test-https: test web.cacerts functionality
Mads Kiilerich -
r12741:949dfdb3 default
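--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,103 +1,176 @@
 Proper https client requires the built-in ssl from Python 2.6,
 and https serve requires the full OpenSSL module.
 
 $ "$TESTDIR/hghave" ssl || exit 80
 
 HTTPS serve seems to be broken on Python 2.7:
 
 $ [ "`python -c 'import sys; print sys.version_info[:2]'`" = '(2, 6)' ] || exit 80
 
 Certificates created with:
 printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
 openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
 Can be dumped with:
 openssl x509 -in pub.pem -text
 
 $ cat << EOT > priv.pem
 > -----BEGIN PRIVATE KEY-----
 > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
 > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
 > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
 > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
 > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
 > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
 > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
 > HY8gUVkVRVs=
 > -----END PRIVATE KEY-----
 > EOT
 
 $ cat << EOT > pub.pem
 > -----BEGIN CERTIFICATE-----
 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
 > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
 > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
 > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
 > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
 > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
 > -----END CERTIFICATE-----
 > EOT
 $ cat priv.pem pub.pem >> server.pem
 $ PRIV=`pwd`/server.pem
 
+$ cat << EOT > pub-other.pem
+> -----BEGIN CERTIFICATE-----
+> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
+> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
+> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
+> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
+> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
+> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
+> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
+> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
+> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
+> -----END CERTIFICATE-----
+> EOT
+
+pub.pem patched with other notBefore / notAfter:
+
+$ cat << EOT > pub-not-yet.pem
+> -----BEGIN CERTIFICATE-----
+> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
+> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
+> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
+> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
+> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
+> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
+> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
+> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
+> -----END CERTIFICATE-----
+> EOT
+$ cat priv.pem pub-not-yet.pem > server-not-yet.pem
+
+$ cat << EOT > pub-expired.pem
+> -----BEGIN CERTIFICATE-----
+> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
+> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
+> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
+> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
+> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
+> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
+> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
+> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
+> -----END CERTIFICATE-----
+> EOT
+$ cat priv.pem pub-expired.pem > server-expired.pem
+
 $ hg init test
 $ cd test
 $ echo foo>foo
 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
 $ echo foo>foo.d/foo
 $ echo bar>foo.d/bAr.hg.d/BaR
 $ echo bar>foo.d/baR.d.hg/bAR
 $ hg commit -A -m 1
 adding foo
 adding foo.d/bAr.hg.d/BaR
 adding foo.d/baR.d.hg/bAR
 adding foo.d/foo
 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
 $ cat ../hg0.pid >> $DAEMON_PIDS
 
 Test server address cannot be reused
 
 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
 abort: cannot start server at ':$HGPORT': Address already in use
 [255]
 $ cd ..
 
 clone via pull
 
 $ hg clone https://localhost:$HGPORT/ copy-pull
 requesting all changes
 adding changesets
 adding manifests
 adding file changes
 added 1 changesets with 4 changes to 4 files
 updating to branch default
 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
 $ hg verify -R copy-pull
 checking changesets
 checking manifests
 crosschecking files in changesets and manifests
 checking files
 4 files, 1 changesets, 4 total revisions
 $ cd test
 $ echo bar > bar
 $ hg commit -A -d '1 0' -m 2
 adding bar
 $ cd ..
 
 pull
 
 $ cd copy-pull
 $ echo '[hooks]' >> .hg/hgrc
 $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
 $ hg pull
 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
 pulling from https://localhost:$HGPORT/
 searching for changes
 adding changesets
 adding manifests
 adding file changes
 added 1 changesets with 1 changes to 1 files
 (run 'hg update' to get a working copy)
 $ cd ..
+
+cacert
+
+$ hg -R copy-pull pull --config web.cacerts=pub.pem
+pulling from https://localhost:$HGPORT/
+searching for changes
+no changes found
+$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
+abort: 127.0.0.1 certificate error: certificate is for localhost
+[255]
+$ hg -R copy-pull pull --config web.cacerts=pub-other.pem
+abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
+[255]
+
+Test server cert which isn't valid yet
+
+$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
+$ cat hg1.pid >> $DAEMON_PIDS
+$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
+abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
+[255]
+
+Test server cert which no longer is valid
+
+$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
+$ cat hg2.pid >> $DAEMON_PIDS
+$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
+abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
+[255]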
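Review bot: The not-yet-valid and expired cases at the end of the section expect the same `certificate verify failed` line as the wrong-CA case (`pub-other.pem`), so the test cannot tell a validity-period rejection from a signature failure. The line `pub.pem patched with other notBefore / notAfter:` does not say whether the patched certificates were re-signed with priv.pem; if they were not, both cases would presumably still pass with date checking broken. Extend that line the way the `Certificates created with:` block documents pub.pem, for example `pub.pem with notBefore / notAfter changed and re-signed with priv.pem, created with: <command used>`, so the fixtures can be regenerated and the reason for rejection is unambiguous. It is also worth noting there that pub.pem itself expires in 2035, after which the positive `web.cacerts=pub.pem` pull will start failing.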