test-https: test web.cacerts functionality
Mads Kiilerich -
r12741:949dfdb3 default
@@ -1,103 +1,176 b''
1 Proper https client requires the built-in ssl from Python 2.6,
1 Proper https client requires the built-in ssl from Python 2.6,
2 and https serve requires the full OpenSSL module.
2 and https serve requires the full OpenSSL module.
3
3
4 $ "$TESTDIR/hghave" ssl || exit 80
4 $ "$TESTDIR/hghave" ssl || exit 80
5
5
6 HTTPS serve seems to be broken on Python 2.7:
6 HTTPS serve seems to be broken on Python 2.7:
7
7
8 $ [ "`python -c 'import sys; print sys.version_info[:2]'`" = '(2, 6)' ] || exit 80
8 $ [ "`python -c 'import sys; print sys.version_info[:2]'`" = '(2, 6)' ] || exit 80
9
9
10 Certificates created with:
10 Certificates created with:
11 printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
11 printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
12 openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
12 openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
13 Can be dumped with:
13 Can be dumped with:
14 openssl x509 -in pub.pem -text
14 openssl x509 -in pub.pem -text
15
15
16 $ cat << EOT > priv.pem
16 $ cat << EOT > priv.pem
17 > -----BEGIN PRIVATE KEY-----
17 > -----BEGIN PRIVATE KEY-----
18 > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
18 > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
19 > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
19 > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
20 > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
20 > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
21 > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
21 > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
22 > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
22 > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
23 > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
23 > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
24 > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
24 > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
25 > HY8gUVkVRVs=
25 > HY8gUVkVRVs=
26 > -----END PRIVATE KEY-----
26 > -----END PRIVATE KEY-----
27 > EOT
27 > EOT
28
28
29 $ cat << EOT > pub.pem
29 $ cat << EOT > pub.pem
30 > -----BEGIN CERTIFICATE-----
30 > -----BEGIN CERTIFICATE-----
31 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
31 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
32 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
32 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
33 > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
33 > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
34 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
34 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
35 > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
35 > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
36 > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
36 > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
37 > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
37 > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
38 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
38 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
39 > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
39 > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
40 > -----END CERTIFICATE-----
40 > -----END CERTIFICATE-----
41 > EOT
41 > EOT
42 $ cat priv.pem pub.pem >> server.pem
42 $ cat priv.pem pub.pem >> server.pem
43 $ PRIV=`pwd`/server.pem
43 $ PRIV=`pwd`/server.pem
44
44
45 $ cat << EOT > pub-other.pem
46 > -----BEGIN CERTIFICATE-----
47 > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
48 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
49 > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
50 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
51 > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
52 > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
53 > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
54 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
55 > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
56 > -----END CERTIFICATE-----
57 > EOT
58
59 pub.pem patched with other notBefore / notAfter:
60
61 $ cat << EOT > pub-not-yet.pem
62 > -----BEGIN CERTIFICATE-----
63 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
64 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
65 > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
66 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
67 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
68 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
69 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
70 > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
71 > -----END CERTIFICATE-----
72 > EOT
73 $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
74
75 $ cat << EOT > pub-expired.pem
76 > -----BEGIN CERTIFICATE-----
77 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
78 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
79 > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
80 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
81 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
82 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
83 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
84 > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
85 > -----END CERTIFICATE-----
86 > EOT
87 $ cat priv.pem pub-expired.pem > server-expired.pem
88
45 $ hg init test
89 $ hg init test
46 $ cd test
90 $ cd test
47 $ echo foo>foo
91 $ echo foo>foo
48 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
92 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
49 $ echo foo>foo.d/foo
93 $ echo foo>foo.d/foo
50 $ echo bar>foo.d/bAr.hg.d/BaR
94 $ echo bar>foo.d/bAr.hg.d/BaR
51 $ echo bar>foo.d/baR.d.hg/bAR
95 $ echo bar>foo.d/baR.d.hg/bAR
52 $ hg commit -A -m 1
96 $ hg commit -A -m 1
53 adding foo
97 adding foo
54 adding foo.d/bAr.hg.d/BaR
98 adding foo.d/bAr.hg.d/BaR
55 adding foo.d/baR.d.hg/bAR
99 adding foo.d/baR.d.hg/bAR
56 adding foo.d/foo
100 adding foo.d/foo
57 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
101 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
58 $ cat ../hg0.pid >> $DAEMON_PIDS
102 $ cat ../hg0.pid >> $DAEMON_PIDS
59
103
60 Test server address cannot be reused
104 Test server address cannot be reused
61
105
62 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
106 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
63 abort: cannot start server at ':$HGPORT': Address already in use
107 abort: cannot start server at ':$HGPORT': Address already in use
64 [255]
108 [255]
65 $ cd ..
109 $ cd ..
66
110
67 clone via pull
111 clone via pull
68
112
69 $ hg clone https://localhost:$HGPORT/ copy-pull
113 $ hg clone https://localhost:$HGPORT/ copy-pull
70 requesting all changes
114 requesting all changes
71 adding changesets
115 adding changesets
72 adding manifests
116 adding manifests
73 adding file changes
117 adding file changes
74 added 1 changesets with 4 changes to 4 files
118 added 1 changesets with 4 changes to 4 files
75 updating to branch default
119 updating to branch default
76 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
120 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
77 $ hg verify -R copy-pull
121 $ hg verify -R copy-pull
78 checking changesets
122 checking changesets
79 checking manifests
123 checking manifests
80 crosschecking files in changesets and manifests
124 crosschecking files in changesets and manifests
81 checking files
125 checking files
82 4 files, 1 changesets, 4 total revisions
126 4 files, 1 changesets, 4 total revisions
83 $ cd test
127 $ cd test
84 $ echo bar > bar
128 $ echo bar > bar
85 $ hg commit -A -d '1 0' -m 2
129 $ hg commit -A -d '1 0' -m 2
86 adding bar
130 adding bar
87 $ cd ..
131 $ cd ..
88
132
89 pull
133 pull
90
134
91 $ cd copy-pull
135 $ cd copy-pull
92 $ echo '[hooks]' >> .hg/hgrc
136 $ echo '[hooks]' >> .hg/hgrc
93 $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
137 $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
94 $ hg pull
138 $ hg pull
95 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
139 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
96 pulling from https://localhost:$HGPORT/
140 pulling from https://localhost:$HGPORT/
97 searching for changes
141 searching for changes
98 adding changesets
142 adding changesets
99 adding manifests
143 adding manifests
100 adding file changes
144 adding file changes
101 added 1 changesets with 1 changes to 1 files
145 added 1 changesets with 1 changes to 1 files
102 (run 'hg update' to get a working copy)
146 (run 'hg update' to get a working copy)
103 $ cd ..
147 $ cd ..
148
149 cacert
150
151 $ hg -R copy-pull pull --config web.cacerts=pub.pem
152 pulling from https://localhost:$HGPORT/
153 searching for changes
154 no changes found
155 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
156 abort: 127.0.0.1 certificate error: certificate is for localhost
157 [255]
158 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
159 abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
160 [255]
161
162 Test server cert which isn't valid yet
163
164 $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
165 $ cat hg1.pid >> $DAEMON_PIDS
166 $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
167 abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
168 [255]
169
170 Test server cert which no longer is valid
171
172 $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
173 $ cat hg2.pid >> $DAEMON_PIDS
174 $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
175 abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
176 [255]
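Review bot: The three negative checks at new lines 159, 167 and 175 all expect the same globbed `certificate verify failed` message, so the not-yet-valid and expired cases would also pass if the patched certificates were rejected for some other reason, such as a signature that no longer matches after the dates were edited. The line `pub.pem patched with other notBefore / notAfter:` does not say how the patch was made or whether the result was re-signed with priv.pem, unlike the `Certificates created with:` recipe given for pub.pem. I would extend that comment to record the exact steps, e.g. `pub.pem patched with other notBefore / notAfter and re-signed with priv.pem using: <command used>`, so a reader can confirm that only the validity period makes verification fail. It would also help to state next to the fixtures that priv.pem is a throwaway 512-bit test key that must never be reused outside the test suite.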