Show More
@@ -1,103 +1,176 b'' | |||
|
1 | 1 | Proper https client requires the built-in ssl from Python 2.6, |
|
2 | 2 | and https serve requires the full OpenSSL module. |
|
3 | 3 | |
|
4 | 4 | $ "$TESTDIR/hghave" ssl || exit 80 |
|
5 | 5 | |
|
6 | 6 | HTTPS serve seems to be broken on Python 2.7: |
|
7 | 7 | |
|
8 | 8 | $ [ "`python -c 'import sys; print sys.version_info[:2]'`" = '(2, 6)' ] || exit 80 |
|
9 | 9 | |
|
10 | 10 | Certificates created with: |
|
11 | 11 | printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ |
|
12 | 12 | openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem |
|
13 | 13 | Can be dumped with: |
|
14 | 14 | openssl x509 -in pub.pem -text |
|
15 | 15 | |
|
16 | 16 | $ cat << EOT > priv.pem |
|
17 | 17 | > -----BEGIN PRIVATE KEY----- |
|
18 | 18 | > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH |
|
19 | 19 | > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8 |
|
20 | 20 | > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc |
|
21 | 21 | > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG |
|
22 | 22 | > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR |
|
23 | 23 | > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy |
|
24 | 24 | > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh |
|
25 | 25 | > HY8gUVkVRVs= |
|
26 | 26 | > -----END PRIVATE KEY----- |
|
27 | 27 | > EOT |
|
28 | 28 | |
|
29 | 29 | $ cat << EOT > pub.pem |
|
30 | 30 | > -----BEGIN CERTIFICATE----- |
|
31 | 31 | > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV |
|
32 | 32 | > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw |
|
33 | 33 | > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0 |
|
34 | 34 | > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL |
|
35 | 35 | > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX |
|
36 | 36 | > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm |
|
37 | 37 | > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw |
|
38 | 38 | > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl |
|
39 | 39 | > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c= |
|
40 | 40 | > -----END CERTIFICATE----- |
|
41 | 41 | > EOT |
|
42 | 42 | $ cat priv.pem pub.pem >> server.pem |
|
43 | 43 | $ PRIV=`pwd`/server.pem |
|
44 | 44 | |
|
45 | $ cat << EOT > pub-other.pem | |
|
46 | > -----BEGIN CERTIFICATE----- | |
|
47 | > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV | |
|
48 | > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw | |
|
49 | > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0 | |
|
50 | > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL | |
|
51 | > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo | |
|
52 | > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN | |
|
53 | > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw | |
|
54 | > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6 | |
|
55 | > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig= | |
|
56 | > -----END CERTIFICATE----- | |
|
57 | > EOT | |
|
58 | ||
|
59 | pub.pem patched with other notBefore / notAfter: | |
|
60 | ||
|
61 | $ cat << EOT > pub-not-yet.pem | |
|
62 | > -----BEGIN CERTIFICATE----- | |
|
63 | > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs | |
|
64 | > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw | |
|
65 | > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv | |
|
66 | > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK | |
|
67 | > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA | |
|
68 | > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T | |
|
69 | > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb | |
|
70 | > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0= | |
|
71 | > -----END CERTIFICATE----- | |
|
72 | > EOT | |
|
73 | $ cat priv.pem pub-not-yet.pem > server-not-yet.pem | |
|
74 | ||
|
75 | $ cat << EOT > pub-expired.pem | |
|
76 | > -----BEGIN CERTIFICATE----- | |
|
77 | > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs | |
|
78 | > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx | |
|
79 | > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv | |
|
80 | > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK | |
|
81 | > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA | |
|
82 | > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T | |
|
83 | > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt | |
|
84 | > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ= | |
|
85 | > -----END CERTIFICATE----- | |
|
86 | > EOT | |
|
87 | $ cat priv.pem pub-expired.pem > server-expired.pem | |
|
88 | ||
|
45 | 89 | $ hg init test |
|
46 | 90 | $ cd test |
|
47 | 91 | $ echo foo>foo |
|
48 | 92 | $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg |
|
49 | 93 | $ echo foo>foo.d/foo |
|
50 | 94 | $ echo bar>foo.d/bAr.hg.d/BaR |
|
51 | 95 | $ echo bar>foo.d/baR.d.hg/bAR |
|
52 | 96 | $ hg commit -A -m 1 |
|
53 | 97 | adding foo |
|
54 | 98 | adding foo.d/bAr.hg.d/BaR |
|
55 | 99 | adding foo.d/baR.d.hg/bAR |
|
56 | 100 | adding foo.d/foo |
|
57 | 101 | $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
|
58 | 102 | $ cat ../hg0.pid >> $DAEMON_PIDS |
|
59 | 103 | |
|
60 | 104 | Test server address cannot be reused |
|
61 | 105 | |
|
62 | 106 | $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
|
63 | 107 | abort: cannot start server at ':$HGPORT': Address already in use |
|
64 | 108 | [255] |
|
65 | 109 | $ cd .. |
|
66 | 110 | |
|
67 | 111 | clone via pull |
|
68 | 112 | |
|
69 | 113 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
70 | 114 | requesting all changes |
|
71 | 115 | adding changesets |
|
72 | 116 | adding manifests |
|
73 | 117 | adding file changes |
|
74 | 118 | added 1 changesets with 4 changes to 4 files |
|
75 | 119 | updating to branch default |
|
76 | 120 | 4 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
77 | 121 | $ hg verify -R copy-pull |
|
78 | 122 | checking changesets |
|
79 | 123 | checking manifests |
|
80 | 124 | crosschecking files in changesets and manifests |
|
81 | 125 | checking files |
|
82 | 126 | 4 files, 1 changesets, 4 total revisions |
|
83 | 127 | $ cd test |
|
84 | 128 | $ echo bar > bar |
|
85 | 129 | $ hg commit -A -d '1 0' -m 2 |
|
86 | 130 | adding bar |
|
87 | 131 | $ cd .. |
|
88 | 132 | |
|
89 | 133 | pull |
|
90 | 134 | |
|
91 | 135 | $ cd copy-pull |
|
92 | 136 | $ echo '[hooks]' >> .hg/hgrc |
|
93 | 137 | $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc |
|
94 | 138 | $ hg pull |
|
95 | 139 | changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ |
|
96 | 140 | pulling from https://localhost:$HGPORT/ |
|
97 | 141 | searching for changes |
|
98 | 142 | adding changesets |
|
99 | 143 | adding manifests |
|
100 | 144 | adding file changes |
|
101 | 145 | added 1 changesets with 1 changes to 1 files |
|
102 | 146 | (run 'hg update' to get a working copy) |
|
103 | 147 | $ cd .. |
|
148 | ||
|
149 | cacert | |
|
150 | ||
|
151 | $ hg -R copy-pull pull --config web.cacerts=pub.pem | |
|
152 | pulling from https://localhost:$HGPORT/ | |
|
153 | searching for changes | |
|
154 | no changes found | |
|
155 | $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ | |
|
156 | abort: 127.0.0.1 certificate error: certificate is for localhost | |
|
157 | [255] | |
|
158 | $ hg -R copy-pull pull --config web.cacerts=pub-other.pem | |
|
159 | abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob) | |
|
160 | [255] | |
|
161 | ||
|
162 | Test server cert which isn't valid yet | |
|
163 | ||
|
164 | $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem | |
|
165 | $ cat hg1.pid >> $DAEMON_PIDS | |
|
166 | $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/ | |
|
167 | abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob) | |
|
168 | [255] | |
|
169 | ||
|
170 | Test server cert which no longer is valid | |
|
171 | ||
|
172 | $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem | |
|
173 | $ cat hg2.pid >> $DAEMON_PIDS | |
|
174 | $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/ | |
|
175 | abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob) | |
|
176 | [255] |
General Comments 0
You need to be logged in to leave comments.
Login now