upstream/mercurial-mirror Commit - r29577:9654ef41

sslutil: support defining cipher list...

Gregory Szorc -

r29577:9654ef41 default

parent child

mercurial/help/config.txt

0 +16 0

             The Mercurial system uses a set of configuration files to control
             aspects of its behavior.
             Troubleshooting
             ===============
             If you're having problems with your configuration,
             :hg:`config --debug` can help you understand what is introducing
             a setting into your environment.
             See :hg:`help config.syntax` and :hg:`help config.files`
             for information about how and where to override things.
             Structure
             =========
             The configuration files use a simple ini-file format. A configuration
             file consists of sections, led by a ``[section]`` header and followed
             by ``name = value`` entries::
               [ui]
               username = Firstname Lastname <firstname.lastname@example.net>
               verbose = True
             The above entries will be referred to as ``ui.username`` and
             ``ui.verbose``, respectively. See :hg:`help config.syntax`.
             Files
             =====
             Mercurial reads configuration data from several files, if they exist.
             These files do not exist by default and you will have to create the
             appropriate configuration files yourself:
             Local configuration is put into the per-repository ``<repo>/.hg/hgrc`` file.
             Global configuration like the username setting is typically put into:
             .. container:: windows
               - ``%USERPROFILE%\mercurial.ini`` (on Windows)
             .. container:: unix.plan9
               - ``$HOME/.hgrc`` (on Unix, Plan9)
             The names of these files depend on the system on which Mercurial is
             installed. ``*.rc`` files from a single directory are read in
             alphabetical order, later ones overriding earlier ones. Where multiple
             paths are given below, settings from earlier paths override later
             ones.
             .. container:: verbose.unix
               On Unix, the following files are consulted:
               - ``<repo>/.hg/hgrc`` (per-repository)
               - ``$HOME/.hgrc`` (per-user)
               - ``<install-root>/etc/mercurial/hgrc`` (per-installation)
               - ``<install-root>/etc/mercurial/hgrc.d/*.rc`` (per-installation)
               - ``/etc/mercurial/hgrc`` (per-system)
               - ``/etc/mercurial/hgrc.d/*.rc`` (per-system)
               - ``<internal>/default.d/*.rc`` (defaults)
             .. container:: verbose.windows
               On Windows, the following files are consulted:
               - ``<repo>/.hg/hgrc`` (per-repository)
               - ``%USERPROFILE%\.hgrc`` (per-user)
               - ``%USERPROFILE%\Mercurial.ini`` (per-user)
               - ``%HOME%\.hgrc`` (per-user)
               - ``%HOME%\Mercurial.ini`` (per-user)
               - ``HKEY_LOCAL_MACHINE\SOFTWARE\Mercurial`` (per-installation)
               - ``<install-dir>\hgrc.d\*.rc`` (per-installation)
               - ``<install-dir>\Mercurial.ini`` (per-installation)
               - ``<internal>/default.d/*.rc`` (defaults)
               .. note::
                The registry key ``HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mercurial``
                is used when running 32-bit Python on 64-bit Windows.
             .. container:: windows
               On Windows 9x, ``%HOME%`` is replaced by ``%APPDATA%``.
             .. container:: verbose.plan9
               On Plan9, the following files are consulted:
               - ``<repo>/.hg/hgrc`` (per-repository)
               - ``$home/lib/hgrc`` (per-user)
               - ``<install-root>/lib/mercurial/hgrc`` (per-installation)
               - ``<install-root>/lib/mercurial/hgrc.d/*.rc`` (per-installation)
               - ``/lib/mercurial/hgrc`` (per-system)
               - ``/lib/mercurial/hgrc.d/*.rc`` (per-system)
               - ``<internal>/default.d/*.rc`` (defaults)
             Per-repository configuration options only apply in a
             particular repository. This file is not version-controlled, and
             will not get transferred during a "clone" operation. Options in
             this file override options in all other configuration files.
             .. container:: unix.plan9
               On Plan 9 and Unix, most of this file will be ignored if it doesn't
               belong to a trusted user or to a trusted group. See
               :hg:`help config.trusted` for more details.
             Per-user configuration file(s) are for the user running Mercurial.  Options
             in these files apply to all Mercurial commands executed by this user in any
             directory. Options in these files override per-system and per-installation
             options.
             Per-installation configuration files are searched for in the
             directory where Mercurial is installed. ``<install-root>`` is the
             parent directory of the **hg** executable (or symlink) being run.
             .. container:: unix.plan9
               For example, if installed in ``/shared/tools/bin/hg``, Mercurial
               will look in ``/shared/tools/etc/mercurial/hgrc``. Options in these
               files apply to all Mercurial commands executed by any user in any
               directory.
             Per-installation configuration files are for the system on
             which Mercurial is running. Options in these files apply to all
             Mercurial commands executed by any user in any directory. Registry
             keys contain PATH-like strings, every part of which must reference
             a ``Mercurial.ini`` file or be a directory where ``*.rc`` files will
             be read.  Mercurial checks each of these locations in the specified
             order until one or more configuration files are detected.
             Per-system configuration files are for the system on which Mercurial
             is running. Options in these files apply to all Mercurial commands
             executed by any user in any directory. Options in these files
             override per-installation options.
             Mercurial comes with some default configuration. The default configuration
             files are installed with Mercurial and will be overwritten on upgrades. Default
             configuration files should never be edited by users or administrators but can
             be overridden in other configuration files. So far the directory only contains
             merge tool configuration but packagers can also put other default configuration
             there.
             Syntax
             ======
             A configuration file consists of sections, led by a ``[section]`` header
             and followed by ``name = value`` entries (sometimes called
             ``configuration keys``)::
                 [spam]
                 eggs=ham
                 green=
                    eggs
             Each line contains one entry. If the lines that follow are indented,
             they are treated as continuations of that entry. Leading whitespace is
             removed from values. Empty lines are skipped. Lines beginning with
             ``#`` or ``;`` are ignored and may be used to provide comments.
             Configuration keys can be set multiple times, in which case Mercurial
             will use the value that was configured last. As an example::
                 [spam]
                 eggs=large
                 ham=serrano
                 eggs=small
             This would set the configuration key named ``eggs`` to ``small``.
             It is also possible to define a section multiple times. A section can
             be redefined on the same and/or on different configuration files. For
             example::
                 [foo]
                 eggs=large
                 ham=serrano
                 eggs=small
                 [bar]
                 eggs=ham
                 green=
                    eggs
                 [foo]
                 ham=prosciutto
                 eggs=medium
                 bread=toasted
             This would set the ``eggs``, ``ham``, and ``bread`` configuration keys
             of the ``foo`` section to ``medium``, ``prosciutto``, and ``toasted``,
             respectively. As you can see there only thing that matters is the last
             value that was set for each of the configuration keys.
             If a configuration key is set multiple times in different
             configuration files the final value will depend on the order in which
             the different configuration files are read, with settings from earlier
             paths overriding later ones as described on the ``Files`` section
             above.
             A line of the form ``%include file`` will include ``file`` into the
             current configuration file. The inclusion is recursive, which means
             that included files can include other files. Filenames are relative to
             the configuration file in which the ``%include`` directive is found.
             Environment variables and ``~user`` constructs are expanded in
             ``file``. This lets you do something like::
               %include ~/.hgrc.d/$HOST.rc
             to include a different configuration file on each computer you use.
             A line with ``%unset name`` will remove ``name`` from the current
             section, if it has been set previously.
             The values are either free-form text strings, lists of text strings,
             or Boolean values. Boolean values can be set to true using any of "1",
             "yes", "true", or "on" and to false using "0", "no", "false", or "off"
             (all case insensitive).
             List values are separated by whitespace or comma, except when values are
             placed in double quotation marks::
               allow_read = "John Doe, PhD", brian, betty
             Quotation marks can be escaped by prefixing them with a backslash. Only
             quotation marks at the beginning of a word is counted as a quotation
             (e.g., ``foo"bar baz`` is the list of ``foo"bar`` and ``baz``).
             Sections
             ========
             This section describes the different sections that may appear in a
             Mercurial configuration file, the purpose of each section, its possible
             keys, and their possible values.
             ``alias``
             ---------
             Defines command aliases.
             Aliases allow you to define your own commands in terms of other
             commands (or aliases), optionally including arguments. Positional
             arguments in the form of ``$1``, ``$2``, etc. in the alias definition
             are expanded by Mercurial before execution. Positional arguments not
             already used by ``$N`` in the definition are put at the end of the
             command to be executed.
             Alias definitions consist of lines of the form::
                 <alias> = <command> [<argument>]...
             For example, this definition::
                 latest = log --limit 5
             creates a new command ``latest`` that shows only the five most recent
             changesets. You can define subsequent aliases using earlier ones::
                 stable5 = latest -b stable
             .. note::
                It is possible to create aliases with the same names as
                existing commands, which will then override the original
                definitions. This is almost always a bad idea!
             An alias can start with an exclamation point (``!``) to make it a
             shell alias. A shell alias is executed with the shell and will let you
             run arbitrary commands. As an example, ::
                echo = !echo $@
             will let you do ``hg echo foo`` to have ``foo`` printed in your
             terminal. A better example might be::
                purge = !$HG status --no-status --unknown -0 re: | xargs -0 rm
             which will make ``hg purge`` delete all unknown files in the
             repository in the same manner as the purge extension.
             Positional arguments like ``$1``, ``$2``, etc. in the alias definition
             expand to the command arguments. Unmatched arguments are
             removed. ``$0`` expands to the alias name and ``$@`` expands to all
             arguments separated by a space. ``"$@"`` (with quotes) expands to all
             arguments quoted individually and separated by a space. These expansions
             happen before the command is passed to the shell.
             Shell aliases are executed in an environment where ``$HG`` expands to
             the path of the Mercurial that was used to execute the alias. This is
             useful when you want to call further Mercurial commands in a shell
             alias, as was done above for the purge alias. In addition,
             ``$HG_ARGS`` expands to the arguments given to Mercurial. In the ``hg
             echo foo`` call above, ``$HG_ARGS`` would expand to ``echo foo``.
             .. note::
                Some global configuration options such as ``-R`` are
                processed before shell aliases and will thus not be passed to
                aliases.
             ``annotate``
             ------------
             Settings used when displaying file annotations. All values are
             Booleans and default to False. See :hg:`help config.diff` for
             related options for the diff command.
             ``ignorews``
                 Ignore white space when comparing lines.
             ``ignorewsamount``
                 Ignore changes in the amount of white space.
             ``ignoreblanklines``
                 Ignore changes whose lines are all blank.
             ``auth``
             --------
             Authentication credentials for HTTP authentication. This section
             allows you to store usernames and passwords for use when logging
             *into* HTTP servers. See :hg:`help config.web` if
             you want to configure *who* can login to your HTTP server.
             Each line has the following format::
                 <name>.<argument> = <value>
             where ``<name>`` is used to group arguments into authentication
             entries. Example::
                 foo.prefix = hg.intevation.de/mercurial
                 foo.username = foo
                 foo.password = bar
                 foo.schemes = http https
                 bar.prefix = secure.example.org
                 bar.key = path/to/file.key
                 bar.cert = path/to/file.cert
                 bar.schemes = https
             Supported arguments:
             ``prefix``
                 Either ``*`` or a URI prefix with or without the scheme part.
                 The authentication entry with the longest matching prefix is used
                 (where ``*`` matches everything and counts as a match of length
 ). If the prefix doesn't include a scheme, the match is performed
                 against the URI with its scheme stripped as well, and the schemes
                 argument, q.v., is then subsequently consulted.
             ``username``
                 Optional. Username to authenticate with. If not given, and the
                 remote site requires basic or digest authentication, the user will
                 be prompted for it. Environment variables are expanded in the
                 username letting you do ``foo.username = $USER``. If the URI
                 includes a username, only ``[auth]`` entries with a matching
                 username or without a username will be considered.
             ``password``
                 Optional. Password to authenticate with. If not given, and the
                 remote site requires basic or digest authentication, the user
                 will be prompted for it.
             ``key``
                 Optional. PEM encoded client certificate key file. Environment
                 variables are expanded in the filename.
             ``cert``
                 Optional. PEM encoded client certificate chain file. Environment
                 variables are expanded in the filename.
             ``schemes``
                 Optional. Space separated list of URI schemes to use this
                 authentication entry with. Only used if the prefix doesn't include
                 a scheme. Supported schemes are http and https. They will match
                 static-http and static-https respectively, as well.
                 (default: https)
             If no suitable authentication entry is found, the user is prompted
             for credentials as usual if required by the remote.
             ``committemplate``
             ------------------
             ``changeset``
                 String: configuration in this section is used as the template to
                 customize the text shown in the editor when committing.
             In addition to pre-defined template keywords, commit log specific one
             below can be used for customization:
             ``extramsg``
                 String: Extra message (typically 'Leave message empty to abort
                 commit.'). This may be changed by some commands or extensions.
             For example, the template configuration below shows as same text as
             one shown by default::
                 [committemplate]
                 changeset = {desc}\n\n
                     HG: Enter commit message.  Lines beginning with 'HG:' are removed.
                     HG: {extramsg}
                     HG: --
                     HG: user: {author}\n{ifeq(p2rev, "-1", "",
                    "HG: branch merge\n")
                    }HG: branch '{branch}'\n{if(activebookmark,
                    "HG: bookmark '{activebookmark}'\n")   }{subrepos %
                    "HG: subrepo {subrepo}\n"              }{file_adds %
                    "HG: added {file}\n"                   }{file_mods %
                    "HG: changed {file}\n"                 }{file_dels %
                    "HG: removed {file}\n"                 }{if(files, "",
                    "HG: no files changed\n")}
             .. note::
                For some problematic encodings (see :hg:`help win32mbcs` for
                detail), this customization should be configured carefully, to
                avoid showing broken characters.
                For example, if a multibyte character ending with backslash (0x5c) is
                followed by the ASCII character 'n' in the customized template,
                the sequence of backslash and 'n' is treated as line-feed unexpectedly
                (and the multibyte character is broken, too).
             Customized template is used for commands below (``--edit`` may be
             required):
             - :hg:`backout`
             - :hg:`commit`
             - :hg:`fetch` (for merge commit only)
             - :hg:`graft`
             - :hg:`histedit`
             - :hg:`import`
             - :hg:`qfold`, :hg:`qnew` and :hg:`qrefresh`
             - :hg:`rebase`
             - :hg:`shelve`
             - :hg:`sign`
             - :hg:`tag`
             - :hg:`transplant`
             Configuring items below instead of ``changeset`` allows showing
             customized message only for specific actions, or showing different
             messages for each action.
             - ``changeset.backout`` for :hg:`backout`
             - ``changeset.commit.amend.merge`` for :hg:`commit --amend` on merges
             - ``changeset.commit.amend.normal`` for :hg:`commit --amend` on other
             - ``changeset.commit.normal.merge`` for :hg:`commit` on merges
             - ``changeset.commit.normal.normal`` for :hg:`commit` on other
             - ``changeset.fetch`` for :hg:`fetch` (impling merge commit)
             - ``changeset.gpg.sign`` for :hg:`sign`
             - ``changeset.graft`` for :hg:`graft`
             - ``changeset.histedit.edit`` for ``edit`` of :hg:`histedit`
             - ``changeset.histedit.fold`` for ``fold`` of :hg:`histedit`
             - ``changeset.histedit.mess`` for ``mess`` of :hg:`histedit`
             - ``changeset.histedit.pick`` for ``pick`` of :hg:`histedit`
             - ``changeset.import.bypass`` for :hg:`import --bypass`
             - ``changeset.import.normal.merge`` for :hg:`import` on merges
             - ``changeset.import.normal.normal`` for :hg:`import` on other
             - ``changeset.mq.qnew`` for :hg:`qnew`
             - ``changeset.mq.qfold`` for :hg:`qfold`
             - ``changeset.mq.qrefresh`` for :hg:`qrefresh`
             - ``changeset.rebase.collapse`` for :hg:`rebase --collapse`
             - ``changeset.rebase.merge`` for :hg:`rebase` on merges
             - ``changeset.rebase.normal`` for :hg:`rebase` on other
             - ``changeset.shelve.shelve`` for :hg:`shelve`
             - ``changeset.tag.add`` for :hg:`tag` without ``--remove``
             - ``changeset.tag.remove`` for :hg:`tag --remove`
             - ``changeset.transplant.merge`` for :hg:`transplant` on merges
             - ``changeset.transplant.normal`` for :hg:`transplant` on other
             These dot-separated lists of names are treated as hierarchical ones.
             For example, ``changeset.tag.remove`` customizes the commit message
             only for :hg:`tag --remove`, but ``changeset.tag`` customizes the
             commit message for :hg:`tag` regardless of ``--remove`` option.
             When the external editor is invoked for a commit, the corresponding
             dot-separated list of names without the ``changeset.`` prefix
             (e.g. ``commit.normal.normal``) is in the ``HGEDITFORM`` environment
             variable.
             In this section, items other than ``changeset`` can be referred from
             others. For example, the configuration to list committed files up
             below can be referred as ``{listupfiles}``::
                 [committemplate]
                 listupfiles = {file_adds %
                    "HG: added {file}\n"     }{file_mods %
                    "HG: changed {file}\n"   }{file_dels %
                    "HG: removed {file}\n"   }{if(files, "",
                    "HG: no files changed\n")}
             ``decode/encode``
             -----------------
             Filters for transforming files on checkout/checkin. This would
             typically be used for newline processing or other
             localization/canonicalization of files.
             Filters consist of a filter pattern followed by a filter command.
             Filter patterns are globs by default, rooted at the repository root.
             For example, to match any file ending in ``.txt`` in the root
             directory only, use the pattern ``*.txt``. To match any file ending
             in ``.c`` anywhere in the repository, use the pattern ``**.c``.
             For each file only the first matching filter applies.
             The filter command can start with a specifier, either ``pipe:`` or
             ``tempfile:``. If no specifier is given, ``pipe:`` is used by default.
             A ``pipe:`` command must accept data on stdin and return the transformed
             data on stdout.
             Pipe example::
               [encode]
               # uncompress gzip files on checkin to improve delta compression
               # note: not necessarily a good idea, just an example
               *.gz = pipe: gunzip
               [decode]
               # recompress gzip files when writing them to the working dir (we
               # can safely omit "pipe:", because it's the default)
               *.gz = gzip
             A ``tempfile:`` command is a template. The string ``INFILE`` is replaced
             with the name of a temporary file that contains the data to be
             filtered by the command. The string ``OUTFILE`` is replaced with the name
             of an empty temporary file, where the filtered data must be written by
             the command.
             .. container:: windows
                .. note::
                  The tempfile mechanism is recommended for Windows systems,
                  where the standard shell I/O redirection operators often have
                  strange effects and may corrupt the contents of your files.
             This filter mechanism is used internally by the ``eol`` extension to
             translate line ending characters between Windows (CRLF) and Unix (LF)
             format. We suggest you use the ``eol`` extension for convenience.
             ``defaults``
             ------------
             (defaults are deprecated. Don't use them. Use aliases instead.)
             Use the ``[defaults]`` section to define command defaults, i.e. the
             default options/arguments to pass to the specified commands.
             The following example makes :hg:`log` run in verbose mode, and
             :hg:`status` show only the modified files, by default::
               [defaults]
               log = -v
               status = -m
             The actual commands, instead of their aliases, must be used when
             defining command defaults. The command defaults will also be applied
             to the aliases of the commands defined.
             ``diff``
             --------
             Settings used when displaying diffs. Everything except for ``unified``
             is a Boolean and defaults to False. See :hg:`help config.annotate`
             for related options for the annotate command.
             ``git``
                 Use git extended diff format.
             ``nobinary``
                 Omit git binary patches.
             ``nodates``
                 Don't include dates in diff headers.
             ``noprefix``
                 Omit 'a/' and 'b/' prefixes from filenames. Ignored in plain mode.
             ``showfunc``
                 Show which function each change is in.
             ``ignorews``
                 Ignore white space when comparing lines.
             ``ignorewsamount``
                 Ignore changes in the amount of white space.
             ``ignoreblanklines``
                 Ignore changes whose lines are all blank.
             ``unified``
                 Number of lines of context to show.
             ``email``
             ---------
             Settings for extensions that send email messages.
             ``from``
                 Optional. Email address to use in "From" header and SMTP envelope
                 of outgoing messages.
             ``to``
                 Optional. Comma-separated list of recipients' email addresses.
             ``cc``
                 Optional. Comma-separated list of carbon copy recipients'
                 email addresses.
             ``bcc``
                 Optional. Comma-separated list of blind carbon copy recipients'
                 email addresses.
             ``method``
                 Optional. Method to use to send email messages. If value is ``smtp``
                 (default), use SMTP (see the ``[smtp]`` section for configuration).
                 Otherwise, use as name of program to run that acts like sendmail
                 (takes ``-f`` option for sender, list of recipients on command line,
                 message on stdin). Normally, setting this to ``sendmail`` or
                 ``/usr/sbin/sendmail`` is enough to use sendmail to send messages.
             ``charsets``
                 Optional. Comma-separated list of character sets considered
                 convenient for recipients. Addresses, headers, and parts not
                 containing patches of outgoing messages will be encoded in the
                 first character set to which conversion from local encoding
                 (``$HGENCODING``, ``ui.fallbackencoding``) succeeds. If correct
                 conversion fails, the text in question is sent as is.
                 (default: '')
                 Order of outgoing email character sets:
 . ``us-ascii``: always first, regardless of settings
 . ``email.charsets``: in order given by user
 . ``ui.fallbackencoding``: if not in email.charsets
 . ``$HGENCODING``: if not in email.charsets
 . ``utf-8``: always last, regardless of settings
             Email example::
               [email]
               from = Joseph User <joe.user@example.com>
               method = /usr/sbin/sendmail
               # charsets for western Europeans
               # us-ascii, utf-8 omitted, as they are tried first and last
               charsets = iso-8859-1, iso-8859-15, windows-1252
             ``extensions``
             --------------
             Mercurial has an extension mechanism for adding new features. To
             enable an extension, create an entry for it in this section.
             If you know that the extension is already in Python's search path,
             you can give the name of the module, followed by ``=``, with nothing
             after the ``=``.
             Otherwise, give a name that you choose, followed by ``=``, followed by
             the path to the ``.py`` file (including the file name extension) that
             defines the extension.
             To explicitly disable an extension that is enabled in an hgrc of
             broader scope, prepend its path with ``!``, as in ``foo = !/ext/path``
             or ``foo = !`` when path is not supplied.
             Example for ``~/.hgrc``::
               [extensions]
               # (the color extension will get loaded from Mercurial's path)
               color =
               # (this extension will get loaded from the file specified)
               myfeature = ~/.hgext/myfeature.py
             ``format``
             ----------
             ``usegeneraldelta``
                 Enable or disable the "generaldelta" repository format which improves
                 repository compression by allowing "revlog" to store delta against arbitrary
                 revision instead of the previous stored one. This provides significant
                 improvement for repositories with branches.
                 Repositories with this on-disk format require Mercurial version 1.9.
                 Enabled by default.
             ``dotencode``
                 Enable or disable the "dotencode" repository format which enhances
                 the "fncache" repository format (which has to be enabled to use
                 dotencode) to avoid issues with filenames starting with ._ on
                 Mac OS X and spaces on Windows.
                 Repositories with this on-disk format require Mercurial version 1.7.
                 Enabled by default.
             ``usefncache``
                 Enable or disable the "fncache" repository format which enhances
                 the "store" repository format (which has to be enabled to use
                 fncache) to allow longer filenames and avoids using Windows
                 reserved names, e.g. "nul".
                 Repositories with this on-disk format require Mercurial version 1.1.
                 Enabled by default.
             ``usestore``
                 Enable or disable the "store" repository format which improves
                 compatibility with systems that fold case or otherwise mangle
                 filenames. Disabling this option will allow you to store longer filenames
                 in some situations at the expense of compatibility.
                 Repositories with this on-disk format require Mercurial version 0.9.4.
                 Enabled by default.
             ``graph``
             ---------
             Web graph view configuration. This section let you change graph
             elements display properties by branches, for instance to make the
             ``default`` branch stand out.
             Each line has the following format::
                 <branch>.<argument> = <value>
             where ``<branch>`` is the name of the branch being
             customized. Example::
                 [graph]
                 # 2px width
                 default.width = 2
                 # red color
                 default.color = FF0000
             Supported arguments:
             ``width``
                 Set branch edges width in pixels.
             ``color``
                 Set branch edges color in hexadecimal RGB notation.
             ``hooks``
             ---------
             Commands or Python functions that get automatically executed by
             various actions such as starting or finishing a commit. Multiple
             hooks can be run for the same action by appending a suffix to the
             action. Overriding a site-wide hook can be done by changing its
             value or setting it to an empty string.  Hooks can be prioritized
             by adding a prefix of ``priority.`` to the hook name on a new line
             and setting the priority. The default priority is 0.
             Example ``.hg/hgrc``::
               [hooks]
               # update working directory after adding changesets
               changegroup.update = hg update
               # do not use the site-wide hook
               incoming =
               incoming.email = /my/email/hook
               incoming.autobuild = /my/build/hook
               # force autobuild hook to run before other incoming hooks
               priority.incoming.autobuild = 1
             Most hooks are run with environment variables set that give useful
             additional information. For each hook below, the environment
             variables it is passed are listed with names of the form ``$HG_foo``.
             ``changegroup``
               Run after a changegroup has been added via push, pull or unbundle.  ID of the
               first new changeset is in ``$HG_NODE`` and last in ``$HG_NODE_LAST``. URL
               from which changes came is in ``$HG_URL``.
             ``commit``
               Run after a changeset has been created in the local repository. ID
               of the newly created changeset is in ``$HG_NODE``. Parent changeset
               IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
             ``incoming``
               Run after a changeset has been pulled, pushed, or unbundled into
               the local repository. The ID of the newly arrived changeset is in
               ``$HG_NODE``. URL that was source of changes came is in ``$HG_URL``.
             ``outgoing``
               Run after sending changes from local repository to another. ID of
               first changeset sent is in ``$HG_NODE``. Source of operation is in
               ``$HG_SOURCE``; Also see :hg:`help config.hooks.preoutgoing` hook.
             ``post-<command>``
               Run after successful invocations of the associated command. The
               contents of the command line are passed as ``$HG_ARGS`` and the result
               code in ``$HG_RESULT``. Parsed command line arguments are passed as
               ``$HG_PATS`` and ``$HG_OPTS``. These contain string representations of
               the python data internally passed to <command>. ``$HG_OPTS`` is a
               dictionary of options (with unspecified options set to their defaults).
               ``$HG_PATS`` is a list of arguments. Hook failure is ignored.
             ``fail-<command>``
               Run after a failed invocation of an associated command. The contents
               of the command line are passed as ``$HG_ARGS``. Parsed command line
               arguments are passed as ``$HG_PATS`` and ``$HG_OPTS``. These contain
               string representations of the python data internally passed to
               <command>. ``$HG_OPTS`` is a dictionary of options (with unspecified
               options set to their defaults). ``$HG_PATS`` is a list of arguments.
               Hook failure is ignored.
             ``pre-<command>``
               Run before executing the associated command. The contents of the
               command line are passed as ``$HG_ARGS``. Parsed command line arguments
               are passed as ``$HG_PATS`` and ``$HG_OPTS``. These contain string
               representations of the data internally passed to <command>. ``$HG_OPTS``
               is a dictionary of options (with unspecified options set to their
               defaults). ``$HG_PATS`` is a list of arguments. If the hook returns
               failure, the command doesn't execute and Mercurial returns the failure
               code.
             ``prechangegroup``
               Run before a changegroup is added via push, pull or unbundle. Exit
               status 0 allows the changegroup to proceed. Non-zero status will
               cause the push, pull or unbundle to fail. URL from which changes
               will come is in ``$HG_URL``.
             ``precommit``
               Run before starting a local commit. Exit status 0 allows the
               commit to proceed. Non-zero status will cause the commit to fail.
               Parent changeset IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
             ``prelistkeys``
               Run before listing pushkeys (like bookmarks) in the
               repository. Non-zero status will cause failure. The key namespace is
               in ``$HG_NAMESPACE``.
             ``preoutgoing``
               Run before collecting changes to send from the local repository to
               another. Non-zero status will cause failure. This lets you prevent
               pull over HTTP or SSH. Also prevents against local pull, push
               (outbound) or bundle commands, but not effective, since you can
               just copy files instead then. Source of operation is in
               ``$HG_SOURCE``. If "serve", operation is happening on behalf of remote
               SSH or HTTP repository. If "push", "pull" or "bundle", operation
               is happening on behalf of repository on same system.
             ``prepushkey``
               Run before a pushkey (like a bookmark) is added to the
               repository. Non-zero status will cause the key to be rejected. The
               key namespace is in ``$HG_NAMESPACE``, the key is in ``$HG_KEY``,
               the old value (if any) is in ``$HG_OLD``, and the new value is in
               ``$HG_NEW``.
             ``pretag``
               Run before creating a tag. Exit status 0 allows the tag to be
               created. Non-zero status will cause the tag to fail. ID of
               changeset to tag is in ``$HG_NODE``. Name of tag is in ``$HG_TAG``. Tag is
               local if ``$HG_LOCAL=1``, in repository if ``$HG_LOCAL=0``.
             ``pretxnopen``
               Run before any new repository transaction is open. The reason for the
               transaction will be in ``$HG_TXNNAME`` and a unique identifier for the
               transaction will be in ``HG_TXNID``. A non-zero status will prevent the
               transaction from being opened.
             ``pretxnclose``
               Run right before the transaction is actually finalized. Any repository change
               will be visible to the hook program. This lets you validate the transaction
               content or change it. Exit status 0 allows the commit to proceed. Non-zero
               status will cause the transaction to be rolled back. The reason for the
               transaction opening will be in ``$HG_TXNNAME`` and a unique identifier for
               the transaction will be in ``HG_TXNID``. The rest of the available data will
               vary according the transaction type. New changesets will add ``$HG_NODE`` (id
               of the first added changeset), ``$HG_NODE_LAST`` (id of the last added
               changeset), ``$HG_URL`` and ``$HG_SOURCE`` variables, bookmarks and phases
               changes will set ``HG_BOOKMARK_MOVED`` and ``HG_PHASES_MOVED`` to ``1``, etc.
             ``txnclose``
               Run after any repository transaction has been committed. At this
               point, the transaction can no longer be rolled back. The hook will run
               after the lock is released. See :hg:`help config.hooks.pretxnclose` docs for
               details about available variables.
             ``txnabort``
               Run when a transaction is aborted. See :hg:`help config.hooks.pretxnclose`
               docs for details about available variables.
             ``pretxnchangegroup``
               Run after a changegroup has been added via push, pull or unbundle, but before
               the transaction has been committed. Changegroup is visible to hook program.
               This lets you validate incoming changes before accepting them. Passed the ID
               of the first new changeset in ``$HG_NODE`` and last in ``$HG_NODE_LAST``.
               Exit status 0 allows the transaction to commit. Non-zero status will cause
               the transaction to be rolled back and the push, pull or unbundle will fail.
               URL that was source of changes is in ``$HG_URL``.
             ``pretxncommit``
               Run after a changeset has been created but the transaction not yet
               committed. Changeset is visible to hook program. This lets you
               validate commit message and changes. Exit status 0 allows the
               commit to proceed. Non-zero status will cause the transaction to
               be rolled back. ID of changeset is in ``$HG_NODE``. Parent changeset
               IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
             ``preupdate``
               Run before updating the working directory. Exit status 0 allows
               the update to proceed. Non-zero status will prevent the update.
               Changeset ID of first new parent is in ``$HG_PARENT1``. If merge, ID
               of second new parent is in ``$HG_PARENT2``.
             ``listkeys``
               Run after listing pushkeys (like bookmarks) in the repository. The
               key namespace is in ``$HG_NAMESPACE``. ``$HG_VALUES`` is a
               dictionary containing the keys and values.
             ``pushkey``
               Run after a pushkey (like a bookmark) is added to the
               repository. The key namespace is in ``$HG_NAMESPACE``, the key is in
               ``$HG_KEY``, the old value (if any) is in ``$HG_OLD``, and the new
               value is in ``$HG_NEW``.
             ``tag``
               Run after a tag is created. ID of tagged changeset is in ``$HG_NODE``.
               Name of tag is in ``$HG_TAG``. Tag is local if ``$HG_LOCAL=1``, in
               repository if ``$HG_LOCAL=0``.
             ``update``
               Run after updating the working directory. Changeset ID of first
               new parent is in ``$HG_PARENT1``. If merge, ID of second new parent is
               in ``$HG_PARENT2``. If the update succeeded, ``$HG_ERROR=0``. If the
               update failed (e.g. because conflicts not resolved), ``$HG_ERROR=1``.
             .. note::
                It is generally better to use standard hooks rather than the
                generic pre- and post- command hooks as they are guaranteed to be
                called in the appropriate contexts for influencing transactions.
                Also, hooks like "commit" will be called in all contexts that
                generate a commit (e.g. tag) and not just the commit command.
             .. note::
                Environment variables with empty values may not be passed to
                hooks on platforms such as Windows. As an example, ``$HG_PARENT2``
                will have an empty value under Unix-like platforms for non-merge
                changesets, while it will not be available at all under Windows.
             The syntax for Python hooks is as follows::
               hookname = python:modulename.submodule.callable
               hookname = python:/path/to/python/module.py:callable
             Python hooks are run within the Mercurial process. Each hook is
             called with at least three keyword arguments: a ui object (keyword
             ``ui``), a repository object (keyword ``repo``), and a ``hooktype``
             keyword that tells what kind of hook is used. Arguments listed as
             environment variables above are passed as keyword arguments, with no
             ``HG_`` prefix, and names in lower case.
             If a Python hook returns a "true" value or raises an exception, this
             is treated as a failure.
             ``hostfingerprints``
             --------------------
             (Deprecated. Use ``[hostsecurity]``'s ``fingerprints`` options instead.)
             Fingerprints of the certificates of known HTTPS servers.
             A HTTPS connection to a server with a fingerprint configured here will
             only succeed if the servers certificate matches the fingerprint.
             This is very similar to how ssh known hosts works.
             The fingerprint is the SHA-1 hash value of the DER encoded certificate.
             Multiple values can be specified (separated by spaces or commas). This can
             be used to define both old and new fingerprints while a host transitions
             to a new certificate.
             The CA chain and web.cacerts is not used for servers with a fingerprint.
             For example::
                 [hostfingerprints]
                 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
                 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
             ``hostsecurity``
             ----------------
             Used to specify global and per-host security settings for connecting to
             other machines.
             The following options control default behavior for all hosts.
+            ``ciphers``
+                Defines the cryptographic ciphers to use for connections.
+                Value must be a valid OpenSSL Cipher List Format as documented at
+                https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-LIST-FORMAT.
+                This setting is for advanced users only. Setting to incorrect values
+                can significantly lower connection security or decrease performance.
+                You have been warned.
+                This option requires Python 2.7.
             ``minimumprotocol``
                 Defines the minimum channel encryption protocol to use.
                 By default, the highest version of TLS supported by both client and server
                 is used.
                 Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``.
                 When running on an old Python version, only ``tls1.0`` is allowed since
                 old versions of Python only support up to TLS 1.0.
                 When running a Python that supports modern TLS versions, the default is
                 ``tls1.1``. ``tls1.0`` can still be used to allow TLS 1.0. However, this
                 weakens security and should only be used as a feature of last resort if
                 a server does not support TLS 1.1+.
             Options in the ``[hostsecurity]`` section can have the form
             ``hostname``:``setting``. This allows multiple settings to be defined on a
             per-host basis.
             The following per-host settings can be defined.
+            ``ciphers``
+                This behaves like ``ciphers`` as described above except it only applies
+                to the host on which it is defined.
             ``fingerprints``
                 A list of hashes of the DER encoded peer/remote certificate. Values have
                 the form ``algorithm``:``fingerprint``. e.g.
                 ``sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2``.
                 The following algorithms/prefixes are supported: ``sha1``, ``sha256``,
                 ``sha512``.
                 Use of ``sha256`` or ``sha512`` is preferred.
                 If a fingerprint is specified, the CA chain is not validated for this
                 host and Mercurial will require the remote certificate to match one
                 of the fingerprints specified. This means if the server updates its
                 certificate, Mercurial will abort until a new fingerprint is defined.
                 This can provide stronger security than traditional CA-based validation
                 at the expense of convenience.
                 This option takes precedence over ``verifycertsfile``.
             ``minimumprotocol``
                 This behaves like ``minimumprotocol`` as described above except it
                 only applies to the host on which it is defined.
             ``verifycertsfile``
                 Path to file a containing a list of PEM encoded certificates used to
                 verify the server certificate. Environment variables and ``~user``
                 constructs are expanded in the filename.
                 The server certificate or the certificate's certificate authority (CA)
                 must match a certificate from this file or certificate verification
                 will fail and connections to the server will be refused.
                 If defined, only certificates provided by this file will be used:
                 ``web.cacerts`` and any system/default certificates will not be
                 used.
                 This option has no effect if the per-host ``fingerprints`` option
                 is set.
                 The format of the file is as follows:
                     -----BEGIN CERTIFICATE-----
                     ... (certificate in base64 PEM encoding) ...
                     -----END CERTIFICATE-----
                     -----BEGIN CERTIFICATE-----
                     ... (certificate in base64 PEM encoding) ...
                     -----END CERTIFICATE-----
             For example::
                 [hostsecurity]
                 hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2
                 hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
                 foo.example.com:verifycertsfile = /etc/ssl/trusted-ca-certs.pem
             To change the default minimum protocol version to TLS 1.2 but to allow TLS 1.1
             when connecting to ``hg.example.com``::
                 [hostsecurity]
                 minimumprotocol = tls1.2
                 hg.example.com:minimumprotocol = tls1.1
             ``http_proxy``
             --------------
             Used to access web-based Mercurial repositories through a HTTP
             proxy.
             ``host``
                 Host name and (optional) port of the proxy server, for example
                 "myproxy:8000".
             ``no``
                 Optional. Comma-separated list of host names that should bypass
                 the proxy.
             ``passwd``
                 Optional. Password to authenticate with at the proxy server.
             ``user``
                 Optional. User name to authenticate with at the proxy server.
             ``always``
                 Optional. Always use the proxy, even for localhost and any entries
                 in ``http_proxy.no``. (default: False)
             ``merge``
             ---------
             This section specifies behavior during merges and updates.
             ``checkignored``
                Controls behavior when an ignored file on disk has the same name as a tracked
                file in the changeset being merged or updated to, and has different
                contents. Options are ``abort``, ``warn`` and ``ignore``. With ``abort``,
                abort on such files. With ``warn``, warn on such files and back them up as
                ``.orig``. With ``ignore``, don't print a warning and back them up as
                ``.orig``. (default: ``abort``)
             ``checkunknown``
                Controls behavior when an unknown file that isn't ignored has the same name
                as a tracked file in the changeset being merged or updated to, and has
                different contents. Similar to ``merge.checkignored``, except for files that
                are not ignored. (default: ``abort``)
             ``merge-patterns``
             ------------------
             This section specifies merge tools to associate with particular file
             patterns. Tools matched here will take precedence over the default
             merge tool. Patterns are globs by default, rooted at the repository
             root.
             Example::
               [merge-patterns]
               **.c = kdiff3
               **.jpg = myimgmerge
             ``merge-tools``
             ---------------
             This section configures external merge tools to use for file-level
             merges. This section has likely been preconfigured at install time.
             Use :hg:`config merge-tools` to check the existing configuration.
             Also see :hg:`help merge-tools` for more details.
             Example ``~/.hgrc``::
               [merge-tools]
               # Override stock tool location
               kdiff3.executable = ~/bin/kdiff3
               # Specify command line
               kdiff3.args = $base $local $other -o $output
               # Give higher priority
               kdiff3.priority = 1
               # Changing the priority of preconfigured tool
               meld.priority = 0
               # Disable a preconfigured tool
               vimdiff.disabled = yes
               # Define new tool
               myHtmlTool.args = -m $local $other $base $output
               myHtmlTool.regkey = Software\FooSoftware\HtmlMerge
               myHtmlTool.priority = 1
             Supported arguments:
             ``priority``
               The priority in which to evaluate this tool.
               (default: 0)
             ``executable``
               Either just the name of the executable or its pathname.
               .. container:: windows
                 On Windows, the path can use environment variables with ${ProgramFiles}
                 syntax.
               (default: the tool name)
             ``args``
               The arguments to pass to the tool executable. You can refer to the
               files being merged as well as the output file through these
               variables: ``$base``, ``$local``, ``$other``, ``$output``. The meaning
               of ``$local`` and ``$other`` can vary depending on which action is being
               performed. During and update or merge, ``$local`` represents the original
               state of the file, while ``$other`` represents the commit you are updating
               to or the commit you are merging with. During a rebase ``$local``
               represents the destination of the rebase, and ``$other`` represents the
               commit being rebased.
               (default: ``$local $base $other``)
             ``premerge``
               Attempt to run internal non-interactive 3-way merge tool before
               launching external tool.  Options are ``true``, ``false``, ``keep`` or
               ``keep-merge3``. The ``keep`` option will leave markers in the file if the
               premerge fails. The ``keep-merge3`` will do the same but include information
               about the base of the merge in the marker (see internal :merge3 in
               :hg:`help merge-tools`).
               (default: True)
             ``binary``
               This tool can merge binary files. (default: False, unless tool
               was selected by file pattern match)
             ``symlink``
               This tool can merge symlinks. (default: False)
             ``check``
               A list of merge success-checking options:
               ``changed``
                 Ask whether merge was successful when the merged file shows no changes.
               ``conflicts``
                 Check whether there are conflicts even though the tool reported success.
               ``prompt``
                 Always prompt for merge success, regardless of success reported by tool.
             ``fixeol``
               Attempt to fix up EOL changes caused by the merge tool.
               (default: False)
             ``gui``
               This tool requires a graphical interface to run. (default: False)
             .. container:: windows
               ``regkey``
                 Windows registry key which describes install location of this
                 tool. Mercurial will search for this key first under
                 ``HKEY_CURRENT_USER`` and then under ``HKEY_LOCAL_MACHINE``.
                 (default: None)
               ``regkeyalt``
                 An alternate Windows registry key to try if the first key is not
                 found.  The alternate key uses the same ``regname`` and ``regappend``
                 semantics of the primary key.  The most common use for this key
                 is to search for 32bit applications on 64bit operating systems.
                 (default: None)
               ``regname``
                 Name of value to read from specified registry key.
                 (default: the unnamed (default) value)
               ``regappend``
                 String to append to the value read from the registry, typically
                 the executable name of the tool.
                 (default: None)
             ``patch``
             ---------
             Settings used when applying patches, for instance through the 'import'
             command or with Mercurial Queues extension.
             ``eol``
                 When set to 'strict' patch content and patched files end of lines
                 are preserved. When set to ``lf`` or ``crlf``, both files end of
                 lines are ignored when patching and the result line endings are
                 normalized to either LF (Unix) or CRLF (Windows). When set to
                 ``auto``, end of lines are again ignored while patching but line
                 endings in patched files are normalized to their original setting
                 on a per-file basis. If target file does not exist or has no end
                 of line, patch line endings are preserved.
                 (default: strict)
             ``fuzz``
                 The number of lines of 'fuzz' to allow when applying patches. This
                 controls how much context the patcher is allowed to ignore when
                 trying to apply a patch.
                 (default: 2)
             ``paths``
             ---------
             Assigns symbolic names and behavior to repositories.
             Options are symbolic names defining the URL or directory that is the
             location of the repository. Example::
                 [paths]
                 my_server = https://example.com/my_repo
                 local_path = /home/me/repo
             These symbolic names can be used from the command line. To pull
             from ``my_server``: :hg:`pull my_server`. To push to ``local_path``:
             :hg:`push local_path`.
             Options containing colons (``:``) denote sub-options that can influence
             behavior for that specific path. Example::
                 [paths]
                 my_server = https://example.com/my_path
                 my_server:pushurl = ssh://example.com/my_path
             The following sub-options can be defined:
             ``pushurl``
                The URL to use for push operations. If not defined, the location
                defined by the path's main entry is used.
             ``pushrev``
                A revset defining which revisions to push by default.
                When :hg:`push` is executed without a ``-r`` argument, the revset
                defined by this sub-option is evaluated to determine what to push.
                For example, a value of ``.`` will push the working directory's
                revision by default.
                Revsets specifying bookmarks will not result in the bookmark being
                pushed.
             The following special named paths exist:
             ``default``
                The URL or directory to use when no source or remote is specified.
                :hg:`clone` will automatically define this path to the location the
                repository was cloned from.
             ``default-push``
                (deprecated) The URL or directory for the default :hg:`push` location.
                ``default:pushurl`` should be used instead.
             ``phases``
             ----------
             Specifies default handling of phases. See :hg:`help phases` for more
             information about working with phases.
             ``publish``
                 Controls draft phase behavior when working as a server. When true,
                 pushed changesets are set to public in both client and server and
                 pulled or cloned changesets are set to public in the client.
                 (default: True)
             ``new-commit``
                 Phase of newly-created commits.
                 (default: draft)
             ``checksubrepos``
                 Check the phase of the current revision of each subrepository. Allowed
                 values are "ignore", "follow" and "abort". For settings other than
                 "ignore", the phase of the current revision of each subrepository is
                 checked before committing the parent repository. If any of those phases is
                 greater than the phase of the parent repository (e.g. if a subrepo is in a
                 "secret" phase while the parent repo is in "draft" phase), the commit is
                 either aborted (if checksubrepos is set to "abort") or the higher phase is
                 used for the parent repository commit (if set to "follow").
                 (default: follow)
             ``profiling``
             -------------
             Specifies profiling type, format, and file output. Two profilers are
             supported: an instrumenting profiler (named ``ls``), and a sampling
             profiler (named ``stat``).
             In this section description, 'profiling data' stands for the raw data
             collected during profiling, while 'profiling report' stands for a
             statistical text report generated from the profiling data. The
             profiling is done using lsprof.
             ``type``
                 The type of profiler to use.
                 (default: ls)
                 ``ls``
                   Use Python's built-in instrumenting profiler. This profiler
                   works on all platforms, but each line number it reports is the
                   first line of a function. This restriction makes it difficult to
                   identify the expensive parts of a non-trivial function.
                 ``stat``
                   Use a third-party statistical profiler, statprof. This profiler
                   currently runs only on Unix systems, and is most useful for
                   profiling commands that run for longer than about 0.1 seconds.
             ``format``
                 Profiling format.  Specific to the ``ls`` instrumenting profiler.
                 (default: text)
                 ``text``
                   Generate a profiling report. When saving to a file, it should be
                   noted that only the report is saved, and the profiling data is
                   not kept.
                 ``kcachegrind``
                   Format profiling data for kcachegrind use: when saving to a
                   file, the generated file can directly be loaded into
                   kcachegrind.
             ``frequency``
                 Sampling frequency.  Specific to the ``stat`` sampling profiler.
                 (default: 1000)
             ``output``
                 File path where profiling data or report should be saved. If the
                 file exists, it is replaced. (default: None, data is printed on
                 stderr)
             ``sort``
                 Sort field.  Specific to the ``ls`` instrumenting profiler.
                 One of ``callcount``, ``reccallcount``, ``totaltime`` and
                 ``inlinetime``.
                 (default: inlinetime)
             ``limit``
                 Number of lines to show. Specific to the ``ls`` instrumenting profiler.
                 (default: 30)
             ``nested``
                 Show at most this number of lines of drill-down info after each main entry.
                 This can help explain the difference between Total and Inline.
                 Specific to the ``ls`` instrumenting profiler.
                 (default: 5)
             ``progress``
             ------------
             Mercurial commands can draw progress bars that are as informative as
             possible. Some progress bars only offer indeterminate information, while others
             have a definite end point.
             ``delay``
                 Number of seconds (float) before showing the progress bar. (default: 3)
             ``changedelay``
                 Minimum delay before showing a new topic. When set to less than 3 * refresh,
                 that value will be used instead. (default: 1)
             ``refresh``
                 Time in seconds between refreshes of the progress bar. (default: 0.1)
             ``format``
                 Format of the progress bar.
                 Valid entries for the format field are ``topic``, ``bar``, ``number``,
                 ``unit``, ``estimate``, ``speed``, and ``item``. ``item`` defaults to the
                 last 20 characters of the item, but this can be changed by adding either
                 ``-<num>`` which would take the last num characters, or ``+<num>`` for the
                 first num characters.
                 (default: topic bar number estimate)
             ``width``
                 If set, the maximum width of the progress information (that is, min(width,
                 term width) will be used).
             ``clear-complete``
                 Clear the progress bar after it's done. (default: True)
             ``disable``
                 If true, don't show a progress bar.
             ``assume-tty``
                 If true, ALWAYS show a progress bar, unless disable is given.
             ``rebase``
             ----------
             ``allowdivergence``
                 Default to False, when True allow creating divergence when performing
                 rebase of obsolete changesets.
             ``revsetalias``
             ---------------
             Alias definitions for revsets. See :hg:`help revsets` for details.
             ``server``
             ----------
             Controls generic server settings.
             ``uncompressed``
                 Whether to allow clients to clone a repository using the
                 uncompressed streaming protocol. This transfers about 40% more
                 data than a regular clone, but uses less memory and CPU on both
                 server and client. Over a LAN (100 Mbps or better) or a very fast
                 WAN, an uncompressed streaming clone is a lot faster (~10x) than a
                 regular clone. Over most WAN connections (anything slower than
                 about 6 Mbps), uncompressed streaming is slower, because of the
                 extra data transfer overhead. This mode will also temporarily hold
                 the write lock while determining what data to transfer.
                 (default: True)
             ``preferuncompressed``
                 When set, clients will try to use the uncompressed streaming
                 protocol. (default: False)
             ``validate``
                 Whether to validate the completeness of pushed changesets by
                 checking that all new file revisions specified in manifests are
                 present. (default: False)
             ``maxhttpheaderlen``
                 Instruct HTTP clients not to send request headers longer than this
                 many bytes. (default: 1024)
             ``bundle1``
                 Whether to allow clients to push and pull using the legacy bundle1
                 exchange format. (default: True)
             ``bundle1gd``
                 Like ``bundle1`` but only used if the repository is using the
                 *generaldelta* storage format. (default: True)
             ``bundle1.push``
                 Whether to allow clients to push using the legacy bundle1 exchange
                 format. (default: True)
             ``bundle1gd.push``
                 Like ``bundle1.push`` but only used if the repository is using the
                 *generaldelta* storage format. (default: True)
             ``bundle1.pull``
                 Whether to allow clients to pull using the legacy bundle1 exchange
                 format. (default: True)
             ``bundle1gd.pull``
                 Like ``bundle1.pull`` but only used if the repository is using the
                 *generaldelta* storage format. (default: True)
                 Large repositories using the *generaldelta* storage format should
                 consider setting this option because converting *generaldelta*
                 repositories to the exchange format required by the bundle1 data
                 format can consume a lot of CPU.
             ``smtp``
             --------
             Configuration for extensions that need to send email messages.
             ``host``
                 Host name of mail server, e.g. "mail.example.com".
             ``port``
                 Optional. Port to connect to on mail server. (default: 465 if
                 ``tls`` is smtps; 25 otherwise)
             ``tls``
                 Optional. Method to enable TLS when connecting to mail server: starttls,
                 smtps or none. (default: none)
             ``username``
                 Optional. User name for authenticating with the SMTP server.
                 (default: None)
             ``password``
                 Optional. Password for authenticating with the SMTP server. If not
                 specified, interactive sessions will prompt the user for a
                 password; non-interactive sessions will fail. (default: None)
             ``local_hostname``
                 Optional. The hostname that the sender can use to identify
                 itself to the MTA.
             ``subpaths``
             ------------
             Subrepository source URLs can go stale if a remote server changes name
             or becomes temporarily unavailable. This section lets you define
             rewrite rules of the form::
                 <pattern> = <replacement>
             where ``pattern`` is a regular expression matching a subrepository
             source URL and ``replacement`` is the replacement string used to
             rewrite it. Groups can be matched in ``pattern`` and referenced in
             ``replacements``. For instance::
                 http://server/(.*)-hg/ = http://hg.server/\1/
             rewrites ``http://server/foo-hg/`` into ``http://hg.server/foo/``.
             Relative subrepository paths are first made absolute, and the
             rewrite rules are then applied on the full (absolute) path. If ``pattern``
             doesn't match the full path, an attempt is made to apply it on the
             relative path alone. The rules are applied in definition order.
             ``templatealias``
             -----------------
             Alias definitions for templates. See :hg:`help templates` for details.
             ``trusted``
             -----------
             Mercurial will not use the settings in the
             ``.hg/hgrc`` file from a repository if it doesn't belong to a trusted
             user or to a trusted group, as various hgrc features allow arbitrary
             commands to be run. This issue is often encountered when configuring
             hooks or extensions for shared repositories or servers. However,
             the web interface will use some safe settings from the ``[web]``
             section.
             This section specifies what users and groups are trusted. The
             current user is always trusted. To trust everybody, list a user or a
             group with name ``*``. These settings must be placed in an
             *already-trusted file* to take effect, such as ``$HOME/.hgrc`` of the
             user or service running Mercurial.
             ``users``
               Comma-separated list of trusted users.
             ``groups``
               Comma-separated list of trusted groups.
             ``ui``
             ------
             User interface controls.
             ``archivemeta``
                 Whether to include the .hg_archival.txt file containing meta data
                 (hashes for the repository base and for tip) in archives created
                 by the :hg:`archive` command or downloaded via hgweb.
                 (default: True)
             ``askusername``
                 Whether to prompt for a username when committing. If True, and
                 neither ``$HGUSER`` nor ``$EMAIL`` has been specified, then the user will
                 be prompted to enter a username. If no username is entered, the
                 default ``USER@HOST`` is used instead.
                 (default: False)
             ``clonebundles``
                 Whether the "clone bundles" feature is enabled.
                 When enabled, :hg:`clone` may download and apply a server-advertised
                 bundle file from a URL instead of using the normal exchange mechanism.
                 This can likely result in faster and more reliable clones.
                 (default: True)
             ``clonebundlefallback``
                 Whether failure to apply an advertised "clone bundle" from a server
                 should result in fallback to a regular clone.
                 This is disabled by default because servers advertising "clone
                 bundles" often do so to reduce server load. If advertised bundles
                 start mass failing and clients automatically fall back to a regular
                 clone, this would add significant and unexpected load to the server
                 since the server is expecting clone operations to be offloaded to
                 pre-generated bundles. Failing fast (the default behavior) ensures
                 clients don't overwhelm the server when "clone bundle" application
                 fails.
                 (default: False)
             ``clonebundleprefers``
                 Defines preferences for which "clone bundles" to use.
                 Servers advertising "clone bundles" may advertise multiple available
                 bundles. Each bundle may have different attributes, such as the bundle
                 type and compression format. This option is used to prefer a particular
                 bundle over another.
                 The following keys are defined by Mercurial:
                 BUNDLESPEC
                    A bundle type specifier. These are strings passed to :hg:`bundle -t`.
                    e.g. ``gzip-v2`` or ``bzip2-v1``.
                 COMPRESSION
                    The compression format of the bundle. e.g. ``gzip`` and ``bzip2``.
                 Server operators may define custom keys.
                 Example values: ``COMPRESSION=bzip2``,
                 ``BUNDLESPEC=gzip-v2, COMPRESSION=gzip``.
                 By default, the first bundle advertised by the server is used.
             ``commitsubrepos``
                 Whether to commit modified subrepositories when committing the
                 parent repository. If False and one subrepository has uncommitted
                 changes, abort the commit.
                 (default: False)
             ``debug``
                 Print debugging information. (default: False)
             ``editor``
                 The editor to use during a commit. (default: ``$EDITOR`` or ``vi``)
             ``fallbackencoding``
                 Encoding to try if it's not possible to decode the changelog using
                 UTF-8. (default: ISO-8859-1)
             ``graphnodetemplate``
                 The template used to print changeset nodes in an ASCII revision graph.
                 (default: ``{graphnode}``)
             ``ignore``
                 A file to read per-user ignore patterns from. This file should be
                 in the same format as a repository-wide .hgignore file. Filenames
                 are relative to the repository root. This option supports hook syntax,
                 so if you want to specify multiple ignore files, you can do so by
                 setting something like ``ignore.other = ~/.hgignore2``. For details
                 of the ignore file format, see the ``hgignore(5)`` man page.
             ``interactive``
                 Allow to prompt the user. (default: True)
             ``interface``
                 Select the default interface for interactive features (default: text).
                 Possible values are 'text' and 'curses'.
             ``interface.chunkselector``
                 Select the interface for change recording (e.g. :hg:`commit` -i).
                 Possible values are 'text' and 'curses'.
                 This config overrides the interface specified by ui.interface.
             ``logtemplate``
                 Template string for commands that print changesets.
             ``merge``
                 The conflict resolution program to use during a manual merge.
                 For more information on merge tools see :hg:`help merge-tools`.
                 For configuring merge tools see the ``[merge-tools]`` section.
             ``mergemarkers``
                 Sets the merge conflict marker label styling. The ``detailed``
                 style uses the ``mergemarkertemplate`` setting to style the labels.
                 The ``basic`` style just uses 'local' and 'other' as the marker label.
                 One of ``basic`` or ``detailed``.
                 (default: ``basic``)
             ``mergemarkertemplate``
                 The template used to print the commit description next to each conflict
                 marker during merge conflicts. See :hg:`help templates` for the template
                 format.
                 Defaults to showing the hash, tags, branches, bookmarks, author, and
                 the first line of the commit description.
                 If you use non-ASCII characters in names for tags, branches, bookmarks,
                 authors, and/or commit descriptions, you must pay attention to encodings of
                 managed files. At template expansion, non-ASCII characters use the encoding
                 specified by the ``--encoding`` global option, ``HGENCODING`` or other
                 environment variables that govern your locale. If the encoding of the merge
                 markers is different from the encoding of the merged files,
                 serious problems may occur.
             ``origbackuppath``
                 The path to a directory used to store generated .orig files. If the path is
                 not a directory, one will be created.
             ``patch``
                 An optional external tool that ``hg import`` and some extensions
                 will use for applying patches. By default Mercurial uses an
                 internal patch utility. The external tool must work as the common
                 Unix ``patch`` program. In particular, it must accept a ``-p``
                 argument to strip patch headers, a ``-d`` argument to specify the
                 current directory, a file name to patch, and a patch file to take
                 from stdin.
                 It is possible to specify a patch tool together with extra
                 arguments. For example, setting this option to ``patch --merge``
                 will use the ``patch`` program with its 2-way merge option.
             ``portablefilenames``
                 Check for portable filenames. Can be ``warn``, ``ignore`` or ``abort``.
                 (default: ``warn``)
                 ``warn``
                   Print a warning message on POSIX platforms, if a file with a non-portable
                   filename is added (e.g. a file with a name that can't be created on
                   Windows because it contains reserved parts like ``AUX``, reserved
                   characters like ``:``, or would cause a case collision with an existing
                   file).
                 ``ignore``
                   Don't print a warning.
                 ``abort``
                   The command is aborted.
                 ``true``
                   Alias for ``warn``.
                 ``false``
                   Alias for ``ignore``.
                 .. container:: windows
                   On Windows, this configuration option is ignored and the command aborted.
             ``quiet``
                 Reduce the amount of output printed.
                 (default: False)
             ``remotecmd``
                 Remote command to use for clone/push/pull operations.
                 (default: ``hg``)
             ``report_untrusted``
                 Warn if a ``.hg/hgrc`` file is ignored due to not being owned by a
                 trusted user or group.
                 (default: True)
             ``slash``
                 Display paths using a slash (``/``) as the path separator. This
                 only makes a difference on systems where the default path
                 separator is not the slash character (e.g. Windows uses the
                 backslash character (``\``)).
                 (default: False)
             ``statuscopies``
                 Display copies in the status command.
             ``ssh``
                 Command to use for SSH connections. (default: ``ssh``)
             ``strict``
                 Require exact command names, instead of allowing unambiguous
                 abbreviations. (default: False)
             ``style``
                 Name of style to use for command output.
             ``supportcontact``
                 A URL where users should report a Mercurial traceback. Use this if you are a
                 large organisation with its own Mercurial deployment process and crash
                 reports should be addressed to your internal support.
             ``textwidth``
                 Maximum width of help text. A longer line generated by ``hg help`` or
                 ``hg subcommand --help`` will be broken after white space to get this
                 width or the terminal width, whichever comes first.
                 A non-positive value will disable this and the terminal width will be
                 used. (default: 78)
             ``timeout``
                 The timeout used when a lock is held (in seconds), a negative value
                 means no timeout. (default: 600)
             ``traceback``
                 Mercurial always prints a traceback when an unknown exception
                 occurs. Setting this to True will make Mercurial print a traceback
                 on all exceptions, even those recognized by Mercurial (such as
                 IOError or MemoryError). (default: False)
             ``username``
                 The committer of a changeset created when running "commit".
                 Typically a person's name and email address, e.g. ``Fred Widget
                 <fred@example.com>``. Environment variables in the
                 username are expanded.
                 (default: ``$EMAIL`` or ``username@hostname``. If the username in
                 hgrc is empty, e.g. if the system admin set ``username =`` in the
                 system hgrc, it has to be specified manually or in a different
                 hgrc file)
             ``verbose``
                 Increase the amount of output printed. (default: False)
             ``web``
             -------
             Web interface configuration. The settings in this section apply to
             both the builtin webserver (started by :hg:`serve`) and the script you
             run through a webserver (``hgweb.cgi`` and the derivatives for FastCGI
             and WSGI).
             The Mercurial webserver does no authentication (it does not prompt for
             usernames and passwords to validate *who* users are), but it does do
             authorization (it grants or denies access for *authenticated users*
             based on settings in this section). You must either configure your
             webserver to do authentication for you, or disable the authorization
             checks.
             For a quick setup in a trusted environment, e.g., a private LAN, where
             you want it to accept pushes from anybody, you can use the following
             command line::
                 $ hg --config web.allow_push=* --config web.push_ssl=False serve
             Note that this will allow anybody to push anything to the server and
             that this should not be used for public servers.
             The full set of options is:
             ``accesslog``
                 Where to output the access log. (default: stdout)
             ``address``
                 Interface address to bind to. (default: all)
             ``allow_archive``
                 List of archive format (bz2, gz, zip) allowed for downloading.
                 (default: empty)
             ``allowbz2``
                 (DEPRECATED) Whether to allow .tar.bz2 downloading of repository
                 revisions.
                 (default: False)
             ``allowgz``
                 (DEPRECATED) Whether to allow .tar.gz downloading of repository
                 revisions.
                 (default: False)
             ``allowpull``
                 Whether to allow pulling from the repository. (default: True)
             ``allow_push``
                 Whether to allow pushing to the repository. If empty or not set,
                 pushing is not allowed. If the special value ``*``, any remote
                 user can push, including unauthenticated users. Otherwise, the
                 remote user must have been authenticated, and the authenticated
                 user name must be present in this list. The contents of the
                 allow_push list are examined after the deny_push list.
             ``allow_read``
                 If the user has not already been denied repository access due to
                 the contents of deny_read, this list determines whether to grant
                 repository access to the user. If this list is not empty, and the
                 user is unauthenticated or not present in the list, then access is
                 denied for the user. If the list is empty or not set, then access
                 is permitted to all users by default. Setting allow_read to the
                 special value ``*`` is equivalent to it not being set (i.e. access
                 is permitted to all users). The contents of the allow_read list are
                 examined after the deny_read list.
             ``allowzip``
                 (DEPRECATED) Whether to allow .zip downloading of repository
                 revisions. This feature creates temporary files.
                 (default: False)
             ``archivesubrepos``
                 Whether to recurse into subrepositories when archiving.
                 (default: False)
             ``baseurl``
                 Base URL to use when publishing URLs in other locations, so
                 third-party tools like email notification hooks can construct
                 URLs. Example: ``http://hgserver/repos/``.
             ``cacerts``
                 Path to file containing a list of PEM encoded certificate
                 authority certificates. Environment variables and ``~user``
                 constructs are expanded in the filename. If specified on the
                 client, then it will verify the identity of remote HTTPS servers
                 with these certificates.
                 To disable SSL verification temporarily, specify ``--insecure`` from
                 command line.
                 You can use OpenSSL's CA certificate file if your platform has
                 one. On most Linux systems this will be
                 ``/etc/ssl/certs/ca-certificates.crt``. Otherwise you will have to
                 generate this file manually. The form must be as follows::
                     -----BEGIN CERTIFICATE-----
                     ... (certificate in base64 PEM encoding) ...
                     -----END CERTIFICATE-----
                     -----BEGIN CERTIFICATE-----
                     ... (certificate in base64 PEM encoding) ...
                     -----END CERTIFICATE-----
             ``cache``
                 Whether to support caching in hgweb. (default: True)
             ``certificate``
                 Certificate to use when running :hg:`serve`.
             ``collapse``
                 With ``descend`` enabled, repositories in subdirectories are shown at
                 a single level alongside repositories in the current path. With
                 ``collapse`` also enabled, repositories residing at a deeper level than
                 the current path are grouped behind navigable directory entries that
                 lead to the locations of these repositories. In effect, this setting
                 collapses each collection of repositories found within a subdirectory
                 into a single entry for that subdirectory. (default: False)
             ``comparisoncontext``
                 Number of lines of context to show in side-by-side file comparison. If
                 negative or the value ``full``, whole files are shown. (default: 5)
                 This setting can be overridden by a ``context`` request parameter to the
                 ``comparison`` command, taking the same values.
             ``contact``
                 Name or email address of the person in charge of the repository.
                 (default: ui.username or ``$EMAIL`` or "unknown" if unset or empty)
             ``deny_push``
                 Whether to deny pushing to the repository. If empty or not set,
                 push is not denied. If the special value ``*``, all remote users are
                 denied push. Otherwise, unauthenticated users are all denied, and
                 any authenticated user name present in this list is also denied. The
                 contents of the deny_push list are examined before the allow_push list.
             ``deny_read``
                 Whether to deny reading/viewing of the repository. If this list is
                 not empty, unauthenticated users are all denied, and any
                 authenticated user name present in this list is also denied access to
                 the repository. If set to the special value ``*``, all remote users
                 are denied access (rarely needed ;). If deny_read is empty or not set,
                 the determination of repository access depends on the presence and
                 content of the allow_read list (see description). If both
                 deny_read and allow_read are empty or not set, then access is
                 permitted to all users by default. If the repository is being
                 served via hgwebdir, denied users will not be able to see it in
                 the list of repositories. The contents of the deny_read list have
                 priority over (are examined before) the contents of the allow_read
                 list.
             ``descend``
                 hgwebdir indexes will not descend into subdirectories. Only repositories
                 directly in the current path will be shown (other repositories are still
                 available from the index corresponding to their containing path).
             ``description``
                 Textual description of the repository's purpose or contents.
                 (default: "unknown")
             ``encoding``
                 Character encoding name. (default: the current locale charset)
                 Example: "UTF-8".
             ``errorlog``
                 Where to output the error log. (default: stderr)
             ``guessmime``
                 Control MIME types for raw download of file content.
                 Set to True to let hgweb guess the content type from the file
                 extension. This will serve HTML files as ``text/html`` and might
                 allow cross-site scripting attacks when serving untrusted
                 repositories. (default: False)
             ``hidden``
                 Whether to hide the repository in the hgwebdir index.
                 (default: False)
             ``ipv6``
                 Whether to use IPv6. (default: False)
             ``labels``
                 List of string *labels* associated with the repository.
                 Labels are exposed as a template keyword and can be used to customize
                 output. e.g. the ``index`` template can group or filter repositories
                 by labels and the ``summary`` template can display additional content
                 if a specific label is present.
             ``logoimg``
                 File name of the logo image that some templates display on each page.
                 The file name is relative to ``staticurl``. That is, the full path to
                 the logo image is "staticurl/logoimg".
                 If unset, ``hglogo.png`` will be used.
             ``logourl``
                 Base URL to use for logos. If unset, ``https://mercurial-scm.org/``
                 will be used.
             ``maxchanges``
                 Maximum number of changes to list on the changelog. (default: 10)
             ``maxfiles``
                 Maximum number of files to list per changeset. (default: 10)
             ``maxshortchanges``
                 Maximum number of changes to list on the shortlog, graph or filelog
                 pages. (default: 60)
             ``name``
                 Repository name to use in the web interface.
                 (default: current working directory)
             ``port``
                 Port to listen on. (default: 8000)
             ``prefix``
                 Prefix path to serve from. (default: '' (server root))
             ``push_ssl``
                 Whether to require that inbound pushes be transported over SSL to
                 prevent password sniffing. (default: True)
             ``refreshinterval``
                 How frequently directory listings re-scan the filesystem for new
                 repositories, in seconds. This is relevant when wildcards are used
                 to define paths. Depending on how much filesystem traversal is
                 required, refreshing may negatively impact performance.
                 Values less than or equal to 0 always refresh.
                 (default: 20)
             ``staticurl``
                 Base URL to use for static files. If unset, static files (e.g. the
                 hgicon.png favicon) will be served by the CGI script itself. Use
                 this setting to serve them directly with the HTTP server.
                 Example: ``http://hgserver/static/``.
             ``stripes``
                 How many lines a "zebra stripe" should span in multi-line output.
                 Set to 0 to disable. (default: 1)
             ``style``
                 Which template map style to use. The available options are the names of
                 subdirectories in the HTML templates path. (default: ``paper``)
                 Example: ``monoblue``.
             ``templates``
                 Where to find the HTML templates. The default path to the HTML templates
                 can be obtained from ``hg debuginstall``.
             ``websub``
             ----------
             Web substitution filter definition. You can use this section to
             define a set of regular expression substitution patterns which
             let you automatically modify the hgweb server output.
             The default hgweb templates only apply these substitution patterns
             on the revision description fields. You can apply them anywhere
             you want when you create your own templates by adding calls to the
             "websub" filter (usually after calling the "escape" filter).
             This can be used, for example, to convert issue references to links
             to your issue tracker, or to convert "markdown-like" syntax into
             HTML (see the examples below).
             Each entry in this section names a substitution filter.
             The value of each entry defines the substitution expression itself.
             The websub expressions follow the old interhg extension syntax,
             which in turn imitates the Unix sed replacement syntax::
                 patternname = s/SEARCH_REGEX/REPLACE_EXPRESSION/[i]
             You can use any separator other than "/". The final "i" is optional
             and indicates that the search must be case insensitive.
             Examples::
                 [websub]
                 issues = s|issue(\d+)|<a href="http://bts.example.org/issue\1">issue\1</a>|i
                 italic = s/\b_(\S+)_\b/<i>\1<\/i>/
                 bold = s/\*\b(\S+)\b\*/<b>\1<\/b>/
             ``worker``
             ----------
             Parallel master/worker configuration. We currently perform working
             directory updates in parallel on Unix-like systems, which greatly
             helps performance.
             ``numcpus``
                 Number of CPUs to use for parallel operations. A zero or
                 negative value is treated as ``use the default``.
                 (default: 4 or the number of CPUs on the system, whichever is larger)
             ``backgroundclose``
                 Whether to enable closing file handles on background threads during certain
                 operations. Some platforms aren't very efficient at closing file
                 handles that have been written or appended to. By performing file closing
                 on background threads, file write rate can increase substantially.
                 (default: true on Windows, false elsewhere)
             ``backgroundcloseminfilecount``
                 Minimum number of files required to trigger background file closing.
                 Operations not writing this many files won't start background close
                 threads.
                 (default: 2048)
             ``backgroundclosemaxqueue``
                 The maximum number of opened file handles waiting to be closed in the
                 background. This option only has an effect if ``backgroundclose`` is
                 enabled.
                 (default: 384)
             ``backgroundclosethreadcount``
                 Number of threads to process background file closes. Only relevant if
                 ``backgroundclose`` is enabled.
                 (default: 4)

mercurial/sslutil.py

0 +19 -1

             # sslutil.py - SSL handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from __future__ import absolute_import
             import hashlib
             import os
             import re
             import ssl
             import sys
             from .i18n import _
             from . import (
                 error,
                 util,
             )
             # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
             # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
             # all exposed via the "ssl" module.
             #
             # Depending on the version of Python being used, SSL/TLS support is either
             # modern/secure or legacy/insecure. Many operations in this module have
             # separate code paths depending on support in Python.
             configprotocols = set([
                 'tls1.0',
                 'tls1.1',
                 'tls1.2',
             ])
             hassni = getattr(ssl, 'HAS_SNI', False)
             try:
                 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
                 # SSL/TLS features are available.
                 SSLContext = ssl.SSLContext
                 modernssl = True
                 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
             except AttributeError:
                 modernssl = False
                 _canloaddefaultcerts = False
                 # We implement SSLContext using the interface from the standard library.
                 class SSLContext(object):
                     # ssl.wrap_socket gained the "ciphers" named argument in 2.7.
                     _supportsciphers = sys.version_info >= (2, 7)
                     def __init__(self, protocol):
                         # From the public interface of SSLContext
                         self.protocol = protocol
                         self.check_hostname = False
                         self.options = 0
                         self.verify_mode = ssl.CERT_NONE
                         # Used by our implementation.
                         self._certfile = None
                         self._keyfile = None
                         self._certpassword = None
                         self._cacerts = None
                         self._ciphers = None
                     def load_cert_chain(self, certfile, keyfile=None, password=None):
                         self._certfile = certfile
                         self._keyfile = keyfile
                         self._certpassword = password
                     def load_default_certs(self, purpose=None):
                         pass
                     def load_verify_locations(self, cafile=None, capath=None, cadata=None):
                         if capath:
                             raise error.Abort(_('capath not supported'))
                         if cadata:
                             raise error.Abort(_('cadata not supported'))
                         self._cacerts = cafile
                     def set_ciphers(self, ciphers):
                         if not self._supportsciphers:
-                            raise error.Abort(_('setting ciphers not supported'))
+                            raise error.Abort(_('setting ciphers in [hostsecurity] is not '
+                                                'supported by this version of Python'),
+                                              hint=_('remove the config option or run '
+                                                     'Mercurial with a modern Python '
+                                                     'version (preferred)'))
                         self._ciphers = ciphers
                     def wrap_socket(self, socket, server_hostname=None, server_side=False):
                         # server_hostname is unique to SSLContext.wrap_socket and is used
                         # for SNI in that context. So there's nothing for us to do with it
                         # in this legacy code since we don't support SNI.
                         args = {
                             'keyfile': self._keyfile,
                             'certfile': self._certfile,
                             'server_side': server_side,
                             'cert_reqs': self.verify_mode,
                             'ssl_version': self.protocol,
                             'ca_certs': self._cacerts,
                         }
                         if self._supportsciphers:
                             args['ciphers'] = self._ciphers
                         return ssl.wrap_socket(socket, **args)
             def _hostsettings(ui, hostname):
                 """Obtain security settings for a hostname.
                 Returns a dict of settings relevant to that hostname.
                 """
                 s = {
                     # Whether we should attempt to load default/available CA certs
                     # if an explicit ``cafile`` is not defined.
                     'allowloaddefaultcerts': True,
                     # List of 2-tuple of (hash algorithm, hash).
                     'certfingerprints': [],
                     # Path to file containing concatenated CA certs. Used by
                     # SSLContext.load_verify_locations().
                     'cafile': None,
                     # Whether certificate verification should be disabled.
                     'disablecertverification': False,
                     # Whether the legacy [hostfingerprints] section has data for this host.
                     'legacyfingerprint': False,
                     # PROTOCOL_* constant to use for SSLContext.__init__.
                     'protocol': None,
                     # ssl.CERT_* constant used by SSLContext.verify_mode.
                     'verifymode': None,
                     # Defines extra ssl.OP* bitwise options to set.
                     'ctxoptions': None,
+                    # OpenSSL Cipher List to use (instead of default).
+                    'ciphers': None,
                 }
                 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
                 # that both ends support, including TLS protocols. On legacy stacks,
                 # the highest it likely goes is TLS 1.0. On modern stacks, it can
                 # support TLS 1.2.
                 #
                 # The PROTOCOL_TLSv* constants select a specific TLS version
                 # only (as opposed to multiple versions). So the method for
                 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
                 # disable protocols via SSLContext.options and OP_NO_* constants.
                 # However, SSLContext.options doesn't work unless we have the
                 # full/real SSLContext available to us.
                 # Allow minimum TLS protocol to be specified in the config.
                 def validateprotocol(protocol, key):
                     if protocol not in configprotocols:
                         raise error.Abort(
                             _('unsupported protocol from hostsecurity.%s: %s') %
                             (key, protocol),
                             hint=_('valid protocols: %s') %
                                  ' '.join(sorted(configprotocols)))
                 # Legacy Python can only do TLS 1.0. We default to TLS 1.1+ where we
                 # can because TLS 1.0 has known vulnerabilities (like BEAST and POODLE).
                 # We allow users to downgrade to TLS 1.0+ via config options in case a
                 # legacy server is encountered.
                 if modernssl:
                     defaultprotocol = 'tls1.1'
                 else:
                     # Let people on legacy Python versions know they are borderline
                     # secure.
                     # We don't document this config option because we want people to see
                     # the bold warnings on the web site.
                     # internal config: hostsecurity.disabletls10warning
                     if not ui.configbool('hostsecurity', 'disabletls10warning'):
                         ui.warn(_('warning: connecting to %s using legacy security '
                                   'technology (TLS 1.0); see '
                                   'https://mercurial-scm.org/wiki/SecureConnections for '
                                   'more info\n') % hostname)
                     defaultprotocol = 'tls1.0'
                 key = 'minimumprotocol'
                 protocol = ui.config('hostsecurity', key, defaultprotocol)
                 validateprotocol(protocol, key)
                 key = '%s:minimumprotocol' % hostname
                 protocol = ui.config('hostsecurity', key, protocol)
                 validateprotocol(protocol, key)
                 s['protocol'], s['ctxoptions'] = protocolsettings(protocol)
+                ciphers = ui.config('hostsecurity', 'ciphers')
+                ciphers = ui.config('hostsecurity', '%s:ciphers' % hostname, ciphers)
+                s['ciphers'] = ciphers
                 # Look for fingerprints in [hostsecurity] section. Value is a list
                 # of <alg>:<fingerprint> strings.
                 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
                                              [])
                 for fingerprint in fingerprints:
                     if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
                         raise error.Abort(_('invalid fingerprint for %s: %s') % (
                                             hostname, fingerprint),
                                           hint=_('must begin with "sha1:", "sha256:", '
                                                  'or "sha512:"'))
                     alg, fingerprint = fingerprint.split(':', 1)
                     fingerprint = fingerprint.replace(':', '').lower()
                     s['certfingerprints'].append((alg, fingerprint))
                 # Fingerprints from [hostfingerprints] are always SHA-1.
                 for fingerprint in ui.configlist('hostfingerprints', hostname, []):
                     fingerprint = fingerprint.replace(':', '').lower()
                     s['certfingerprints'].append(('sha1', fingerprint))
                     s['legacyfingerprint'] = True
                 # If a host cert fingerprint is defined, it is the only thing that
                 # matters. No need to validate CA certs.
                 if s['certfingerprints']:
                     s['verifymode'] = ssl.CERT_NONE
                     s['allowloaddefaultcerts'] = False
                 # If --insecure is used, don't take CAs into consideration.
                 elif ui.insecureconnections:
                     s['disablecertverification'] = True
                     s['verifymode'] = ssl.CERT_NONE
                     s['allowloaddefaultcerts'] = False
                 if ui.configbool('devel', 'disableloaddefaultcerts'):
                     s['allowloaddefaultcerts'] = False
                 # If both fingerprints and a per-host ca file are specified, issue a warning
                 # because users should not be surprised about what security is or isn't
                 # being performed.
                 cafile = ui.config('hostsecurity', '%s:verifycertsfile' % hostname)
                 if s['certfingerprints'] and cafile:
                     ui.warn(_('(hostsecurity.%s:verifycertsfile ignored when host '
                               'fingerprints defined; using host fingerprints for '
                               'verification)\n') % hostname)
                 # Try to hook up CA certificate validation unless something above
                 # makes it not necessary.
                 if s['verifymode'] is None:
                     # Look at per-host ca file first.
                     if cafile:
                         cafile = util.expandpath(cafile)
                         if not os.path.exists(cafile):
                             raise error.Abort(_('path specified by %s does not exist: %s') %
                                               ('hostsecurity.%s:verifycertsfile' % hostname,
                                                cafile))
                         s['cafile'] = cafile
                     else:
                         # Find global certificates file in config.
                         cafile = ui.config('web', 'cacerts')
                         if cafile:
                             cafile = util.expandpath(cafile)
                             if not os.path.exists(cafile):
                                 raise error.Abort(_('could not find web.cacerts: %s') %
                                                   cafile)
                         elif s['allowloaddefaultcerts']:
                             # CAs not defined in config. Try to find system bundles.
                             cafile = _defaultcacerts(ui)
                             if cafile:
                                 ui.debug('using %s for CA file\n' % cafile)
                         s['cafile'] = cafile
                     # Require certificate validation if CA certs are being loaded and
                     # verification hasn't been disabled above.
                     if cafile or (_canloaddefaultcerts and s['allowloaddefaultcerts']):
                         s['verifymode'] = ssl.CERT_REQUIRED
                     else:
                         # At this point we don't have a fingerprint, aren't being
                         # explicitly insecure, and can't load CA certs. Connecting
                         # is insecure. We allow the connection and abort during
                         # validation (once we have the fingerprint to print to the
                         # user).
                         s['verifymode'] = ssl.CERT_NONE
                 assert s['protocol'] is not None
                 assert s['ctxoptions'] is not None
                 assert s['verifymode'] is not None
                 return s
             def protocolsettings(protocol):
                 """Resolve the protocol and context options for a config value."""
                 if protocol not in configprotocols:
                     raise ValueError('protocol value not supported: %s' % protocol)
                 # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use
                 # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However,
                 # SSLContext.options doesn't work in our implementation since we use
                 # a fake SSLContext on these Python versions.
                 if not modernssl:
                     if protocol != 'tls1.0':
                         raise error.Abort(_('current Python does not support protocol '
                                             'setting %s') % protocol,
                                           hint=_('upgrade Python or disable setting since '
                                                  'only TLS 1.0 is supported'))
                     return ssl.PROTOCOL_TLSv1, 0
                 # WARNING: returned options don't work unless the modern ssl module
                 # is available. Be careful when adding options here.
                 # SSLv2 and SSLv3 are broken. We ban them outright.
                 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
                 if protocol == 'tls1.0':
                     # Defaults above are to use TLS 1.0+
                     pass
                 elif protocol == 'tls1.1':
                     options |= ssl.OP_NO_TLSv1
                 elif protocol == 'tls1.2':
                     options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
                 else:
                     raise error.Abort(_('this should not happen'))
                 # Prevent CRIME.
                 # There is no guarantee this attribute is defined on the module.
                 options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
                 return ssl.PROTOCOL_SSLv23, options
             def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
                 """Add SSL/TLS to a socket.
                 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
                 choices based on what security options are available.
                 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
                 the following additional arguments:
                 * serverhostname - The expected hostname of the remote server. If the
                   server (and client) support SNI, this tells the server which certificate
                   to use.
                 """
                 if not serverhostname:
                     raise error.Abort(_('serverhostname argument is required'))
                 settings = _hostsettings(ui, serverhostname)
                 # We can't use ssl.create_default_context() because it calls
                 # load_default_certs() unless CA arguments are passed to it. We want to
                 # have explicit control over CA loading because implicitly loading
                 # CAs may undermine the user's intent. For example, a user may define a CA
                 # bundle with a specific CA cert removed. If the system/default CA bundle
                 # is loaded and contains that removed CA, you've just undone the user's
                 # choice.
                 sslcontext = SSLContext(settings['protocol'])
                 # This is a no-op unless using modern ssl.
                 sslcontext.options |= settings['ctxoptions']
                 # This still works on our fake SSLContext.
                 sslcontext.verify_mode = settings['verifymode']
+                if settings['ciphers']:
+                    try:
+                        sslcontext.set_ciphers(settings['ciphers'])
+                    except ssl.SSLError as e:
+                        raise error.Abort(_('could not set ciphers: %s') % e.args[0],
+                                          hint=_('change cipher string (%s) in config') %
+                                               settings['ciphers'])
                 if certfile is not None:
                     def password():
                         f = keyfile or certfile
                         return ui.getpass(_('passphrase for %s: ') % f, '')
                     sslcontext.load_cert_chain(certfile, keyfile, password)
                 if settings['cafile'] is not None:
                     try:
                         sslcontext.load_verify_locations(cafile=settings['cafile'])
                     except ssl.SSLError as e:
                         raise error.Abort(_('error loading CA file %s: %s') % (
                                           settings['cafile'], e.args[1]),
                                           hint=_('file is empty or malformed?'))
                     caloaded = True
                 elif settings['allowloaddefaultcerts']:
                     # This is a no-op on old Python.
                     sslcontext.load_default_certs()
                     caloaded = True
                 else:
                     caloaded = False
                 try:
                     sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
                 except ssl.SSLError as e:
                     # If we're doing certificate verification and no CA certs are loaded,
                     # that is almost certainly the reason why verification failed. Provide
                     # a hint to the user.
                     # Only modern ssl module exposes SSLContext.get_ca_certs() so we can
                     # only show this warning if modern ssl is available.
                     if (caloaded and settings['verifymode'] == ssl.CERT_REQUIRED and
                         modernssl and not sslcontext.get_ca_certs()):
                         ui.warn(_('(an attempt was made to load CA certificates but none '
                                   'were loaded; see '
                                   'https://mercurial-scm.org/wiki/SecureConnections for '
                                   'how to configure Mercurial to avoid this error)\n'))
                     # Try to print more helpful error messages for known failures.
                     if util.safehasattr(e, 'reason'):
                         if e.reason == 'UNSUPPORTED_PROTOCOL':
                             ui.warn(_('(could not negotiate a common protocol; see '
                                       'https://mercurial-scm.org/wiki/SecureConnections '
                                       'for how to configure Mercurial to avoid this '
                                       'error)\n'))
                     raise
                 # check if wrap_socket failed silently because socket had been
                 # closed
                 # - see http://bugs.python.org/issue13721
                 if not sslsocket.cipher():
                     raise error.Abort(_('ssl connection failed'))
                 sslsocket._hgstate = {
                     'caloaded': caloaded,
                     'hostname': serverhostname,
                     'settings': settings,
                     'ui': ui,
                 }
                 return sslsocket
             def wrapserversocket(sock, ui, certfile=None, keyfile=None, cafile=None,
                                  requireclientcert=False):
                 """Wrap a socket for use by servers.
                 ``certfile`` and ``keyfile`` specify the files containing the certificate's
                 public and private keys, respectively. Both keys can be defined in the same
                 file via ``certfile`` (the private key must come first in the file).
                 ``cafile`` defines the path to certificate authorities.
                 ``requireclientcert`` specifies whether to require client certificates.
                 Typically ``cafile`` is only defined if ``requireclientcert`` is true.
                 """
                 protocol, options = protocolsettings('tls1.0')
                 # This config option is intended for use in tests only. It is a giant
                 # footgun to kill security. Don't define it.
                 exactprotocol = ui.config('devel', 'serverexactprotocol')
                 if exactprotocol == 'tls1.0':
                     protocol = ssl.PROTOCOL_TLSv1
                 elif exactprotocol == 'tls1.1':
                     protocol = ssl.PROTOCOL_TLSv1_1
                 elif exactprotocol == 'tls1.2':
                     protocol = ssl.PROTOCOL_TLSv1_2
                 elif exactprotocol:
                     raise error.Abort(_('invalid value for serverexactprotocol: %s') %
                                       exactprotocol)
                 if modernssl:
                     # We /could/ use create_default_context() here since it doesn't load
                     # CAs when configured for client auth. However, it is hard-coded to
                     # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
                     sslcontext = SSLContext(protocol)
                     sslcontext.options |= options
                     # Improve forward secrecy.
                     sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
                     sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
                     # Use the list of more secure ciphers if found in the ssl module.
                     if util.safehasattr(ssl, '_RESTRICTED_SERVER_CIPHERS'):
                         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
                         sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
                 else:
                     sslcontext = SSLContext(ssl.PROTOCOL_TLSv1)
                 if requireclientcert:
                     sslcontext.verify_mode = ssl.CERT_REQUIRED
                 else:
                     sslcontext.verify_mode = ssl.CERT_NONE
                 if certfile or keyfile:
                     sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile)
                 if cafile:
                     sslcontext.load_verify_locations(cafile=cafile)
                 return sslcontext.wrap_socket(sock, server_side=True)
             class wildcarderror(Exception):
                 """Represents an error parsing wildcards in DNS name."""
             def _dnsnamematch(dn, hostname, maxwildcards=1):
                 """Match DNS names according RFC 6125 section 6.4.3.
                 This code is effectively copied from CPython's ssl._dnsname_match.
                 Returns a bool indicating whether the expected hostname matches
                 the value in ``dn``.
                 """
                 pats = []
                 if not dn:
                     return False
                 pieces = dn.split(r'.')
                 leftmost = pieces[0]
                 remainder = pieces[1:]
                 wildcards = leftmost.count('*')
                 if wildcards > maxwildcards:
                     raise wildcarderror(
                         _('too many wildcards in certificate DNS name: %s') % dn)
                 # speed up common case w/o wildcards
                 if not wildcards:
                     return dn.lower() == hostname.lower()
                 # RFC 6125, section 6.4.3, subitem 1.
                 # The client SHOULD NOT attempt to match a presented identifier in which
                 # the wildcard character comprises a label other than the left-most label.
                 if leftmost == '*':
                     # When '*' is a fragment by itself, it matches a non-empty dotless
                     # fragment.
                     pats.append('[^.]+')
                 elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
                     # RFC 6125, section 6.4.3, subitem 3.
                     # The client SHOULD NOT attempt to match a presented identifier
                     # where the wildcard character is embedded within an A-label or
                     # U-label of an internationalized domain name.
                     pats.append(re.escape(leftmost))
                 else:
                     # Otherwise, '*' matches any dotless string, e.g. www*
                     pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
                 # add the remaining fragments, ignore any wildcards
                 for frag in remainder:
                     pats.append(re.escape(frag))
                 pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
                 return pat.match(hostname) is not None
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsnames = []
                 san = cert.get('subjectAltName', [])
                 for key, value in san:
                     if key == 'DNS':
                         try:
                             if _dnsnamematch(value, hostname):
                                 return
                         except wildcarderror as e:
                             return e.args[0]
                         dnsnames.append(value)
                 if not dnsnames:
                     # The subject is only checked when there is no DNS in subjectAltName.
                     for sub in cert.get('subject', []):
                         for key, value in sub:
                             # According to RFC 2818 the most specific Common Name must
                             # be used.
                             if key == 'commonName':
                                 # 'subject' entries are unicide.
                                 try:
                                     value = value.encode('ascii')
                                 except UnicodeEncodeError:
                                     return _('IDN in certificate not supported')
                                 try:
                                     if _dnsnamematch(value, hostname):
                                         return
                                 except wildcarderror as e:
                                     return e.args[0]
                                 dnsnames.append(value)
                 if len(dnsnames) > 1:
                     return _('certificate is for %s') % ', '.join(dnsnames)
                 elif len(dnsnames) == 1:
                     return _('certificate is for %s') % dnsnames[0]
                 else:
                     return _('no commonName or subjectAltName found in certificate')
             def _plainapplepython():
                 """return true if this seems to be a pure Apple Python that
                 * is unfrozen and presumably has the whole mercurial module in the file
                   system
                 * presumably is an Apple Python that uses Apple OpenSSL which has patches
                   for using system certificate store CAs in addition to the provided
                   cacerts file
                 """
                 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
                     return False
                 exe = os.path.realpath(sys.executable).lower()
                 return (exe.startswith('/usr/bin/python') or
                         exe.startswith('/system/library/frameworks/python.framework/'))
             _systemcacertpaths = [
                 # RHEL, CentOS, and Fedora
                 '/etc/pki/tls/certs/ca-bundle.trust.crt',
                 # Debian, Ubuntu, Gentoo
                 '/etc/ssl/certs/ca-certificates.crt',
             ]
             def _defaultcacerts(ui):
                 """return path to default CA certificates or None.
                 It is assumed this function is called when the returned certificates
                 file will actually be used to validate connections. Therefore this
                 function may print warnings or debug messages assuming this usage.
                 We don't print a message when the Python is able to load default
                 CA certs because this scenario is detected at socket connect time.
                 """
                 # The "certifi" Python package provides certificates. If it is installed,
                 # assume the user intends it to be used and use it.
                 try:
                     import certifi
                     certs = certifi.where()
                     ui.debug('using ca certificates from certifi\n')
                     return certs
                 except ImportError:
                     pass
                 # On Windows, only the modern ssl module is capable of loading the system
                 # CA certificates. If we're not capable of doing that, emit a warning
                 # because we'll get a certificate verification error later and the lack
                 # of loaded CA certificates will be the reason why.
                 # Assertion: this code is only called if certificates are being verified.
                 if os.name == 'nt':
                     if not _canloaddefaultcerts:
                         ui.warn(_('(unable to load Windows CA certificates; see '
                                   'https://mercurial-scm.org/wiki/SecureConnections for '
                                   'how to configure Mercurial to avoid this message)\n'))
                     return None
                 # Apple's OpenSSL has patches that allow a specially constructed certificate
                 # to load the system CA store. If we're running on Apple Python, use this
                 # trick.
                 if _plainapplepython():
                     dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
                     if os.path.exists(dummycert):
                         return dummycert
                 # The Apple OpenSSL trick isn't available to us. If Python isn't able to
                 # load system certs, we're out of luck.
                 if sys.platform == 'darwin':
                     # FUTURE Consider looking for Homebrew or MacPorts installed certs
                     # files. Also consider exporting the keychain certs to a file during
                     # Mercurial install.
                     if not _canloaddefaultcerts:
                         ui.warn(_('(unable to load CA certificates; see '
                                   'https://mercurial-scm.org/wiki/SecureConnections for '
                                   'how to configure Mercurial to avoid this message)\n'))
                     return None
                 # / is writable on Windows. Out of an abundance of caution make sure
                 # we're not on Windows because paths from _systemcacerts could be installed
                 # by non-admin users.
                 assert os.name != 'nt'
                 # Try to find CA certificates in well-known locations. We print a warning
                 # when using a found file because we don't want too much silent magic
                 # for security settings. The expectation is that proper Mercurial
                 # installs will have the CA certs path defined at install time and the
                 # installer/packager will make an appropriate decision on the user's
                 # behalf. We only get here and perform this setting as a feature of
                 # last resort.
                 if not _canloaddefaultcerts:
                     for path in _systemcacertpaths:
                         if os.path.isfile(path):
                             ui.warn(_('(using CA certificates from %s; if you see this '
                                       'message, your Mercurial install is not properly '
                                       'configured; see '
                                       'https://mercurial-scm.org/wiki/SecureConnections '
                                       'for how to configure Mercurial to avoid this '
                                       'message)\n') % path)
                             return path
                     ui.warn(_('(unable to load CA certificates; see '
                               'https://mercurial-scm.org/wiki/SecureConnections for '
                               'how to configure Mercurial to avoid this message)\n'))
                 return None
             def validatesocket(sock):
                 """Validate a socket meets security requiremnets.
                 The passed socket must have been created with ``wrapsocket()``.
                 """
                 host = sock._hgstate['hostname']
                 ui = sock._hgstate['ui']
                 settings = sock._hgstate['settings']
                 try:
                     peercert = sock.getpeercert(True)
                     peercert2 = sock.getpeercert()
                 except AttributeError:
                     raise error.Abort(_('%s ssl connection error') % host)
                 if not peercert:
                     raise error.Abort(_('%s certificate error: '
                                        'no certificate received') % host)
                 if settings['disablecertverification']:
                     # We don't print the certificate fingerprint because it shouldn't
                     # be necessary: if the user requested certificate verification be
                     # disabled, they presumably already saw a message about the inability
                     # to verify the certificate and this message would have printed the
                     # fingerprint. So printing the fingerprint here adds little to no
                     # value.
                     ui.warn(_('warning: connection security to %s is disabled per current '
                               'settings; communication is susceptible to eavesdropping '
                               'and tampering\n') % host)
                     return
                 # If a certificate fingerprint is pinned, use it and only it to
                 # validate the remote cert.
                 peerfingerprints = {
                     'sha1': hashlib.sha1(peercert).hexdigest(),
                     'sha256': hashlib.sha256(peercert).hexdigest(),
                     'sha512': hashlib.sha512(peercert).hexdigest(),
                 }
                 def fmtfingerprint(s):
                     return ':'.join([s[x:x + 2] for x in range(0, len(s), 2)])
                 nicefingerprint = 'sha256:%s' % fmtfingerprint(peerfingerprints['sha256'])
                 if settings['certfingerprints']:
                     for hash, fingerprint in settings['certfingerprints']:
                         if peerfingerprints[hash].lower() == fingerprint:
                             ui.debug('%s certificate matched fingerprint %s:%s\n' %
                                      (host, hash, fmtfingerprint(fingerprint)))
                             return
                     # Pinned fingerprint didn't match. This is a fatal error.
                     if settings['legacyfingerprint']:
                         section = 'hostfingerprint'
                         nice = fmtfingerprint(peerfingerprints['sha1'])
                     else:
                         section = 'hostsecurity'
                         nice = '%s:%s' % (hash, fmtfingerprint(peerfingerprints[hash]))
                     raise error.Abort(_('certificate for %s has unexpected '
                                         'fingerprint %s') % (host, nice),
                                       hint=_('check %s configuration') % section)
                 # Security is enabled but no CAs are loaded. We can't establish trust
                 # for the cert so abort.
                 if not sock._hgstate['caloaded']:
                     raise error.Abort(
                         _('unable to verify security of %s (no loaded CA certificates); '
                           'refusing to connect') % host,
                         hint=_('see https://mercurial-scm.org/wiki/SecureConnections for '
                                'how to configure Mercurial to avoid this error or set '
                                'hostsecurity.%s:fingerprints=%s to trust this server') %
                                (host, nicefingerprint))
                 msg = _verifycert(peercert2, host)
                 if msg:
                     raise error.Abort(_('%s certificate error: %s') % (host, msg),
                                      hint=_('set hostsecurity.%s:certfingerprints=%s '
                                             'config setting or use --insecure to connect '
                                             'insecurely') %
                                           (host, nicefingerprint))

tests/test-https.t

0 +42 0

             #require serve ssl
             Proper https client requires the built-in ssl from Python 2.6.
             Make server certificates:
               $ CERTSDIR="$TESTDIR/sslcerts"
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
             #if windows
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT':
               [255]
             #else
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
             #endif
               $ cd ..
             Our test cert is not signed by a trusted CA. It should fail to verify if
             we are able to load CA certs.
             #if sslcontext defaultcacerts no-defaultcacertsloaded
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-sslcontext defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-sslcontext windows
               $ hg clone https://localhost:$HGPORT/ copy-pull
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
               (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-sslcontext osx
               $ hg clone https://localhost:$HGPORT/ copy-pull
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
               (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
               abort: localhost certificate error: no certificate received
               (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
               [255]
             #endif
             #if defaultcacertsloaded
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
               abort: localhost certificate error: no certificate received
               (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
               [255]
             #endif
             Specifying a per-host certificate file that doesn't exist will abort
               $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
               [255]
             A malformed per-host certificate file will raise an error
               $ echo baddata > badca.pem
             #if sslcontext
               $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
               abort: error loading CA file badca.pem: * (glob)
               (file is empty or malformed?)
               [255]
             #else
               $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: * (glob)
               [255]
             #endif
             A per-host certificate mismatching the server will fail verification
             (modern ssl is able to discern whether the loaded cert is a CA cert)
             #if sslcontext
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
               (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *certificate verify failed* (glob)
               [255]
             #else
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             A per-host certificate matching the server's cert will be accepted
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             A per-host certificate with multiple certs and one matching will be accepted
               $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
               $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             Defining both per-host certificate and a fingerprint will print a warning
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
             Inability to verify peer certificate will result in abort
               $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
               (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
               [255]
               $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
               $ hg pull $DISABLECACERTS
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
               (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
               [255]
               $ hg pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P="$CERTSDIR" hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               searching for changes
               no changes found
               $ P="$CERTSDIR" hg -R copy-pull pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             empty cacert file
               $ touch emptycafile
             #if sslcontext
               $ hg --config web.cacerts=emptycafile -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               abort: error loading CA file emptycafile: * (glob)
               (file is empty or malformed?)
               [255]
             #else
               $ hg --config web.cacerts=emptycafile -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: * (glob)
               [255]
             #endif
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/ (glob)
               warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: 127.0.0.1 certificate error: certificate is for localhost (glob)
               (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/ --insecure
               pulling from https://127.0.0.1:$HGPORT/ (glob)
               warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: *certificate verify failed* (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
               > --insecure
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
               > https://localhost:$HGPORT1/
               pulling from https://localhost:$HGPORT1/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: *certificate verify failed* (glob)
               [255]
             Test server cert which no longer is valid
               $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
               > https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: *certificate verify failed* (glob)
               [255]
             Disabling the TLS 1.0 warning works
               $ hg -R copy-pull id https://localhost:$HGPORT/ \
               > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
               > --config hostsecurity.disabletls10warning=true
 fed3813f7f5
+            #if no-sslcontext no-py27+
+            Setting ciphers doesn't work in Python 2.6
+              $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
+              warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
+              abort: setting ciphers in [hostsecurity] is not supported by this version of Python
+              (remove the config option or run Mercurial with a modern Python version (preferred))
+              [255]
+            #endif
+            Setting ciphers works in Python 2.7+ but the error message is different on
+            legacy ssl. We test legacy once and do more feature checking on modern
+            configs.
+            #if py27+ no-sslcontext
+              $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
+              warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
+              abort: *No cipher can be selected. (glob)
+              [255]
+              $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
+              warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
+fed3813f7f5
+            #endif
+            #if sslcontext
+            Setting ciphers to an invalid value aborts
+              $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
+              abort: could not set ciphers: No cipher can be selected.
+              (change cipher string (invalid) in config)
+              [255]
+              $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
+              abort: could not set ciphers: No cipher can be selected.
+              (change cipher string (invalid) in config)
+              [255]
+            Changing the cipher string works
+              $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
+fed3813f7f5
+            #endif
             Fingerprints
             - works without cacerts (hostkeyfingerprints)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
             - works without cacerts (hostsecurity)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
             - multiple fingerprints specified and first matches
               $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
             - multiple fingerprints specified and last matches
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
             - multiple fingerprints specified and none match
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
               (check hostfingerprint configuration)
               [255]
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
               (check hostsecurity configuration)
               [255]
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
               (check hostfingerprint configuration)
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
               warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
 fed3813f7f5
             Ports used by next test. Kill servers.
               $ killdaemons.py hg0.pid
               $ killdaemons.py hg1.pid
               $ killdaemons.py hg2.pid
             #if sslcontext
             Start servers running supported TLS versions
               $ cd test
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
               > --config devel.serverexactprotocol=tls1.0
               $ cat ../hg0.pid >> $DAEMON_PIDS
               $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
               > --config devel.serverexactprotocol=tls1.1
               $ cat ../hg1.pid >> $DAEMON_PIDS
               $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
               > --config devel.serverexactprotocol=tls1.2
               $ cat ../hg2.pid >> $DAEMON_PIDS
               $ cd ..
             Clients talking same TLS versions work
               $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
 fed3813f7f5
               $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
 fed3813f7f5
               $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
 fed3813f7f5
             Clients requiring newer TLS version than what server supports fail
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
               (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *unsupported protocol* (glob)
               [255]
               $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
               (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *unsupported protocol* (glob)
               [255]
               $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
               (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *unsupported protocol* (glob)
               [255]
               $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
               (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *unsupported protocol* (glob)
               [255]
             The per-host config option overrides the default
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config hostsecurity.minimumprotocol=tls1.2 \
               > --config hostsecurity.localhost:minimumprotocol=tls1.0
 fed3813f7f5
             The per-host config option by itself works
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config hostsecurity.localhost:minimumprotocol=tls1.2
               (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *unsupported protocol* (glob)
               [255]
               $ killdaemons.py hg0.pid
               $ killdaemons.py hg1.pid
               $ killdaemons.py hg2.pid
             #endif
             Prepare for connecting through proxy
               $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
               $ cat hg0.pid >> $DAEMON_PIDS
               $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
             tinyproxy.py doesn't fully detach, so killing it may result in extra output
             from the shell. So don't kill it.
               $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
               $ while [ ! -f proxy.pid ]; do sleep 0; done
               $ cat proxy.pid >> $DAEMON_PIDS
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub.pem"
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
               pulling from https://127.0.0.1:$HGPORT/ (glob)
               warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: *certificate verify failed* (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
               abort: error: *certificate verify failed* (glob)
               [255]
               $ killdaemons.py hg0.pid
             #if sslcontext
             Start hgweb that requires client certificates:
               $ cd test
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
               > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
               $ cat ../hg0.pid >> $DAEMON_PIDS
               $ cd ..
             without client certificate:
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: *handshake failure* (glob)
               [255]
             with client certificate:
               $ cat << EOT >> $HGRCPATH
               > [auth]
               > l.prefix = localhost
               > l.cert = $CERTSDIR/client-cert.pem
               > l.key = $CERTSDIR/client-key.pem
               > EOT
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
 fed3813f7f5
               $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config ui.interactive=True --config ui.nontty=True
               passphrase for */client-key.pem: 5fed3813f7f5 (glob)
               $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages