test: override default cipher selection when connecting to TLS 1.0/1.1 servers...
Julien Cristau -
r49932:7ea2bd20 default
@@ -1,554 +1,555 b''
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Disable the system configuration which may set stricter TLS requirements.
5 Disable the system configuration which may set stricter TLS requirements.
6 This test expects that legacy TLS versions are supported.
6 This test expects that legacy TLS versions are supported.
7
7
8 $ OPENSSL_CONF=
8 $ OPENSSL_CONF=
9 $ export OPENSSL_CONF
9 $ export OPENSSL_CONF
10
10
11 Make server certificates:
11 Make server certificates:
12
12
13 $ CERTSDIR="$TESTDIR/sslcerts"
13 $ CERTSDIR="$TESTDIR/sslcerts"
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
15 $ PRIV=`pwd`/server.pem
15 $ PRIV=`pwd`/server.pem
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
18
18
19 $ hg init test
19 $ hg init test
20 $ cd test
20 $ cd test
21 $ echo foo>foo
21 $ echo foo>foo
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
23 $ echo foo>foo.d/foo
23 $ echo foo>foo.d/foo
24 $ echo bar>foo.d/bAr.hg.d/BaR
24 $ echo bar>foo.d/bAr.hg.d/BaR
25 $ echo bar>foo.d/baR.d.hg/bAR
25 $ echo bar>foo.d/baR.d.hg/bAR
26 $ hg commit -A -m 1
26 $ hg commit -A -m 1
27 adding foo
27 adding foo
28 adding foo.d/bAr.hg.d/BaR
28 adding foo.d/bAr.hg.d/BaR
29 adding foo.d/baR.d.hg/bAR
29 adding foo.d/baR.d.hg/bAR
30 adding foo.d/foo
30 adding foo.d/foo
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
32 $ cat ../hg0.pid >> $DAEMON_PIDS
32 $ cat ../hg0.pid >> $DAEMON_PIDS
33
33
34 cacert not found
34 cacert not found
35
35
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
37 abort: could not find web.cacerts: no-such.pem
37 abort: could not find web.cacerts: no-such.pem
38 [255]
38 [255]
39
39
40 Test server address cannot be reused
40 Test server address cannot be reused
41
41
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
43 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
44 [255]
44 [255]
45
45
46 $ cd ..
46 $ cd ..
47
47
48 Our test cert is not signed by a trusted CA. It should fail to verify if
48 Our test cert is not signed by a trusted CA. It should fail to verify if
49 we are able to load CA certs.
49 we are able to load CA certs.
50
50
51 #if no-defaultcacertsloaded
51 #if no-defaultcacertsloaded
52 $ hg clone https://localhost:$HGPORT/ copy-pull
52 $ hg clone https://localhost:$HGPORT/ copy-pull
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
54 abort: error: *certificate verify failed* (glob)
54 abort: error: *certificate verify failed* (glob)
55 [100]
55 [100]
56 #endif
56 #endif
57
57
58 #if defaultcacertsloaded
58 #if defaultcacertsloaded
59 $ hg clone https://localhost:$HGPORT/ copy-pull
59 $ hg clone https://localhost:$HGPORT/ copy-pull
60 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
60 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
61 abort: error: *certificate verify failed* (glob)
61 abort: error: *certificate verify failed* (glob)
62 [100]
62 [100]
63 #endif
63 #endif
64
64
65 Specifying a per-host certificate file that doesn't exist will abort. The full
65 Specifying a per-host certificate file that doesn't exist will abort. The full
66 C:/path/to/msysroot will print on Windows.
66 C:/path/to/msysroot will print on Windows.
67
67
68 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
68 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
69 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
69 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
70 [255]
70 [255]
71
71
72 A malformed per-host certificate file will raise an error
72 A malformed per-host certificate file will raise an error
73
73
74 $ echo baddata > badca.pem
74 $ echo baddata > badca.pem
75 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
75 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
76 abort: error loading CA file badca.pem: * (glob)
76 abort: error loading CA file badca.pem: * (glob)
77 (file is empty or malformed?)
77 (file is empty or malformed?)
78 [255]
78 [255]
79
79
80 A per-host certificate mismatching the server will fail verification
80 A per-host certificate mismatching the server will fail verification
81
81
82 (modern ssl is able to discern whether the loaded cert is a CA cert)
82 (modern ssl is able to discern whether the loaded cert is a CA cert)
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
86 abort: error: *certificate verify failed* (glob)
86 abort: error: *certificate verify failed* (glob)
87 [100]
87 [100]
88
88
89 A per-host certificate matching the server's cert will be accepted
89 A per-host certificate matching the server's cert will be accepted
90
90
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
92 requesting all changes
92 requesting all changes
93 adding changesets
93 adding changesets
94 adding manifests
94 adding manifests
95 adding file changes
95 adding file changes
96 added 1 changesets with 4 changes to 4 files
96 added 1 changesets with 4 changes to 4 files
97 new changesets 8b6053c928fe
97 new changesets 8b6053c928fe
98
98
99 A per-host certificate with multiple certs and one matching will be accepted
99 A per-host certificate with multiple certs and one matching will be accepted
100
100
101 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
101 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
102 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
102 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
103 requesting all changes
103 requesting all changes
104 adding changesets
104 adding changesets
105 adding manifests
105 adding manifests
106 adding file changes
106 adding file changes
107 added 1 changesets with 4 changes to 4 files
107 added 1 changesets with 4 changes to 4 files
108 new changesets 8b6053c928fe
108 new changesets 8b6053c928fe
109
109
110 Defining both per-host certificate and a fingerprint will print a warning
110 Defining both per-host certificate and a fingerprint will print a warning
111
111
112 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
112 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
113 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
113 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
114 requesting all changes
114 requesting all changes
115 adding changesets
115 adding changesets
116 adding manifests
116 adding manifests
117 adding file changes
117 adding file changes
118 added 1 changesets with 4 changes to 4 files
118 added 1 changesets with 4 changes to 4 files
119 new changesets 8b6053c928fe
119 new changesets 8b6053c928fe
120
120
121 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
121 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
122
122
123 Inability to verify peer certificate will result in abort
123 Inability to verify peer certificate will result in abort
124
124
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
128 [150]
128 [150]
129
129
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
132 requesting all changes
132 requesting all changes
133 adding changesets
133 adding changesets
134 adding manifests
134 adding manifests
135 adding file changes
135 adding file changes
136 added 1 changesets with 4 changes to 4 files
136 added 1 changesets with 4 changes to 4 files
137 new changesets 8b6053c928fe
137 new changesets 8b6053c928fe
138 updating to branch default
138 updating to branch default
139 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
139 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
140 $ hg verify -R copy-pull
140 $ hg verify -R copy-pull
141 checking changesets
141 checking changesets
142 checking manifests
142 checking manifests
143 crosschecking files in changesets and manifests
143 crosschecking files in changesets and manifests
144 checking files
144 checking files
145 checked 1 changesets with 4 changes to 4 files
145 checked 1 changesets with 4 changes to 4 files
146 $ cd test
146 $ cd test
147 $ echo bar > bar
147 $ echo bar > bar
148 $ hg commit -A -d '1 0' -m 2
148 $ hg commit -A -d '1 0' -m 2
149 adding bar
149 adding bar
150 $ cd ..
150 $ cd ..
151
151
152 pull without cacert
152 pull without cacert
153
153
154 $ cd copy-pull
154 $ cd copy-pull
155 $ cat >> .hg/hgrc <<EOF
155 $ cat >> .hg/hgrc <<EOF
156 > [hooks]
156 > [hooks]
157 > changegroup = sh -c "printenv.py --line changegroup"
157 > changegroup = sh -c "printenv.py --line changegroup"
158 > EOF
158 > EOF
159 $ hg pull $DISABLECACERTS
159 $ hg pull $DISABLECACERTS
160 pulling from https://localhost:$HGPORT/
160 pulling from https://localhost:$HGPORT/
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
163 [150]
163 [150]
164
164
165 $ hg pull --insecure
165 $ hg pull --insecure
166 pulling from https://localhost:$HGPORT/
166 pulling from https://localhost:$HGPORT/
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
168 searching for changes
168 searching for changes
169 adding changesets
169 adding changesets
170 adding manifests
170 adding manifests
171 adding file changes
171 adding file changes
172 added 1 changesets with 1 changes to 1 files
172 added 1 changesets with 1 changes to 1 files
173 new changesets 5fed3813f7f5
173 new changesets 5fed3813f7f5
174 changegroup hook: HG_HOOKNAME=changegroup
174 changegroup hook: HG_HOOKNAME=changegroup
175 HG_HOOKTYPE=changegroup
175 HG_HOOKTYPE=changegroup
176 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
176 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
177 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
177 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
178 HG_SOURCE=pull
178 HG_SOURCE=pull
179 HG_TXNID=TXN:$ID$
179 HG_TXNID=TXN:$ID$
180 HG_TXNNAME=pull
180 HG_TXNNAME=pull
181 https://localhost:$HGPORT/
181 https://localhost:$HGPORT/
182 HG_URL=https://localhost:$HGPORT/
182 HG_URL=https://localhost:$HGPORT/
183
183
184 (run 'hg update' to get a working copy)
184 (run 'hg update' to get a working copy)
185 $ cd ..
185 $ cd ..
186
186
187 cacert configured in local repo
187 cacert configured in local repo
188
188
189 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
189 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
190 $ echo "[web]" >> copy-pull/.hg/hgrc
190 $ echo "[web]" >> copy-pull/.hg/hgrc
191 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
191 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
192 $ hg -R copy-pull pull
192 $ hg -R copy-pull pull
193 pulling from https://localhost:$HGPORT/
193 pulling from https://localhost:$HGPORT/
194 searching for changes
194 searching for changes
195 no changes found
195 no changes found
196 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
196 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
197
197
198 cacert configured globally, also testing expansion of environment
198 cacert configured globally, also testing expansion of environment
199 variables in the filename
199 variables in the filename
200
200
201 $ echo "[web]" >> $HGRCPATH
201 $ echo "[web]" >> $HGRCPATH
202 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
202 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
203 $ P="$CERTSDIR" hg -R copy-pull pull
203 $ P="$CERTSDIR" hg -R copy-pull pull
204 pulling from https://localhost:$HGPORT/
204 pulling from https://localhost:$HGPORT/
205 searching for changes
205 searching for changes
206 no changes found
206 no changes found
207 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
207 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
208 pulling from https://localhost:$HGPORT/
208 pulling from https://localhost:$HGPORT/
209 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
209 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
210 searching for changes
210 searching for changes
211 no changes found
211 no changes found
212
212
213 empty cacert file
213 empty cacert file
214
214
215 $ touch emptycafile
215 $ touch emptycafile
216
216
217 $ hg --config web.cacerts=emptycafile -R copy-pull pull
217 $ hg --config web.cacerts=emptycafile -R copy-pull pull
218 pulling from https://localhost:$HGPORT/
218 pulling from https://localhost:$HGPORT/
219 abort: error loading CA file emptycafile: * (glob)
219 abort: error loading CA file emptycafile: * (glob)
220 (file is empty or malformed?)
220 (file is empty or malformed?)
221 [255]
221 [255]
222
222
223 cacert mismatch
223 cacert mismatch
224
224
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
226 > https://$LOCALIP:$HGPORT/
226 > https://$LOCALIP:$HGPORT/
227 pulling from https://*:$HGPORT/ (glob)
227 pulling from https://*:$HGPORT/ (glob)
228 abort: $LOCALIP certificate error: certificate is for localhost (glob)
228 abort: $LOCALIP certificate error: certificate is for localhost (glob)
229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
230 [150]
230 [150]
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
232 > https://$LOCALIP:$HGPORT/ --insecure
232 > https://$LOCALIP:$HGPORT/ --insecure
233 pulling from https://*:$HGPORT/ (glob)
233 pulling from https://*:$HGPORT/ (glob)
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
235 searching for changes
235 searching for changes
236 no changes found
236 no changes found
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
238 pulling from https://localhost:$HGPORT/
238 pulling from https://localhost:$HGPORT/
239 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
239 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
240 abort: error: *certificate verify failed* (glob)
240 abort: error: *certificate verify failed* (glob)
241 [100]
241 [100]
242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
243 > --insecure
243 > --insecure
244 pulling from https://localhost:$HGPORT/
244 pulling from https://localhost:$HGPORT/
245 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
245 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
246 searching for changes
246 searching for changes
247 no changes found
247 no changes found
248
248
249 Test server cert which isn't valid yet
249 Test server cert which isn't valid yet
250
250
251 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
251 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
252 $ cat hg1.pid >> $DAEMON_PIDS
252 $ cat hg1.pid >> $DAEMON_PIDS
253 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
253 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
254 > https://localhost:$HGPORT1/
254 > https://localhost:$HGPORT1/
255 pulling from https://localhost:$HGPORT1/
255 pulling from https://localhost:$HGPORT1/
256 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
256 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
257 abort: error: *certificate verify failed* (glob)
257 abort: error: *certificate verify failed* (glob)
258 [100]
258 [100]
259
259
260 Test server cert which no longer is valid
260 Test server cert which no longer is valid
261
261
262 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
262 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
263 $ cat hg2.pid >> $DAEMON_PIDS
263 $ cat hg2.pid >> $DAEMON_PIDS
264 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
264 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
265 > https://localhost:$HGPORT2/
265 > https://localhost:$HGPORT2/
266 pulling from https://localhost:$HGPORT2/
266 pulling from https://localhost:$HGPORT2/
267 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
267 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
268 abort: error: *certificate verify failed* (glob)
268 abort: error: *certificate verify failed* (glob)
269 [100]
269 [100]
270
270
271 Setting ciphers to an invalid value aborts
271 Setting ciphers to an invalid value aborts
272 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
272 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
273 abort: could not set ciphers: No cipher can be selected.
273 abort: could not set ciphers: No cipher can be selected.
274 (change cipher string (invalid) in config)
274 (change cipher string (invalid) in config)
275 [255]
275 [255]
276
276
277 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
277 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
278 abort: could not set ciphers: No cipher can be selected.
278 abort: could not set ciphers: No cipher can be selected.
279 (change cipher string (invalid) in config)
279 (change cipher string (invalid) in config)
280 [255]
280 [255]
281
281
282 Changing the cipher string works
282 Changing the cipher string works
283
283
284 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
284 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
285 5fed3813f7f5
285 5fed3813f7f5
286
286
287 Fingerprints
287 Fingerprints
288
288
289 - works without cacerts (hostfingerprints)
289 - works without cacerts (hostfingerprints)
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
291 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
291 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
292 5fed3813f7f5
292 5fed3813f7f5
293
293
294 - works without cacerts (hostsecurity)
294 - works without cacerts (hostsecurity)
295 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
295 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
296 5fed3813f7f5
296 5fed3813f7f5
297
297
298 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
298 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
299 5fed3813f7f5
299 5fed3813f7f5
300
300
301 - multiple fingerprints specified and first matches
301 - multiple fingerprints specified and first matches
302 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
302 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
303 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
303 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
304 5fed3813f7f5
304 5fed3813f7f5
305
305
306 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
306 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
307 5fed3813f7f5
307 5fed3813f7f5
308
308
309 - multiple fingerprints specified and last matches
309 - multiple fingerprints specified and last matches
310 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
310 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
311 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
311 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
312 5fed3813f7f5
312 5fed3813f7f5
313
313
314 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
314 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
315 5fed3813f7f5
315 5fed3813f7f5
316
316
317 - multiple fingerprints specified and none match
317 - multiple fingerprints specified and none match
318
318
319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
321 (check hostfingerprint configuration)
321 (check hostfingerprint configuration)
322 [150]
322 [150]
323
323
324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
326 (check hostsecurity configuration)
326 (check hostsecurity configuration)
327 [150]
327 [150]
328
328
329 - fails when cert doesn't match hostname (port is ignored)
329 - fails when cert doesn't match hostname (port is ignored)
330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
332 (check hostfingerprint configuration)
332 (check hostfingerprint configuration)
333 [150]
333 [150]
334
334
335
335
336 - ignores that certificate doesn't match hostname
336 - ignores that certificate doesn't match hostname
337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
339 5fed3813f7f5
339 5fed3813f7f5
340
340
341 Ports used by next test. Kill servers.
341 Ports used by next test. Kill servers.
342
342
343 $ killdaemons.py hg0.pid
343 $ killdaemons.py hg0.pid
344 $ killdaemons.py hg1.pid
344 $ killdaemons.py hg1.pid
345 $ killdaemons.py hg2.pid
345 $ killdaemons.py hg2.pid
346
346
347 #if tls1.2
347 #if tls1.2
348 Start servers running supported TLS versions
348 Start servers running supported TLS versions
349
349
350 $ cd test
350 $ cd test
351 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
351 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
352 > --config devel.serverexactprotocol=tls1.0
352 > --config devel.serverexactprotocol=tls1.0
353 $ cat ../hg0.pid >> $DAEMON_PIDS
353 $ cat ../hg0.pid >> $DAEMON_PIDS
354 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
354 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
355 > --config devel.serverexactprotocol=tls1.1
355 > --config devel.serverexactprotocol=tls1.1
356 $ cat ../hg1.pid >> $DAEMON_PIDS
356 $ cat ../hg1.pid >> $DAEMON_PIDS
357 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
357 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
358 > --config devel.serverexactprotocol=tls1.2
358 > --config devel.serverexactprotocol=tls1.2
359 $ cat ../hg2.pid >> $DAEMON_PIDS
359 $ cat ../hg2.pid >> $DAEMON_PIDS
360 $ cd ..
360 $ cd ..
361
361
362 Clients talking same TLS versions work
362 Clients talking same TLS versions work
363
363
364 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
364 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
365 5fed3813f7f5
365 5fed3813f7f5
366 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
366 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
367 5fed3813f7f5
367 5fed3813f7f5
368 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
368 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
369 5fed3813f7f5
369 5fed3813f7f5
370
370
371 Clients requiring newer TLS version than what server supports fail
371 Clients requiring newer TLS version than what server supports fail
372
372
373 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
373 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
374 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
374 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
375 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
375 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
376 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
376 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
377 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
377 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
378 [100]
378 [100]
379
379
380 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
380 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
381 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
381 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
382 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
382 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
383 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
383 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
384 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
384 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
385 [100]
385 [100]
386 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
386 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
387 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
387 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
388 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
388 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
389 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
389 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
390 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
390 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
391 [100]
391 [100]
392 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
392 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
393 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
393 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
394 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
394 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
395 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
395 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
396 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
396 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
397 [100]
397 [100]
398
398
399 --insecure will allow TLS 1.0 connections and override configs
399 --insecure will allow TLS 1.0 connections and override configs
400
400
401 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
401 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
402 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
402 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
403 5fed3813f7f5
403 5fed3813f7f5
404
404
405 The per-host config option overrides the default
405 The per-host config option overrides the default
406
406
407 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
407 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
408 > --config hostsecurity.ciphers=DEFAULT \
408 > --config hostsecurity.minimumprotocol=tls1.2 \
409 > --config hostsecurity.minimumprotocol=tls1.2 \
409 > --config hostsecurity.localhost:minimumprotocol=tls1.0
410 > --config hostsecurity.localhost:minimumprotocol=tls1.0
410 5fed3813f7f5
411 5fed3813f7f5
411
412
412 The per-host config option by itself works
413 The per-host config option by itself works
413
414
414 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
415 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
415 > --config hostsecurity.localhost:minimumprotocol=tls1.2
416 > --config hostsecurity.localhost:minimumprotocol=tls1.2
416 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
417 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
417 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
418 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
418 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
419 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
419 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
420 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
420 [100]
421 [100]
421
422
422 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
423 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
423
424
424 $ cat >> copy-pull/.hg/hgrc << EOF
425 $ cat >> copy-pull/.hg/hgrc << EOF
425 > [hostsecurity]
426 > [hostsecurity]
426 > localhost:minimumprotocol=tls1.2
427 > localhost:minimumprotocol=tls1.2
427 > EOF
428 > EOF
428 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
429 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
429 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
430 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
430 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
431 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
431 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
432 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
432 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
433 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
433 [100]
434 [100]
434
435
435 $ killdaemons.py hg0.pid
436 $ killdaemons.py hg0.pid
436 $ killdaemons.py hg1.pid
437 $ killdaemons.py hg1.pid
437 $ killdaemons.py hg2.pid
438 $ killdaemons.py hg2.pid
438 #endif
439 #endif
439
440
440 Prepare for connecting through proxy
441 Prepare for connecting through proxy
441
442
442 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
443 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
443 $ cat hg0.pid >> $DAEMON_PIDS
444 $ cat hg0.pid >> $DAEMON_PIDS
444 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
445 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
445 $ cat hg2.pid >> $DAEMON_PIDS
446 $ cat hg2.pid >> $DAEMON_PIDS
446 tinyproxy.py doesn't fully detach, so killing it may result in extra output
447 tinyproxy.py doesn't fully detach, so killing it may result in extra output
447 from the shell. So don't kill it.
448 from the shell. So don't kill it.
448 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
449 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
449 $ while [ ! -f proxy.pid ]; do sleep 0; done
450 $ while [ ! -f proxy.pid ]; do sleep 0; done
450 $ cat proxy.pid >> $DAEMON_PIDS
451 $ cat proxy.pid >> $DAEMON_PIDS
451
452
452 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
453 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
453 $ echo "always=True" >> copy-pull/.hg/hgrc
454 $ echo "always=True" >> copy-pull/.hg/hgrc
454 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
455 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
455 $ echo "localhost =" >> copy-pull/.hg/hgrc
456 $ echo "localhost =" >> copy-pull/.hg/hgrc
456
457
457 Test unvalidated https through proxy
458 Test unvalidated https through proxy
458
459
459 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
460 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
460 pulling from https://localhost:$HGPORT/
461 pulling from https://localhost:$HGPORT/
461 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
462 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
462 searching for changes
463 searching for changes
463 no changes found
464 no changes found
464
465
465 Test https with cacert and fingerprint through proxy
466 Test https with cacert and fingerprint through proxy
466
467
467 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
468 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
468 > --config web.cacerts="$CERTSDIR/pub.pem"
469 > --config web.cacerts="$CERTSDIR/pub.pem"
469 pulling from https://localhost:$HGPORT/
470 pulling from https://localhost:$HGPORT/
470 searching for changes
471 searching for changes
471 no changes found
472 no changes found
472 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
473 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
473 pulling from https://*:$HGPORT/ (glob)
474 pulling from https://*:$HGPORT/ (glob)
474 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
475 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
475 searching for changes
476 searching for changes
476 no changes found
477 no changes found
477
478
478 Test https with cert problems through proxy
479 Test https with cert problems through proxy
479
480
480 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
481 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
481 > --config web.cacerts="$CERTSDIR/pub-other.pem"
482 > --config web.cacerts="$CERTSDIR/pub-other.pem"
482 pulling from https://localhost:$HGPORT/
483 pulling from https://localhost:$HGPORT/
483 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
484 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
484 abort: error: *certificate verify failed* (glob)
485 abort: error: *certificate verify failed* (glob)
485 [100]
486 [100]
486 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
487 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
487 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
488 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
488 pulling from https://localhost:$HGPORT2/
489 pulling from https://localhost:$HGPORT2/
489 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
490 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
490 abort: error: *certificate verify failed* (glob)
491 abort: error: *certificate verify failed* (glob)
491 [100]
492 [100]
492
493
493
494
494 $ killdaemons.py hg0.pid
495 $ killdaemons.py hg0.pid
495
496
496 $ cd test
497 $ cd test
497
498
498 Missing certificate file(s) are detected
499 Missing certificate file(s) are detected
499
500
500 $ hg serve -p $HGPORT --certificate=/missing/certificate \
501 $ hg serve -p $HGPORT --certificate=/missing/certificate \
501 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
502 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
502 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
503 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
503 [255]
504 [255]
504
505
505 $ hg serve -p $HGPORT --certificate=$PRIV \
506 $ hg serve -p $HGPORT --certificate=$PRIV \
506 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
507 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
507 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
508 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
508 [255]
509 [255]
509
510
510 Start hgweb that requires client certificates:
511 Start hgweb that requires client certificates:
511
512
512 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
513 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
513 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
514 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
514 $ cat ../hg0.pid >> $DAEMON_PIDS
515 $ cat ../hg0.pid >> $DAEMON_PIDS
515 $ cd ..
516 $ cd ..
516
517
517 without client certificate:
518 without client certificate:
518
519
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
520 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
520 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
521 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
521 [100]
522 [100]
522
523
523 with client certificate:
524 with client certificate:
524
525
525 $ cat << EOT >> $HGRCPATH
526 $ cat << EOT >> $HGRCPATH
526 > [auth]
527 > [auth]
527 > l.prefix = localhost
528 > l.prefix = localhost
528 > l.cert = $CERTSDIR/client-cert.pem
529 > l.cert = $CERTSDIR/client-cert.pem
529 > l.key = $CERTSDIR/client-key.pem
530 > l.key = $CERTSDIR/client-key.pem
530 > EOT
531 > EOT
531
532
532 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
533 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
533 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
534 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
534 5fed3813f7f5
535 5fed3813f7f5
535
536
536 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
537 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
537 > --config ui.interactive=True --config ui.nontty=True
538 > --config ui.interactive=True --config ui.nontty=True
538 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
539 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
539
540
540 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
541 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
541 abort: error: * (glob)
542 abort: error: * (glob)
542 [100]
543 [100]
543
544
544 Missing certficate and key files result in error
545 Missing certficate and key files result in error
545
546
546 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
547 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
547 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
548 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
548 (restore missing file or fix references in Mercurial config)
549 (restore missing file or fix references in Mercurial config)
549 [255]
550 [255]
550
551
551 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
552 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
552 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
553 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
553 (restore missing file or fix references in Mercurial config)
554 (restore missing file or fix references in Mercurial config)
554 [255]
555 [255]