upstream/mercurial-mirror Commit - r13654:a1dae38a

1

Proper https client requires the built-in ssl from Python 2.6.

1

Proper https client requires the built-in ssl from Python 2.6.

2

3

$ "$TESTDIR/hghave" ssl || exit 80

3

$ "$TESTDIR/hghave" ssl || exit 80

4

5

Certificates created with:

5

Certificates created with:

6

printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

6

printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \

7

openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

7

openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem

8

Can be dumped with:

8

Can be dumped with:

9

openssl x509 -in pub.pem -text

9

openssl x509 -in pub.pem -text

10

11

$ cat << EOT > priv.pem

11

$ cat << EOT > priv.pem

12

> -----BEGIN PRIVATE KEY-----

12

> -----BEGIN PRIVATE KEY-----

13

> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

13

> MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH

14

> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

14

> aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8

15

> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

15

> j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc

16

> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

16

> EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG

17

> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

17

> MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR

18

> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

18

> +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy

19

> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

19

> aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh

20

> HY8gUVkVRVs=

20

> HY8gUVkVRVs=

21

> -----END PRIVATE KEY-----

21

> -----END PRIVATE KEY-----

22

> EOT

22

> EOT

23

24

$ cat << EOT > pub.pem

24

$ cat << EOT > pub.pem

25

> -----BEGIN CERTIFICATE-----

25

> -----BEGIN CERTIFICATE-----

26

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

26

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

27

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

27

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

28

> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

28

> MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0

29

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

29

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

30

> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

30

> ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX

31

> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

31

> 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm

32

> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

32

> r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw

33

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

33

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl

34

> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

34

> t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=

35

> -----END CERTIFICATE-----

35

> -----END CERTIFICATE-----

36

> EOT

36

> EOT

37

$ cat priv.pem pub.pem >> server.pem

37

$ cat priv.pem pub.pem >> server.pem

38

$ PRIV=`pwd`/server.pem

38

$ PRIV=`pwd`/server.pem

39

40

$ cat << EOT > pub-other.pem

40

$ cat << EOT > pub-other.pem

41

> -----BEGIN CERTIFICATE-----

41

> -----BEGIN CERTIFICATE-----

42

> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

42

> MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV

43

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

43

> BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw

44

> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

44

> MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0

45

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

45

> MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL

46

> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

46

> ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo

47

> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

47

> K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN

48

> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

48

> y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw

49

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

49

> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6

50

> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

50

> bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=

51

> -----END CERTIFICATE-----

51

> -----END CERTIFICATE-----

52

> EOT

52

> EOT

53

54

pub.pem patched with other notBefore / notAfter:

54

pub.pem patched with other notBefore / notAfter:

55

56

$ cat << EOT > pub-not-yet.pem

56

$ cat << EOT > pub-not-yet.pem

57

> -----BEGIN CERTIFICATE-----

57

> -----BEGIN CERTIFICATE-----

58

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

58

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

59

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

59

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw

60

> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

60

> NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

61

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

61

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

62

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

62

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

63

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

63

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

64

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

64

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb

65

> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

65

> /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=

66

> -----END CERTIFICATE-----

66

> -----END CERTIFICATE-----

67

> EOT

67

> EOT

68

$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

68

$ cat priv.pem pub-not-yet.pem > server-not-yet.pem

69

70

$ cat << EOT > pub-expired.pem

70

$ cat << EOT > pub-expired.pem

71

> -----BEGIN CERTIFICATE-----

71

> -----BEGIN CERTIFICATE-----

72

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

72

> MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs

73

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

73

> aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx

74

> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

74

> NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv

75

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

75

> c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK

76

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

76

> EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA

77

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

77

> +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T

78

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

78

> BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt

79

> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

79

> 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=

80

> -----END CERTIFICATE-----

80

> -----END CERTIFICATE-----

81

> EOT

81

> EOT

82

$ cat priv.pem pub-expired.pem > server-expired.pem

82

$ cat priv.pem pub-expired.pem > server-expired.pem

83

84

$ hg init test

84

$ hg init test

85

$ cd test

85

$ cd test

86

$ echo foo>foo

86

$ echo foo>foo

87

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

87

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

88

$ echo foo>foo.d/foo

88

$ echo foo>foo.d/foo

89

$ echo bar>foo.d/bAr.hg.d/BaR

89

$ echo bar>foo.d/bAr.hg.d/BaR

90

$ echo bar>foo.d/baR.d.hg/bAR

90

$ echo bar>foo.d/baR.d.hg/bAR

91

$ hg commit -A -m 1

91

$ hg commit -A -m 1

92

adding foo

92

adding foo

93

adding foo.d/bAr.hg.d/BaR

93

adding foo.d/bAr.hg.d/BaR

94

adding foo.d/baR.d.hg/bAR

94

adding foo.d/baR.d.hg/bAR

95

adding foo.d/foo

95

adding foo.d/foo

96

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

96

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

97

$ cat ../hg0.pid >> $DAEMON_PIDS

97

$ cat ../hg0.pid >> $DAEMON_PIDS

98

99

cacert not found

99

cacert not found

100

101

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

101

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

102

abort: could not find web.cacerts: no-such.pem

102

abort: could not find web.cacerts: no-such.pem

103

[255]

103

[255]

104

105

Test server address cannot be reused

105

Test server address cannot be reused

106

107

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

107

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

108

abort: cannot start server at ':$HGPORT': Address already in use

108

abort: cannot start server at ':$HGPORT': Address already in use

109

[255]

109

[255]

110

$ cd ..

110

$ cd ..

111

112

clone via pull

112

clone via pull

113

114

$ hg clone https://localhost:$HGPORT/ copy-pull

114

$ hg clone https://localhost:$HGPORT/ copy-pull

115

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

115

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

116

requesting all changes

116

requesting all changes

117

adding changesets

117

adding changesets

118

adding manifests

118

adding manifests

119

adding file changes

119

adding file changes

120

added 1 changesets with 4 changes to 4 files

120

added 1 changesets with 4 changes to 4 files

121

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

122

updating to branch default

121

updating to branch default

123

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

122

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

124

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

123

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

125

$ hg verify -R copy-pull

124

$ hg verify -R copy-pull

126

checking changesets

125

checking changesets

127

checking manifests

126

checking manifests

128

crosschecking files in changesets and manifests

127

crosschecking files in changesets and manifests

129

checking files

128

checking files

130

4 files, 1 changesets, 4 total revisions

129

4 files, 1 changesets, 4 total revisions

131

$ cd test

130

$ cd test

132

$ echo bar > bar

131

$ echo bar > bar

133

$ hg commit -A -d '1 0' -m 2

132

$ hg commit -A -d '1 0' -m 2

134

adding bar

133

adding bar

135

$ cd ..

134

$ cd ..

136

135

137

pull without cacert

136

pull without cacert

138

137

139

$ cd copy-pull

138

$ cd copy-pull

140

$ echo '[hooks]' >> .hg/hgrc

139

$ echo '[hooks]' >> .hg/hgrc

141

$ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc

140

$ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc

142

$ hg pull

141

$ hg pull

143

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

142

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

144

pulling from https://localhost:$HGPORT/

143

pulling from https://localhost:$HGPORT/

145

searching for changes

144

searching for changes

146

adding changesets

145

adding changesets

147

adding manifests

146

adding manifests

148

adding file changes

147

adding file changes

149

added 1 changesets with 1 changes to 1 files

148

added 1 changesets with 1 changes to 1 files

150

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/

149

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/

151

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

150

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

152

(run 'hg update' to get a working copy)

151

(run 'hg update' to get a working copy)

153

$ cd ..

152

$ cd ..

154

153

155

cacert configured in local repo

154

cacert configured in local repo

156

155

157

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

156

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

158

$ echo "[web]" >> copy-pull/.hg/hgrc

157

$ echo "[web]" >> copy-pull/.hg/hgrc

159

$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

158

$ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc

160

$ hg -R copy-pull pull --traceback

159

$ hg -R copy-pull pull --traceback

161

pulling from https://localhost:$HGPORT/

160

pulling from https://localhost:$HGPORT/

162

searching for changes

161

searching for changes

163

no changes found

162

no changes found

164

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

163

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

165

164

166

cacert configured globally, also testing expansion of environment

165

cacert configured globally, also testing expansion of environment

167

variables in the filename

166

variables in the filename

168

167

169

$ echo "[web]" >> $HGRCPATH

168

$ echo "[web]" >> $HGRCPATH

170

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

169

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

171

$ P=`pwd` hg -R copy-pull pull

170

$ P=`pwd` hg -R copy-pull pull

172

pulling from https://localhost:$HGPORT/

171

pulling from https://localhost:$HGPORT/

173

searching for changes

172

searching for changes

174

no changes found

173

no changes found

175

$ P=`pwd` hg -R copy-pull pull --insecure

174

$ P=`pwd` hg -R copy-pull pull --insecure

176

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

175

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

177

pulling from https://localhost:$HGPORT/

176

pulling from https://localhost:$HGPORT/

178

searching for changes

177

searching for changes

179

no changes found

178

no changes found

180

179

181

cacert mismatch

180

cacert mismatch

182

181

183

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

182

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/

184

abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)

183

abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)

185

[255]

184

[255]

186

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

185

$ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure

187

warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

186

warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

188

pulling from https://127.0.0.1:$HGPORT/

187

pulling from https://127.0.0.1:$HGPORT/

189

searching for changes

188

searching for changes

190

no changes found

189

no changes found

191

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem

190

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem

192

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

191

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

193

[255]

192

[255]

194

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

193

$ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure

195

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

194

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

196

pulling from https://localhost:$HGPORT/

195

pulling from https://localhost:$HGPORT/

197

searching for changes

196

searching for changes

198

no changes found

197

no changes found

199

198

200

Test server cert which isn't valid yet

199

Test server cert which isn't valid yet

201

200

202

$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

201

$ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

203

$ cat hg1.pid >> $DAEMON_PIDS

202

$ cat hg1.pid >> $DAEMON_PIDS

204

$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

203

$ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/

205

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

204

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

206

[255]

205

[255]

207

206

208

Test server cert which no longer is valid

207

Test server cert which no longer is valid

209

208

210

$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

209

$ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

211

$ cat hg2.pid >> $DAEMON_PIDS

210

$ cat hg2.pid >> $DAEMON_PIDS

212

$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

211

$ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

213

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

212

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

214

[255]

213

[255]

215

214

216

Fingerprints

215

Fingerprints

217

216

218

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

217

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

219

$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

218

$ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc

220

$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

219

$ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc

221

220

222

- works without cacerts

221

- works without cacerts

223

$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=

222

$ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=

224

5fed3813f7f5

223

5fed3813f7f5

225

224

226

- fails when cert doesn't match hostname (port is ignored)

225

- fails when cert doesn't match hostname (port is ignored)

227

$ hg -R copy-pull id https://localhost:$HGPORT1/

226

$ hg -R copy-pull id https://localhost:$HGPORT1/

228

abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

227

abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

229

[255]

228

[255]

230

229

231

- ignores that certificate doesn't match hostname

230

- ignores that certificate doesn't match hostname

232

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/

231

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/

233

5fed3813f7f5

232

5fed3813f7f5

234

233

235

Prepare for connecting through proxy

234

Prepare for connecting through proxy

236

235

237

$ kill `cat hg1.pid`

236

$ kill `cat hg1.pid`

238

$ sleep 1

237

$ sleep 1

239

238

240

$ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &

239

$ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &

241

$ echo $! > proxy.pid)

240

$ echo $! > proxy.pid)

242

$ cat proxy.pid >> $DAEMON_PIDS

241

$ cat proxy.pid >> $DAEMON_PIDS

243

$ sleep 2

242

$ sleep 2

244

243

245

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

244

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

246

$ echo "always=True" >> copy-pull/.hg/hgrc

245

$ echo "always=True" >> copy-pull/.hg/hgrc

247

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

246

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

248

$ echo "localhost =" >> copy-pull/.hg/hgrc

247

$ echo "localhost =" >> copy-pull/.hg/hgrc

249

248

250

Test unvalidated https through proxy

249

Test unvalidated https through proxy

251

250

252

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

251

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

253

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

252

warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)

254

pulling from https://localhost:$HGPORT/

253

pulling from https://localhost:$HGPORT/

255

searching for changes

254

searching for changes

256

no changes found

255

no changes found

257

256

258

Test https with cacert and fingerprint through proxy

257

Test https with cacert and fingerprint through proxy

259

258

260

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

259

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem

261

pulling from https://localhost:$HGPORT/

260

pulling from https://localhost:$HGPORT/

262

searching for changes

261

searching for changes

263

no changes found

262

no changes found

264

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

263

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/

265

pulling from https://127.0.0.1:$HGPORT/

264

pulling from https://127.0.0.1:$HGPORT/

266

searching for changes

265

searching for changes

267

no changes found

266

no changes found

268

267

269

Test https with cert problems through proxy

268

Test https with cert problems through proxy

270

269

271

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

270

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem

272

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

271

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

273

[255]

272

[255]

274

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

273

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/

275

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

274

abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)

276

[255]

275

[255]

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             Proper https client requires the built-in ssl from Python 2.6.
               $ "$TESTDIR/hghave" ssl || exit 80
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
               $ cd ..
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
-              warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
               $ hg pull
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P=`pwd` hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P=`pwd` hg -R copy-pull pull --insecure
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost (use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
               warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Fingerprints
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
               $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
             - works without cacerts
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
 fed3813f7f5
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/
               abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
 fed3813f7f5
             Prepare for connecting through proxy
               $ kill `cat hg1.pid`
               $ sleep 1
               $ ("$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log 2>&1 </dev/null &
               $ echo $! > proxy.pid)
               $ cat proxy.pid >> $DAEMON_PIDS
               $ sleep 2
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]