=tls1.0
458 $ cat ../hg0.pid >> $DAEMON_PIDS
458 $ cat ../hg0.pid >> $DAEMON_PIDS
459 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
459 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
460 > --config devel.serverexactprotocol=tls1.1
460 > --config devel.serverexactprotocol=tls1.1
461 $ cat ../hg1.pid >> $DAEMON_PIDS
461 $ cat ../hg1.pid >> $DAEMON_PIDS
462 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
462 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
463 > --config devel.serverexactprotocol=tls1.2
463 > --config devel.serverexactprotocol=tls1.2
464 $ cat ../hg2.pid >> $DAEMON_PIDS
464 $ cat ../hg2.pid >> $DAEMON_PIDS
465 $ cd ..
465 $ cd ..
466
466
467 Clients talking same TLS versions work
467 Clients talking same TLS versions work
468
468
469 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
469 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
470 5fed3813f7f5
470 5fed3813f7f5
471 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
471 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
472 5fed3813f7f5
472 5fed3813f7f5
473 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
473 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
474 5fed3813f7f5
474 5fed3813f7f5
475
475
476 Clients requiring newer TLS version than what server supports fail
476 Clients requiring newer TLS version than what server supports fail
477
477
478 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
478 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
482 abort: error: *unsupported protocol* (glob)
482 abort: error: *unsupported protocol* (glob)
483 [255]
483 [255]
484
484
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
486 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
486 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 abort: error: *unsupported protocol* (glob)
489 abort: error: *unsupported protocol* (glob)
490 [255]
490 [255]
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
495 abort: error: *unsupported protocol* (glob)
495 abort: error: *unsupported protocol* (glob)
496 [255]
496 [255]
497 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
497 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
498 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
498 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
499 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
499 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
500 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
500 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
501 abort: error: *unsupported protocol* (glob)
501 abort: error: *unsupported protocol* (glob)
502 [255]
502 [255]
503
503
504 --insecure will allow TLS 1.0 connections and override configs
504 --insecure will allow TLS 1.0 connections and override configs
505
505
506 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
506 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
507 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
507 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
508 5fed3813f7f5
508 5fed3813f7f5
509
509
510 The per-host config option overrides the default
510 The per-host config option overrides the default
511
511
512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
513 > --config hostsecurity.minimumprotocol=tls1.2 \
513 > --config hostsecurity.minimumprotocol=tls1.2 \
514 > --config hostsecurity.localhost:minimumprotocol=tls1.0
514 > --config hostsecurity.localhost:minimumprotocol=tls1.0
515 5fed3813f7f5
515 5fed3813f7f5
516
516
517 The per-host config option by itself works
517 The per-host config option by itself works
518
518
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
520 > --config hostsecurity.localhost:minimumprotocol=tls1.2
520 > --config hostsecurity.localhost:minimumprotocol=tls1.2
521 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
521 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
522 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
522 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
523 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
523 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
524 abort: error: *unsupported protocol* (glob)
524 abort: error: *unsupported protocol* (glob)
525 [255]
525 [255]
526
526
527 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
527 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
528
528
529 $ cat >> copy-pull/.hg/hgrc << EOF
529 $ cat >> copy-pull/.hg/hgrc << EOF
530 > [hostsecurity]
530 > [hostsecurity]
531 > localhost:minimumprotocol=tls1.2
531 > localhost:minimumprotocol=tls1.2
532 > EOF
532 > EOF
533 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
533 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
534 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
534 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
535 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
535 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
536 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
536 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
537 abort: error: *unsupported protocol* (glob)
537 abort: error: *unsupported protocol* (glob)
538 [255]
538 [255]
539
539
540 $ killdaemons.py hg0.pid
540 $ killdaemons.py hg0.pid
541 $ killdaemons.py hg1.pid
541 $ killdaemons.py hg1.pid
542 $ killdaemons.py hg2.pid
542 $ killdaemons.py hg2.pid
543 #endif
543 #endif
544
544
545 Prepare for connecting through proxy
545 Prepare for connecting through proxy
546
546
547 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
547 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
548 $ cat hg0.pid >> $DAEMON_PIDS
548 $ cat hg0.pid >> $DAEMON_PIDS
549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
550 $ cat hg2.pid >> $DAEMON_PIDS
550 $ cat hg2.pid >> $DAEMON_PIDS
551 tinyproxy.py doesn't fully detach, so killing it may result in extra output
551 tinyproxy.py doesn't fully detach, so killing it may result in extra output
552 from the shell. So don't kill it.
552 from the shell. So don't kill it.
553 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
553 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
554 $ while [ ! -f proxy.pid ]; do sleep 0; done
554 $ while [ ! -f proxy.pid ]; do sleep 0; done
555 $ cat proxy.pid >> $DAEMON_PIDS
555 $ cat proxy.pid >> $DAEMON_PIDS
556
556
557 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
557 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
558 $ echo "always=True" >> copy-pull/.hg/hgrc
558 $ echo "always=True" >> copy-pull/.hg/hgrc
559 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
559 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
560 $ echo "localhost =" >> copy-pull/.hg/hgrc
560 $ echo "localhost =" >> copy-pull/.hg/hgrc
561
561
562 Test unvalidated https through proxy
562 Test unvalidated https through proxy
563
563
564 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
564 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
565 pulling from https://localhost:$HGPORT/
565 pulling from https://localhost:$HGPORT/
566 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
566 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
567 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
567 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
568 searching for changes
568 searching for changes
569 no changes found
569 no changes found
570
570
571 Test https with cacert and fingerprint through proxy
571 Test https with cacert and fingerprint through proxy
572
572
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
574 > --config web.cacerts="$CERTSDIR/pub.pem"
574 > --config web.cacerts="$CERTSDIR/pub.pem"
575 pulling from https://localhost:$HGPORT/
575 pulling from https://localhost:$HGPORT/
576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
577 searching for changes
577 searching for changes
578 no changes found
578 no changes found
579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
580 pulling from https://*:$HGPORT/ (glob)
580 pulling from https://*:$HGPORT/ (glob)
581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
583 searching for changes
583 searching for changes
584 no changes found
584 no changes found
585
585
586 Test https with cert problems through proxy
586 Test https with cert problems through proxy
587
587
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
589 > --config web.cacerts="$CERTSDIR/pub-other.pem"
589 > --config web.cacerts="$CERTSDIR/pub-other.pem"
590 pulling from https://localhost:$HGPORT/
590 pulling from https://localhost:$HGPORT/
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
592 abort: error: *certificate verify failed* (glob)
592 abort: error: *certificate verify failed* (glob)
593 [255]
593 [255]
594 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
594 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
595 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
595 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
596 pulling from https://localhost:$HGPORT2/
596 pulling from https://localhost:$HGPORT2/
597 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
597 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
598 abort: error: *certificate verify failed* (glob)
598 abort: error: *certificate verify failed* (glob)
599 [255]
599 [255]
600
600
601
601
602 $ killdaemons.py hg0.pid
602 $ killdaemons.py hg0.pid
603
603
604 #if sslcontext
604 #if sslcontext
605
605
606 Start hgweb that requires client certificates:
606 Start hgweb that requires client certificates:
607
607
608 $ cd test
608 $ cd test
609 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
609 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
610 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
610 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
611 $ cat ../hg0.pid >> $DAEMON_PIDS
611 $ cat ../hg0.pid >> $DAEMON_PIDS
612 $ cd ..
612 $ cd ..
613
613
614 without client certificate:
614 without client certificate:
615
615
616 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
616 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
617 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
617 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
618 abort: error: *handshake failure* (glob)
618 abort: error: *handshake failure* (glob)
619 [255]
619 [255]
620
620
621 with client certificate:
621 with client certificate:
622
622
623 $ cat << EOT >> $HGRCPATH
623 $ cat << EOT >> $HGRCPATH
624 > [auth]
624 > [auth]
625 > l.prefix = localhost
625 > l.prefix = localhost
626 > l.cert = $CERTSDIR/client-cert.pem
626 > l.cert = $CERTSDIR/client-cert.pem
627 > l.key = $CERTSDIR/client-key.pem
627 > l.key = $CERTSDIR/client-key.pem
628 > EOT
628 > EOT
629
629
630 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
630 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
631 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
631 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
632 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
632 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
633 5fed3813f7f5
633 5fed3813f7f5
634
634
635 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
635 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
636 > --config ui.interactive=True --config ui.nontty=True
636 > --config ui.interactive=True --config ui.nontty=True
637 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
637 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
638 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
638 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
639
639
640 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
640 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
642 abort: error: * (glob)
642 abort: error: * (glob)
643 [255]
643 [255]
644
644
645 #endif
645 #endif