##// END OF EJS Templates
tests: increase test-https malform error glob...
Durham Goode -
r29356:93b83ef7 default
parent child Browse files
Show More
@@ -1,369 +1,369
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Make server certificates:
5 Make server certificates:
6
6
7 $ CERTSDIR="$TESTDIR/sslcerts"
7 $ CERTSDIR="$TESTDIR/sslcerts"
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
9 $ PRIV=`pwd`/server.pem
9 $ PRIV=`pwd`/server.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
12
12
13 $ hg init test
13 $ hg init test
14 $ cd test
14 $ cd test
15 $ echo foo>foo
15 $ echo foo>foo
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
17 $ echo foo>foo.d/foo
17 $ echo foo>foo.d/foo
18 $ echo bar>foo.d/bAr.hg.d/BaR
18 $ echo bar>foo.d/bAr.hg.d/BaR
19 $ echo bar>foo.d/baR.d.hg/bAR
19 $ echo bar>foo.d/baR.d.hg/bAR
20 $ hg commit -A -m 1
20 $ hg commit -A -m 1
21 adding foo
21 adding foo
22 adding foo.d/bAr.hg.d/BaR
22 adding foo.d/bAr.hg.d/BaR
23 adding foo.d/baR.d.hg/bAR
23 adding foo.d/baR.d.hg/bAR
24 adding foo.d/foo
24 adding foo.d/foo
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
26 $ cat ../hg0.pid >> $DAEMON_PIDS
26 $ cat ../hg0.pid >> $DAEMON_PIDS
27
27
28 cacert not found
28 cacert not found
29
29
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
31 abort: could not find web.cacerts: no-such.pem
31 abort: could not find web.cacerts: no-such.pem
32 [255]
32 [255]
33
33
34 Test server address cannot be reused
34 Test server address cannot be reused
35
35
36 #if windows
36 #if windows
37 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
37 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
38 abort: cannot start server at ':$HGPORT':
38 abort: cannot start server at ':$HGPORT':
39 [255]
39 [255]
40 #else
40 #else
41 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
41 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
42 abort: cannot start server at ':$HGPORT': Address already in use
42 abort: cannot start server at ':$HGPORT': Address already in use
43 [255]
43 [255]
44 #endif
44 #endif
45 $ cd ..
45 $ cd ..
46
46
47 Our test cert is not signed by a trusted CA. It should fail to verify if
47 Our test cert is not signed by a trusted CA. It should fail to verify if
48 we are able to load CA certs.
48 we are able to load CA certs.
49
49
50 #if defaultcacerts
50 #if defaultcacerts
51 $ hg clone https://localhost:$HGPORT/ copy-pull
51 $ hg clone https://localhost:$HGPORT/ copy-pull
52 abort: error: *certificate verify failed* (glob)
52 abort: error: *certificate verify failed* (glob)
53 [255]
53 [255]
54 #endif
54 #endif
55
55
56 Specifying a per-host certificate file that doesn't exist will abort
56 Specifying a per-host certificate file that doesn't exist will abort
57
57
58 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
58 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
59 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
59 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
60 [255]
60 [255]
61
61
62 A malformed per-host certificate file will raise an error
62 A malformed per-host certificate file will raise an error
63
63
64 $ echo baddata > badca.pem
64 $ echo baddata > badca.pem
65 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
65 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
66 abort: error: unknown error* (glob)
66 abort: error: * (glob)
67 [255]
67 [255]
68
68
69 A per-host certificate mismatching the server will fail verification
69 A per-host certificate mismatching the server will fail verification
70
70
71 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
71 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
72 abort: error: *certificate verify failed* (glob)
72 abort: error: *certificate verify failed* (glob)
73 [255]
73 [255]
74
74
75 A per-host certificate matching the server's cert will be accepted
75 A per-host certificate matching the server's cert will be accepted
76
76
77 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
77 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
78 requesting all changes
78 requesting all changes
79 adding changesets
79 adding changesets
80 adding manifests
80 adding manifests
81 adding file changes
81 adding file changes
82 added 1 changesets with 4 changes to 4 files
82 added 1 changesets with 4 changes to 4 files
83
83
84 A per-host certificate with multiple certs and one matching will be accepted
84 A per-host certificate with multiple certs and one matching will be accepted
85
85
86 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
86 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
87 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
87 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
88 requesting all changes
88 requesting all changes
89 adding changesets
89 adding changesets
90 adding manifests
90 adding manifests
91 adding file changes
91 adding file changes
92 added 1 changesets with 4 changes to 4 files
92 added 1 changesets with 4 changes to 4 files
93
93
94 Defining both per-host certificate and a fingerprint will print a warning
94 Defining both per-host certificate and a fingerprint will print a warning
95
95
96 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
96 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
97 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
97 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
98 requesting all changes
98 requesting all changes
99 adding changesets
99 adding changesets
100 adding manifests
100 adding manifests
101 adding file changes
101 adding file changes
102 added 1 changesets with 4 changes to 4 files
102 added 1 changesets with 4 changes to 4 files
103
103
104 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
104 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
105
105
106 clone via pull
106 clone via pull
107
107
108 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
108 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
109 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
109 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
110 requesting all changes
110 requesting all changes
111 adding changesets
111 adding changesets
112 adding manifests
112 adding manifests
113 adding file changes
113 adding file changes
114 added 1 changesets with 4 changes to 4 files
114 added 1 changesets with 4 changes to 4 files
115 updating to branch default
115 updating to branch default
116 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
116 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
117 $ hg verify -R copy-pull
117 $ hg verify -R copy-pull
118 checking changesets
118 checking changesets
119 checking manifests
119 checking manifests
120 crosschecking files in changesets and manifests
120 crosschecking files in changesets and manifests
121 checking files
121 checking files
122 4 files, 1 changesets, 4 total revisions
122 4 files, 1 changesets, 4 total revisions
123 $ cd test
123 $ cd test
124 $ echo bar > bar
124 $ echo bar > bar
125 $ hg commit -A -d '1 0' -m 2
125 $ hg commit -A -d '1 0' -m 2
126 adding bar
126 adding bar
127 $ cd ..
127 $ cd ..
128
128
129 pull without cacert
129 pull without cacert
130
130
131 $ cd copy-pull
131 $ cd copy-pull
132 $ echo '[hooks]' >> .hg/hgrc
132 $ echo '[hooks]' >> .hg/hgrc
133 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
133 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
134 $ hg pull $DISABLECACERTS
134 $ hg pull $DISABLECACERTS
135 pulling from https://localhost:$HGPORT/
135 pulling from https://localhost:$HGPORT/
136 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
136 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
137 searching for changes
137 searching for changes
138 adding changesets
138 adding changesets
139 adding manifests
139 adding manifests
140 adding file changes
140 adding file changes
141 added 1 changesets with 1 changes to 1 files
141 added 1 changesets with 1 changes to 1 files
142 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
142 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
143 (run 'hg update' to get a working copy)
143 (run 'hg update' to get a working copy)
144 $ cd ..
144 $ cd ..
145
145
146 cacert configured in local repo
146 cacert configured in local repo
147
147
148 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
148 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
149 $ echo "[web]" >> copy-pull/.hg/hgrc
149 $ echo "[web]" >> copy-pull/.hg/hgrc
150 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
150 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
151 $ hg -R copy-pull pull --traceback
151 $ hg -R copy-pull pull --traceback
152 pulling from https://localhost:$HGPORT/
152 pulling from https://localhost:$HGPORT/
153 searching for changes
153 searching for changes
154 no changes found
154 no changes found
155 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
155 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
156
156
157 cacert configured globally, also testing expansion of environment
157 cacert configured globally, also testing expansion of environment
158 variables in the filename
158 variables in the filename
159
159
160 $ echo "[web]" >> $HGRCPATH
160 $ echo "[web]" >> $HGRCPATH
161 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
161 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
162 $ P="$CERTSDIR" hg -R copy-pull pull
162 $ P="$CERTSDIR" hg -R copy-pull pull
163 pulling from https://localhost:$HGPORT/
163 pulling from https://localhost:$HGPORT/
164 searching for changes
164 searching for changes
165 no changes found
165 no changes found
166 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
166 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
167 pulling from https://localhost:$HGPORT/
167 pulling from https://localhost:$HGPORT/
168 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
168 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
169 searching for changes
169 searching for changes
170 no changes found
170 no changes found
171
171
172 cacert mismatch
172 cacert mismatch
173
173
174 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
174 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
175 > https://127.0.0.1:$HGPORT/
175 > https://127.0.0.1:$HGPORT/
176 pulling from https://127.0.0.1:$HGPORT/
176 pulling from https://127.0.0.1:$HGPORT/
177 abort: 127.0.0.1 certificate error: certificate is for localhost
177 abort: 127.0.0.1 certificate error: certificate is for localhost
178 (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
178 (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
179 [255]
179 [255]
180 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
180 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
181 > https://127.0.0.1:$HGPORT/ --insecure
181 > https://127.0.0.1:$HGPORT/ --insecure
182 pulling from https://127.0.0.1:$HGPORT/
182 pulling from https://127.0.0.1:$HGPORT/
183 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering
183 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering
184 searching for changes
184 searching for changes
185 no changes found
185 no changes found
186 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
186 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
187 pulling from https://localhost:$HGPORT/
187 pulling from https://localhost:$HGPORT/
188 abort: error: *certificate verify failed* (glob)
188 abort: error: *certificate verify failed* (glob)
189 [255]
189 [255]
190 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
190 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
191 > --insecure
191 > --insecure
192 pulling from https://localhost:$HGPORT/
192 pulling from https://localhost:$HGPORT/
193 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
193 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
194 searching for changes
194 searching for changes
195 no changes found
195 no changes found
196
196
197 Test server cert which isn't valid yet
197 Test server cert which isn't valid yet
198
198
199 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
199 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
200 $ cat hg1.pid >> $DAEMON_PIDS
200 $ cat hg1.pid >> $DAEMON_PIDS
201 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
201 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
202 > https://localhost:$HGPORT1/
202 > https://localhost:$HGPORT1/
203 pulling from https://localhost:$HGPORT1/
203 pulling from https://localhost:$HGPORT1/
204 abort: error: *certificate verify failed* (glob)
204 abort: error: *certificate verify failed* (glob)
205 [255]
205 [255]
206
206
207 Test server cert which no longer is valid
207 Test server cert which no longer is valid
208
208
209 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
209 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
210 $ cat hg2.pid >> $DAEMON_PIDS
210 $ cat hg2.pid >> $DAEMON_PIDS
211 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
211 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
212 > https://localhost:$HGPORT2/
212 > https://localhost:$HGPORT2/
213 pulling from https://localhost:$HGPORT2/
213 pulling from https://localhost:$HGPORT2/
214 abort: error: *certificate verify failed* (glob)
214 abort: error: *certificate verify failed* (glob)
215 [255]
215 [255]
216
216
217 Fingerprints
217 Fingerprints
218
218
219 - works without cacerts (hostkeyfingerprints)
219 - works without cacerts (hostkeyfingerprints)
220 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
220 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
221 5fed3813f7f5
221 5fed3813f7f5
222
222
223 - works without cacerts (hostsecurity)
223 - works without cacerts (hostsecurity)
224 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
224 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
225 5fed3813f7f5
225 5fed3813f7f5
226
226
227 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
227 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
228 5fed3813f7f5
228 5fed3813f7f5
229
229
230 - multiple fingerprints specified and first matches
230 - multiple fingerprints specified and first matches
231 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
231 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
232 5fed3813f7f5
232 5fed3813f7f5
233
233
234 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
234 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
235 5fed3813f7f5
235 5fed3813f7f5
236
236
237 - multiple fingerprints specified and last matches
237 - multiple fingerprints specified and last matches
238 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
238 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
239 5fed3813f7f5
239 5fed3813f7f5
240
240
241 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
241 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
242 5fed3813f7f5
242 5fed3813f7f5
243
243
244 - multiple fingerprints specified and none match
244 - multiple fingerprints specified and none match
245
245
246 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
246 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
247 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
247 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
248 (check hostfingerprint configuration)
248 (check hostfingerprint configuration)
249 [255]
249 [255]
250
250
251 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
251 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
252 abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
252 abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
253 (check hostsecurity configuration)
253 (check hostsecurity configuration)
254 [255]
254 [255]
255
255
256 - fails when cert doesn't match hostname (port is ignored)
256 - fails when cert doesn't match hostname (port is ignored)
257 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
257 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
258 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
258 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
259 (check hostfingerprint configuration)
259 (check hostfingerprint configuration)
260 [255]
260 [255]
261
261
262
262
263 - ignores that certificate doesn't match hostname
263 - ignores that certificate doesn't match hostname
264 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
264 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
265 5fed3813f7f5
265 5fed3813f7f5
266
266
267 HGPORT1 is reused below for tinyproxy tests. Kill that server.
267 HGPORT1 is reused below for tinyproxy tests. Kill that server.
268 $ killdaemons.py hg1.pid
268 $ killdaemons.py hg1.pid
269
269
270 Prepare for connecting through proxy
270 Prepare for connecting through proxy
271
271
272 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
272 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
273 $ while [ ! -f proxy.pid ]; do sleep 0; done
273 $ while [ ! -f proxy.pid ]; do sleep 0; done
274 $ cat proxy.pid >> $DAEMON_PIDS
274 $ cat proxy.pid >> $DAEMON_PIDS
275
275
276 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
276 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
277 $ echo "always=True" >> copy-pull/.hg/hgrc
277 $ echo "always=True" >> copy-pull/.hg/hgrc
278 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
278 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
279 $ echo "localhost =" >> copy-pull/.hg/hgrc
279 $ echo "localhost =" >> copy-pull/.hg/hgrc
280
280
281 Test unvalidated https through proxy
281 Test unvalidated https through proxy
282
282
283 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
283 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
284 pulling from https://localhost:$HGPORT/
284 pulling from https://localhost:$HGPORT/
285 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
285 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
286 searching for changes
286 searching for changes
287 no changes found
287 no changes found
288
288
289 Test https with cacert and fingerprint through proxy
289 Test https with cacert and fingerprint through proxy
290
290
291 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
291 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
292 > --config web.cacerts="$CERTSDIR/pub.pem"
292 > --config web.cacerts="$CERTSDIR/pub.pem"
293 pulling from https://localhost:$HGPORT/
293 pulling from https://localhost:$HGPORT/
294 searching for changes
294 searching for changes
295 no changes found
295 no changes found
296 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
296 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
297 pulling from https://127.0.0.1:$HGPORT/
297 pulling from https://127.0.0.1:$HGPORT/
298 searching for changes
298 searching for changes
299 no changes found
299 no changes found
300
300
301 Test https with cert problems through proxy
301 Test https with cert problems through proxy
302
302
303 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
303 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
304 > --config web.cacerts="$CERTSDIR/pub-other.pem"
304 > --config web.cacerts="$CERTSDIR/pub-other.pem"
305 pulling from https://localhost:$HGPORT/
305 pulling from https://localhost:$HGPORT/
306 abort: error: *certificate verify failed* (glob)
306 abort: error: *certificate verify failed* (glob)
307 [255]
307 [255]
308 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
308 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
309 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
309 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
310 pulling from https://localhost:$HGPORT2/
310 pulling from https://localhost:$HGPORT2/
311 abort: error: *certificate verify failed* (glob)
311 abort: error: *certificate verify failed* (glob)
312 [255]
312 [255]
313
313
314
314
315 $ killdaemons.py hg0.pid
315 $ killdaemons.py hg0.pid
316
316
317 #if sslcontext
317 #if sslcontext
318
318
319 Start patched hgweb that requires client certificates:
319 Start patched hgweb that requires client certificates:
320
320
321 $ cat << EOT > reqclientcert.py
321 $ cat << EOT > reqclientcert.py
322 > import ssl
322 > import ssl
323 > from mercurial.hgweb import server
323 > from mercurial.hgweb import server
324 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
324 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
325 > @staticmethod
325 > @staticmethod
326 > def preparehttpserver(httpserver, ssl_cert):
326 > def preparehttpserver(httpserver, ssl_cert):
327 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
327 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
328 > sslcontext.verify_mode = ssl.CERT_REQUIRED
328 > sslcontext.verify_mode = ssl.CERT_REQUIRED
329 > sslcontext.load_cert_chain(ssl_cert)
329 > sslcontext.load_cert_chain(ssl_cert)
330 > # verify clients by server certificate
330 > # verify clients by server certificate
331 > sslcontext.load_verify_locations(ssl_cert)
331 > sslcontext.load_verify_locations(ssl_cert)
332 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
332 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
333 > server_side=True)
333 > server_side=True)
334 > server._httprequesthandlerssl = _httprequesthandlersslclientcert
334 > server._httprequesthandlerssl = _httprequesthandlersslclientcert
335 > EOT
335 > EOT
336 $ cd test
336 $ cd test
337 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
337 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
338 > --config extensions.reqclientcert=../reqclientcert.py
338 > --config extensions.reqclientcert=../reqclientcert.py
339 $ cat ../hg0.pid >> $DAEMON_PIDS
339 $ cat ../hg0.pid >> $DAEMON_PIDS
340 $ cd ..
340 $ cd ..
341
341
342 without client certificate:
342 without client certificate:
343
343
344 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
344 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
345 abort: error: *handshake failure* (glob)
345 abort: error: *handshake failure* (glob)
346 [255]
346 [255]
347
347
348 with client certificate:
348 with client certificate:
349
349
350 $ cat << EOT >> $HGRCPATH
350 $ cat << EOT >> $HGRCPATH
351 > [auth]
351 > [auth]
352 > l.prefix = localhost
352 > l.prefix = localhost
353 > l.cert = $CERTSDIR/client-cert.pem
353 > l.cert = $CERTSDIR/client-cert.pem
354 > l.key = $CERTSDIR/client-key.pem
354 > l.key = $CERTSDIR/client-key.pem
355 > EOT
355 > EOT
356
356
357 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
357 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
358 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
358 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
359 5fed3813f7f5
359 5fed3813f7f5
360
360
361 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
361 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
362 > --config ui.interactive=True --config ui.nontty=True
362 > --config ui.interactive=True --config ui.nontty=True
363 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
363 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
364
364
365 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
365 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
366 abort: error: * (glob)
366 abort: error: * (glob)
367 [255]
367 [255]
368
368
369 #endif
369 #endif
General Comments 0
You need to be logged in to leave comments. Login now