upstream/mercurial-mirror Commit - r29356:93b83ef7

1

#require serve ssl

1

#require serve ssl

2

3

Proper https client requires the built-in ssl from Python 2.6.

3

Proper https client requires the built-in ssl from Python 2.6.

4

5

Make server certificates:

5

Make server certificates:

6

7

$ CERTSDIR="$TESTDIR/sslcerts"

7

$ CERTSDIR="$TESTDIR/sslcerts"

8

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem

8

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem

9

$ PRIV=`pwd`/server.pem

9

$ PRIV=`pwd`/server.pem

10

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem

10

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem

11

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem

11

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem

12

13

$ hg init test

13

$ hg init test

14

$ cd test

14

$ cd test

15

$ echo foo>foo

15

$ echo foo>foo

16

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

16

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

17

$ echo foo>foo.d/foo

17

$ echo foo>foo.d/foo

18

$ echo bar>foo.d/bAr.hg.d/BaR

18

$ echo bar>foo.d/bAr.hg.d/BaR

19

$ echo bar>foo.d/baR.d.hg/bAR

19

$ echo bar>foo.d/baR.d.hg/bAR

20

$ hg commit -A -m 1

20

$ hg commit -A -m 1

21

adding foo

21

adding foo

22

adding foo.d/bAr.hg.d/BaR

22

adding foo.d/bAr.hg.d/BaR

23

adding foo.d/baR.d.hg/bAR

23

adding foo.d/baR.d.hg/bAR

24

adding foo.d/foo

24

adding foo.d/foo

25

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

25

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

26

$ cat ../hg0.pid >> $DAEMON_PIDS

26

$ cat ../hg0.pid >> $DAEMON_PIDS

27

28

cacert not found

28

cacert not found

29

30

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

30

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

31

abort: could not find web.cacerts: no-such.pem

31

abort: could not find web.cacerts: no-such.pem

32

[255]

32

[255]

33

34

Test server address cannot be reused

34

Test server address cannot be reused

35

36

#if windows

36

#if windows

37

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

37

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

38

abort: cannot start server at ':$HGPORT':

38

abort: cannot start server at ':$HGPORT':

39

[255]

39

[255]

40

#else

40

#else

41

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

41

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

42

abort: cannot start server at ':$HGPORT': Address already in use

42

abort: cannot start server at ':$HGPORT': Address already in use

43

[255]

43

[255]

44

#endif

44

#endif

45

$ cd ..

45

$ cd ..

46

47

Our test cert is not signed by a trusted CA. It should fail to verify if

47

Our test cert is not signed by a trusted CA. It should fail to verify if

48

we are able to load CA certs.

48

we are able to load CA certs.

49

50

#if defaultcacerts

50

#if defaultcacerts

51

$ hg clone https://localhost:$HGPORT/ copy-pull

51

$ hg clone https://localhost:$HGPORT/ copy-pull

52

abort: error: *certificate verify failed* (glob)

52

abort: error: *certificate verify failed* (glob)

53

[255]

53

[255]

54

#endif

54

#endif

55

56

Specifying a per-host certificate file that doesn't exist will abort

56

Specifying a per-host certificate file that doesn't exist will abort

57

58

$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/

58

$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/

59

abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist

59

abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist

60

[255]

60

[255]

61

62

A malformed per-host certificate file will raise an error

62

A malformed per-host certificate file will raise an error

63

64

$ echo baddata > badca.pem

64

$ echo baddata > badca.pem

65

$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/

65

$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/

66

abort: error: ~~unknown error~~* (glob)

66

abort: error: * (glob)

67

[255]

67

[255]

68

69

A per-host certificate mismatching the server will fail verification

69

A per-host certificate mismatching the server will fail verification

70

71

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/

71

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/

72

abort: error: *certificate verify failed* (glob)

72

abort: error: *certificate verify failed* (glob)

73

[255]

73

[255]

74

75

A per-host certificate matching the server's cert will be accepted

75

A per-host certificate matching the server's cert will be accepted

76

77

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1

77

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1

78

requesting all changes

78

requesting all changes

79

adding changesets

79

adding changesets

80

adding manifests

80

adding manifests

81

adding file changes

81

adding file changes

82

added 1 changesets with 4 changes to 4 files

82

added 1 changesets with 4 changes to 4 files

83

84

A per-host certificate with multiple certs and one matching will be accepted

84

A per-host certificate with multiple certs and one matching will be accepted

85

86

$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem

86

$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem

87

$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2

87

$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2

88

requesting all changes

88

requesting all changes

89

adding changesets

89

adding changesets

90

adding manifests

90

adding manifests

91

adding file changes

91

adding file changes

92

added 1 changesets with 4 changes to 4 files

92

added 1 changesets with 4 changes to 4 files

93

94

Defining both per-host certificate and a fingerprint will print a warning

94

Defining both per-host certificate and a fingerprint will print a warning

95

96

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning

96

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning

97

(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)

97

(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)

98

requesting all changes

98

requesting all changes

99

adding changesets

99

adding changesets

100

adding manifests

100

adding manifests

101

adding file changes

101

adding file changes

102

added 1 changesets with 4 changes to 4 files

102

added 1 changesets with 4 changes to 4 files

103

104

$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"

104

$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"

105

106

clone via pull

106

clone via pull

107

108

$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS

108

$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS

109

warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)

109

warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)

110

requesting all changes

110

requesting all changes

111

adding changesets

111

adding changesets

112

adding manifests

112

adding manifests

113

adding file changes

113

adding file changes

114

added 1 changesets with 4 changes to 4 files

114

added 1 changesets with 4 changes to 4 files

115

updating to branch default

115

updating to branch default

116

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

116

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

117

$ hg verify -R copy-pull

117

$ hg verify -R copy-pull

118

checking changesets

118

checking changesets

119

checking manifests

119

checking manifests

120

crosschecking files in changesets and manifests

120

crosschecking files in changesets and manifests

121

checking files

121

checking files

122

4 files, 1 changesets, 4 total revisions

122

4 files, 1 changesets, 4 total revisions

123

$ cd test

123

$ cd test

124

$ echo bar > bar

124

$ echo bar > bar

125

$ hg commit -A -d '1 0' -m 2

125

$ hg commit -A -d '1 0' -m 2

126

adding bar

126

adding bar

127

$ cd ..

127

$ cd ..

128

129

pull without cacert

129

pull without cacert

130

131

$ cd copy-pull

131

$ cd copy-pull

132

$ echo '[hooks]' >> .hg/hgrc

132

$ echo '[hooks]' >> .hg/hgrc

133

$ echo "changegroup = printenv.py changegroup" >> .hg/hgrc

133

$ echo "changegroup = printenv.py changegroup" >> .hg/hgrc

134

$ hg pull $DISABLECACERTS

134

$ hg pull $DISABLECACERTS

135

pulling from https://localhost:$HGPORT/

135

pulling from https://localhost:$HGPORT/

136

warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)

136

warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)

137

searching for changes

137

searching for changes

138

adding changesets

138

adding changesets

139

adding manifests

139

adding manifests

140

adding file changes

140

adding file changes

141

added 1 changesets with 1 changes to 1 files

141

added 1 changesets with 1 changes to 1 files

142

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)

142

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)

143

(run 'hg update' to get a working copy)

143

(run 'hg update' to get a working copy)

144

$ cd ..

144

$ cd ..

145

146

cacert configured in local repo

146

cacert configured in local repo

147

148

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

148

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

149

$ echo "[web]" >> copy-pull/.hg/hgrc

149

$ echo "[web]" >> copy-pull/.hg/hgrc

150

$ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc

150

$ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc

151

$ hg -R copy-pull pull --traceback

151

$ hg -R copy-pull pull --traceback

152

pulling from https://localhost:$HGPORT/

152

pulling from https://localhost:$HGPORT/

153

searching for changes

153

searching for changes

154

no changes found

154

no changes found

155

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

155

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

156

157

cacert configured globally, also testing expansion of environment

157

cacert configured globally, also testing expansion of environment

158

variables in the filename

158

variables in the filename

159

160

$ echo "[web]" >> $HGRCPATH

160

$ echo "[web]" >> $HGRCPATH

161

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

161

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

162

$ P="$CERTSDIR" hg -R copy-pull pull

162

$ P="$CERTSDIR" hg -R copy-pull pull

163

pulling from https://localhost:$HGPORT/

163

pulling from https://localhost:$HGPORT/

164

searching for changes

164

searching for changes

165

no changes found

165

no changes found

166

$ P="$CERTSDIR" hg -R copy-pull pull --insecure

166

$ P="$CERTSDIR" hg -R copy-pull pull --insecure

167

pulling from https://localhost:$HGPORT/

167

pulling from https://localhost:$HGPORT/

168

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

168

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

169

searching for changes

169

searching for changes

170

no changes found

170

no changes found

171

172

cacert mismatch

172

cacert mismatch

173

174

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

174

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

175

> https://127.0.0.1:$HGPORT/

175

> https://127.0.0.1:$HGPORT/

176

pulling from https://127.0.0.1:$HGPORT/

176

pulling from https://127.0.0.1:$HGPORT/

177

abort: 127.0.0.1 certificate error: certificate is for localhost

177

abort: 127.0.0.1 certificate error: certificate is for localhost

178

(set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)

178

(set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)

179

[255]

179

[255]

180

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

180

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

181

> https://127.0.0.1:$HGPORT/ --insecure

181

> https://127.0.0.1:$HGPORT/ --insecure

182

pulling from https://127.0.0.1:$HGPORT/

182

pulling from https://127.0.0.1:$HGPORT/

183

warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering

183

warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering

184

searching for changes

184

searching for changes

185

no changes found

185

no changes found

186

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"

186

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"

187

pulling from https://localhost:$HGPORT/

187

pulling from https://localhost:$HGPORT/

188

abort: error: *certificate verify failed* (glob)

188

abort: error: *certificate verify failed* (glob)

189

[255]

189

[255]

190

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \

190

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \

191

> --insecure

191

> --insecure

192

pulling from https://localhost:$HGPORT/

192

pulling from https://localhost:$HGPORT/

193

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

193

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

194

searching for changes

194

searching for changes

195

no changes found

195

no changes found

196

197

Test server cert which isn't valid yet

197

Test server cert which isn't valid yet

198

199

$ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

199

$ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

200

$ cat hg1.pid >> $DAEMON_PIDS

200

$ cat hg1.pid >> $DAEMON_PIDS

201

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \

201

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \

202

> https://localhost:$HGPORT1/

202

> https://localhost:$HGPORT1/

203

pulling from https://localhost:$HGPORT1/

203

pulling from https://localhost:$HGPORT1/

204

abort: error: *certificate verify failed* (glob)

204

abort: error: *certificate verify failed* (glob)

205

[255]

205

[255]

206

207

Test server cert which no longer is valid

207

Test server cert which no longer is valid

208

209

$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

209

$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

210

$ cat hg2.pid >> $DAEMON_PIDS

210

$ cat hg2.pid >> $DAEMON_PIDS

211

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \

211

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \

212

> https://localhost:$HGPORT2/

212

> https://localhost:$HGPORT2/

213

pulling from https://localhost:$HGPORT2/

213

pulling from https://localhost:$HGPORT2/

214

abort: error: *certificate verify failed* (glob)

214

abort: error: *certificate verify failed* (glob)

215

[255]

215

[255]

216

217

Fingerprints

217

Fingerprints

218

219

- works without cacerts (hostkeyfingerprints)

219

- works without cacerts (hostkeyfingerprints)

220

$ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

220

$ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

221

5fed3813f7f5

221

5fed3813f7f5

222

223

- works without cacerts (hostsecurity)

223

- works without cacerts (hostsecurity)

224

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca

224

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca

225

5fed3813f7f5

225

5fed3813f7f5

226

227

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30

227

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30

228

5fed3813f7f5

228

5fed3813f7f5

229

230

- multiple fingerprints specified and first matches

230

- multiple fingerprints specified and first matches

231

$ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

231

$ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

232

5fed3813f7f5

232

5fed3813f7f5

233

234

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

234

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

235

5fed3813f7f5

235

5fed3813f7f5

236

237

- multiple fingerprints specified and last matches

237

- multiple fingerprints specified and last matches

238

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure

238

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure

239

5fed3813f7f5

239

5fed3813f7f5

240

241

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/

241

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/

242

5fed3813f7f5

242

5fed3813f7f5

243

244

- multiple fingerprints specified and none match

244

- multiple fingerprints specified and none match

245

246

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

246

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

247

abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

247

abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

248

(check hostfingerprint configuration)

248

(check hostfingerprint configuration)

249

[255]

249

[255]

250

251

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

251

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

252

abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

252

abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

253

(check hostsecurity configuration)

253

(check hostsecurity configuration)

254

[255]

254

[255]

255

256

- fails when cert doesn't match hostname (port is ignored)

256

- fails when cert doesn't match hostname (port is ignored)

257

$ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca

257

$ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca

258

abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

258

abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

259

(check hostfingerprint configuration)

259

(check hostfingerprint configuration)

260

[255]

260

[255]

261

262

263

- ignores that certificate doesn't match hostname

263

- ignores that certificate doesn't match hostname

264

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

264

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

265

5fed3813f7f5

265

5fed3813f7f5

266

267

HGPORT1 is reused below for tinyproxy tests. Kill that server.

267

HGPORT1 is reused below for tinyproxy tests. Kill that server.

268

$ killdaemons.py hg1.pid

268

$ killdaemons.py hg1.pid

269

270

Prepare for connecting through proxy

270

Prepare for connecting through proxy

271

272

$ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

272

$ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

273

$ while [ ! -f proxy.pid ]; do sleep 0; done

273

$ while [ ! -f proxy.pid ]; do sleep 0; done

274

$ cat proxy.pid >> $DAEMON_PIDS

274

$ cat proxy.pid >> $DAEMON_PIDS

275

276

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

276

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

277

$ echo "always=True" >> copy-pull/.hg/hgrc

277

$ echo "always=True" >> copy-pull/.hg/hgrc

278

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

278

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

279

$ echo "localhost =" >> copy-pull/.hg/hgrc

279

$ echo "localhost =" >> copy-pull/.hg/hgrc

280

281

Test unvalidated https through proxy

281

Test unvalidated https through proxy

282

283

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

283

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

284

pulling from https://localhost:$HGPORT/

284

pulling from https://localhost:$HGPORT/

285

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

285

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

286

searching for changes

286

searching for changes

287

no changes found

287

no changes found

288

289

Test https with cacert and fingerprint through proxy

289

Test https with cacert and fingerprint through proxy

290

291

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

291

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

292

> --config web.cacerts="$CERTSDIR/pub.pem"

292

> --config web.cacerts="$CERTSDIR/pub.pem"

293

pulling from https://localhost:$HGPORT/

293

pulling from https://localhost:$HGPORT/

294

searching for changes

294

searching for changes

295

no changes found

295

no changes found

296

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

296

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

297

pulling from https://127.0.0.1:$HGPORT/

297

pulling from https://127.0.0.1:$HGPORT/

298

searching for changes

298

searching for changes

299

no changes found

299

no changes found

300

301

Test https with cert problems through proxy

301

Test https with cert problems through proxy

302

303

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

303

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

304

> --config web.cacerts="$CERTSDIR/pub-other.pem"

304

> --config web.cacerts="$CERTSDIR/pub-other.pem"

305

pulling from https://localhost:$HGPORT/

305

pulling from https://localhost:$HGPORT/

306

abort: error: *certificate verify failed* (glob)

306

abort: error: *certificate verify failed* (glob)

307

[255]

307

[255]

308

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

308

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

309

> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/

309

> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/

310

pulling from https://localhost:$HGPORT2/

310

pulling from https://localhost:$HGPORT2/

311

abort: error: *certificate verify failed* (glob)

311

abort: error: *certificate verify failed* (glob)

312

[255]

312

[255]

313

314

315

$ killdaemons.py hg0.pid

315

$ killdaemons.py hg0.pid

316

317

#if sslcontext

317

#if sslcontext

318

319

Start patched hgweb that requires client certificates:

319

Start patched hgweb that requires client certificates:

320

321

$ cat << EOT > reqclientcert.py

321

$ cat << EOT > reqclientcert.py

322

> import ssl

322

> import ssl

323

> from mercurial.hgweb import server

323

> from mercurial.hgweb import server

324

> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):

324

> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):

325

> @staticmethod

325

> @staticmethod

326

> def preparehttpserver(httpserver, ssl_cert):

326

> def preparehttpserver(httpserver, ssl_cert):

327

> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

327

> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

328

> sslcontext.verify_mode = ssl.CERT_REQUIRED

328

> sslcontext.verify_mode = ssl.CERT_REQUIRED

329

> sslcontext.load_cert_chain(ssl_cert)

329

> sslcontext.load_cert_chain(ssl_cert)

330

> # verify clients by server certificate

330

> # verify clients by server certificate

331

> sslcontext.load_verify_locations(ssl_cert)

331

> sslcontext.load_verify_locations(ssl_cert)

332

> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,

332

> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,

333

> server_side=True)

333

> server_side=True)

334

> server._httprequesthandlerssl = _httprequesthandlersslclientcert

334

> server._httprequesthandlerssl = _httprequesthandlersslclientcert

335

> EOT

335

> EOT

336

$ cd test

336

$ cd test

337

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \

337

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \

338

> --config extensions.reqclientcert=../reqclientcert.py

338

> --config extensions.reqclientcert=../reqclientcert.py

339

$ cat ../hg0.pid >> $DAEMON_PIDS

339

$ cat ../hg0.pid >> $DAEMON_PIDS

340

$ cd ..

340

$ cd ..

341

342

without client certificate:

342

without client certificate:

343

344

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/

344

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/

345

abort: error: *handshake failure* (glob)

345

abort: error: *handshake failure* (glob)

346

[255]

346

[255]

347

348

with client certificate:

348

with client certificate:

349

350

$ cat << EOT >> $HGRCPATH

350

$ cat << EOT >> $HGRCPATH

351

> [auth]

351

> [auth]

352

> l.prefix = localhost

352

> l.prefix = localhost

353

> l.cert = $CERTSDIR/client-cert.pem

353

> l.cert = $CERTSDIR/client-cert.pem

354

> l.key = $CERTSDIR/client-key.pem

354

> l.key = $CERTSDIR/client-key.pem

355

> EOT

355

> EOT

356

357

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

357

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

358

> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"

358

> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"

359

5fed3813f7f5

359

5fed3813f7f5

360

361

$ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

361

$ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

362

> --config ui.interactive=True --config ui.nontty=True

362

> --config ui.interactive=True --config ui.nontty=True

363

passphrase for */client-key.pem: 5fed3813f7f5 (glob)

363

passphrase for */client-key.pem: 5fed3813f7f5 (glob)

364

365

$ env P="$CERTSDIR" hg id https://localhost:$HGPORT/

365

$ env P="$CERTSDIR" hg id https://localhost:$HGPORT/

366

abort: error: * (glob)

366

abort: error: * (glob)

367

[255]

367

[255]

368

369

#endif

369

#endif

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #require serve ssl
             Proper https client requires the built-in ssl from Python 2.6.
             Make server certificates:
               $ CERTSDIR="$TESTDIR/sslcerts"
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
             #if windows
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT':
               [255]
             #else
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
             #endif
               $ cd ..
             Our test cert is not signed by a trusted CA. It should fail to verify if
             we are able to load CA certs.
             #if defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             Specifying a per-host certificate file that doesn't exist will abort
               $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
               abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
               [255]
             A malformed per-host certificate file will raise an error
               $ echo baddata > badca.pem
               $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
-              abort: error: unknown error* (glob)
+              abort: error: * (glob)
               [255]
             A per-host certificate mismatching the server will fail verification
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
             A per-host certificate matching the server's cert will be accepted
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             A per-host certificate with multiple certs and one matching will be accepted
               $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
               $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             Defining both per-host certificate and a fingerprint will print a warning
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
               (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
               warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
               $ hg pull $DISABLECACERTS
               pulling from https://localhost:$HGPORT/
               warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P="$CERTSDIR" hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P="$CERTSDIR" hg -R copy-pull pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/ --insecure
               pulling from https://127.0.0.1:$HGPORT/
               warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
               > --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
               > https://localhost:$HGPORT1/
               pulling from https://localhost:$HGPORT1/
               abort: error: *certificate verify failed* (glob)
               [255]
             Test server cert which no longer is valid
               $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
               > https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
             Fingerprints
             - works without cacerts (hostkeyfingerprints)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
 fed3813f7f5
             - works without cacerts (hostsecurity)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
 fed3813f7f5
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
 fed3813f7f5
             - multiple fingerprints specified and first matches
               $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
 fed3813f7f5
             - multiple fingerprints specified and last matches
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
 fed3813f7f5
             - multiple fingerprints specified and none match
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
               abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
               (check hostfingerprint configuration)
               [255]
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
               abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
               (check hostsecurity configuration)
               [255]
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
               abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
               (check hostfingerprint configuration)
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
 fed3813f7f5
             HGPORT1 is reused below for tinyproxy tests. Kill that server.
               $ killdaemons.py hg1.pid
             Prepare for connecting through proxy
               $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
               $ while [ ! -f proxy.pid ]; do sleep 0; done
               $ cat proxy.pid >> $DAEMON_PIDS
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub.pem"
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ killdaemons.py hg0.pid
             #if sslcontext
             Start patched hgweb that requires client certificates:
               $ cat << EOT > reqclientcert.py
               > import ssl
               > from mercurial.hgweb import server
               > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
               >     @staticmethod
               >     def preparehttpserver(httpserver, ssl_cert):
               >         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
               >         sslcontext.verify_mode = ssl.CERT_REQUIRED
               >         sslcontext.load_cert_chain(ssl_cert)
               >         # verify clients by server certificate
               >         sslcontext.load_verify_locations(ssl_cert)
               >         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
               >                                                    server_side=True)
               > server._httprequesthandlerssl = _httprequesthandlersslclientcert
               > EOT
               $ cd test
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
               > --config extensions.reqclientcert=../reqclientcert.py
               $ cat ../hg0.pid >> $DAEMON_PIDS
               $ cd ..
             without client certificate:
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: *handshake failure* (glob)
               [255]
             with client certificate:
               $ cat << EOT >> $HGRCPATH
               > [auth]
               > l.prefix = localhost
               > l.cert = $CERTSDIR/client-cert.pem
               > l.key = $CERTSDIR/client-key.pem
               > EOT
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
 fed3813f7f5
               $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config ui.interactive=True --config ui.nontty=True
               passphrase for */client-key.pem: 5fed3813f7f5 (glob)
               $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif