tests: remove test targeting Python 2.6...
Gregory Szorc -
r32230:ab89d2f7 default
@@ -1,645 +1,634
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Make server certificates:
5 Make server certificates:
6
6
7 $ CERTSDIR="$TESTDIR/sslcerts"
7 $ CERTSDIR="$TESTDIR/sslcerts"
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
9 $ PRIV=`pwd`/server.pem
9 $ PRIV=`pwd`/server.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
12
12
13 $ hg init test
13 $ hg init test
14 $ cd test
14 $ cd test
15 $ echo foo>foo
15 $ echo foo>foo
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
17 $ echo foo>foo.d/foo
17 $ echo foo>foo.d/foo
18 $ echo bar>foo.d/bAr.hg.d/BaR
18 $ echo bar>foo.d/bAr.hg.d/BaR
19 $ echo bar>foo.d/baR.d.hg/bAR
19 $ echo bar>foo.d/baR.d.hg/bAR
20 $ hg commit -A -m 1
20 $ hg commit -A -m 1
21 adding foo
21 adding foo
22 adding foo.d/bAr.hg.d/BaR
22 adding foo.d/bAr.hg.d/BaR
23 adding foo.d/baR.d.hg/bAR
23 adding foo.d/baR.d.hg/bAR
24 adding foo.d/foo
24 adding foo.d/foo
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
26 $ cat ../hg0.pid >> $DAEMON_PIDS
26 $ cat ../hg0.pid >> $DAEMON_PIDS
27
27
28 cacert not found
28 cacert not found
29
29
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32 abort: could not find web.cacerts: no-such.pem
32 abort: could not find web.cacerts: no-such.pem
33 [255]
33 [255]
34
34
35 Test server address cannot be reused
35 Test server address cannot be reused
36
36
37 #if windows
37 #if windows
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
40 [255]
40 [255]
41 #else
41 #else
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
44 [255]
44 [255]
45 #endif
45 #endif
46 $ cd ..
46 $ cd ..
47
47
48 Our test cert is not signed by a trusted CA. It should fail to verify if
48 Our test cert is not signed by a trusted CA. It should fail to verify if
49 we are able to load CA certs.
49 we are able to load CA certs.
50
50
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
52 $ hg clone https://localhost:$HGPORT/ copy-pull
52 $ hg clone https://localhost:$HGPORT/ copy-pull
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
54 abort: error: *certificate verify failed* (glob)
54 abort: error: *certificate verify failed* (glob)
55 [255]
55 [255]
56 #endif
56 #endif
57
57
58 #if no-sslcontext defaultcacerts
58 #if no-sslcontext defaultcacerts
59 $ hg clone https://localhost:$HGPORT/ copy-pull
59 $ hg clone https://localhost:$HGPORT/ copy-pull
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
62 abort: error: *certificate verify failed* (glob)
62 abort: error: *certificate verify failed* (glob)
63 [255]
63 [255]
64 #endif
64 #endif
65
65
66 #if no-sslcontext windows
66 #if no-sslcontext windows
67 $ hg clone https://localhost:$HGPORT/ copy-pull
67 $ hg clone https://localhost:$HGPORT/ copy-pull
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
70 abort: error: *certificate verify failed* (glob)
70 abort: error: *certificate verify failed* (glob)
71 [255]
71 [255]
72 #endif
72 #endif
73
73
74 #if no-sslcontext osx
74 #if no-sslcontext osx
75 $ hg clone https://localhost:$HGPORT/ copy-pull
75 $ hg clone https://localhost:$HGPORT/ copy-pull
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
78 abort: localhost certificate error: no certificate received
78 abort: localhost certificate error: no certificate received
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
80 [255]
80 [255]
81 #endif
81 #endif
82
82
83 #if defaultcacertsloaded
83 #if defaultcacertsloaded
84 $ hg clone https://localhost:$HGPORT/ copy-pull
84 $ hg clone https://localhost:$HGPORT/ copy-pull
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
87 abort: error: *certificate verify failed* (glob)
87 abort: error: *certificate verify failed* (glob)
88 [255]
88 [255]
89 #endif
89 #endif
90
90
91 #if no-defaultcacerts
91 #if no-defaultcacerts
92 $ hg clone https://localhost:$HGPORT/ copy-pull
92 $ hg clone https://localhost:$HGPORT/ copy-pull
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
95 abort: localhost certificate error: no certificate received
95 abort: localhost certificate error: no certificate received
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
97 [255]
97 [255]
98 #endif
98 #endif
99
99
100 Specifying a per-host certificate file that doesn't exist will abort. The full
100 Specifying a per-host certificate file that doesn't exist will abort. The full
101 C:/path/to/msysroot will print on Windows.
101 C:/path/to/msysroot will print on Windows.
102
102
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
106 [255]
106 [255]
107
107
108 A malformed per-host certificate file will raise an error
108 A malformed per-host certificate file will raise an error
109
109
110 $ echo baddata > badca.pem
110 $ echo baddata > badca.pem
111 #if sslcontext
111 #if sslcontext
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
114 abort: error loading CA file badca.pem: * (glob)
114 abort: error loading CA file badca.pem: * (glob)
115 (file is empty or malformed?)
115 (file is empty or malformed?)
116 [255]
116 [255]
117 #else
117 #else
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
120 abort: error: * (glob)
120 abort: error: * (glob)
121 [255]
121 [255]
122 #endif
122 #endif
123
123
124 A per-host certificate mismatching the server will fail verification
124 A per-host certificate mismatching the server will fail verification
125
125
126 (modern ssl is able to discern whether the loaded cert is a CA cert)
126 (modern ssl is able to discern whether the loaded cert is a CA cert)
127 #if sslcontext
127 #if sslcontext
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
131 abort: error: *certificate verify failed* (glob)
131 abort: error: *certificate verify failed* (glob)
132 [255]
132 [255]
133 #else
133 #else
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
136 abort: error: *certificate verify failed* (glob)
136 abort: error: *certificate verify failed* (glob)
137 [255]
137 [255]
138 #endif
138 #endif
139
139
140 A per-host certificate matching the server's cert will be accepted
140 A per-host certificate matching the server's cert will be accepted
141
141
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
144 requesting all changes
144 requesting all changes
145 adding changesets
145 adding changesets
146 adding manifests
146 adding manifests
147 adding file changes
147 adding file changes
148 added 1 changesets with 4 changes to 4 files
148 added 1 changesets with 4 changes to 4 files
149
149
150 A per-host certificate with multiple certs and one matching will be accepted
150 A per-host certificate with multiple certs and one matching will be accepted
151
151
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
155 requesting all changes
155 requesting all changes
156 adding changesets
156 adding changesets
157 adding manifests
157 adding manifests
158 adding file changes
158 adding file changes
159 added 1 changesets with 4 changes to 4 files
159 added 1 changesets with 4 changes to 4 files
160
160
161 Defining both per-host certificate and a fingerprint will print a warning
161 Defining both per-host certificate and a fingerprint will print a warning
162
162
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
166 requesting all changes
166 requesting all changes
167 adding changesets
167 adding changesets
168 adding manifests
168 adding manifests
169 adding file changes
169 adding file changes
170 added 1 changesets with 4 changes to 4 files
170 added 1 changesets with 4 changes to 4 files
171
171
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
173
173
174 Inability to verify peer certificate will result in abort
174 Inability to verify peer certificate will result in abort
175
175
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
180 [255]
180 [255]
181
181
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
185 requesting all changes
185 requesting all changes
186 adding changesets
186 adding changesets
187 adding manifests
187 adding manifests
188 adding file changes
188 adding file changes
189 added 1 changesets with 4 changes to 4 files
189 added 1 changesets with 4 changes to 4 files
190 updating to branch default
190 updating to branch default
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
192 $ hg verify -R copy-pull
192 $ hg verify -R copy-pull
193 checking changesets
193 checking changesets
194 checking manifests
194 checking manifests
195 crosschecking files in changesets and manifests
195 crosschecking files in changesets and manifests
196 checking files
196 checking files
197 4 files, 1 changesets, 4 total revisions
197 4 files, 1 changesets, 4 total revisions
198 $ cd test
198 $ cd test
199 $ echo bar > bar
199 $ echo bar > bar
200 $ hg commit -A -d '1 0' -m 2
200 $ hg commit -A -d '1 0' -m 2
201 adding bar
201 adding bar
202 $ cd ..
202 $ cd ..
203
203
204 pull without cacert
204 pull without cacert
205
205
206 $ cd copy-pull
206 $ cd copy-pull
207 $ cat >> .hg/hgrc <<EOF
207 $ cat >> .hg/hgrc <<EOF
208 > [hooks]
208 > [hooks]
209 > changegroup = sh -c "printenv.py changegroup"
209 > changegroup = sh -c "printenv.py changegroup"
210 > EOF
210 > EOF
211 $ hg pull $DISABLECACERTS
211 $ hg pull $DISABLECACERTS
212 pulling from https://localhost:$HGPORT/
212 pulling from https://localhost:$HGPORT/
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
216 [255]
216 [255]
217
217
218 $ hg pull --insecure
218 $ hg pull --insecure
219 pulling from https://localhost:$HGPORT/
219 pulling from https://localhost:$HGPORT/
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
222 searching for changes
222 searching for changes
223 adding changesets
223 adding changesets
224 adding manifests
224 adding manifests
225 adding file changes
225 adding file changes
226 added 1 changesets with 1 changes to 1 files
226 added 1 changesets with 1 changes to 1 files
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
228 (run 'hg update' to get a working copy)
228 (run 'hg update' to get a working copy)
229 $ cd ..
229 $ cd ..
230
230
231 cacert configured in local repo
231 cacert configured in local repo
232
232
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
234 $ echo "[web]" >> copy-pull/.hg/hgrc
234 $ echo "[web]" >> copy-pull/.hg/hgrc
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
236 $ hg -R copy-pull pull
236 $ hg -R copy-pull pull
237 pulling from https://localhost:$HGPORT/
237 pulling from https://localhost:$HGPORT/
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
239 searching for changes
239 searching for changes
240 no changes found
240 no changes found
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
242
242
243 cacert configured globally, also testing expansion of environment
243 cacert configured globally, also testing expansion of environment
244 variables in the filename
244 variables in the filename
245
245
246 $ echo "[web]" >> $HGRCPATH
246 $ echo "[web]" >> $HGRCPATH
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
248 $ P="$CERTSDIR" hg -R copy-pull pull
248 $ P="$CERTSDIR" hg -R copy-pull pull
249 pulling from https://localhost:$HGPORT/
249 pulling from https://localhost:$HGPORT/
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
251 searching for changes
251 searching for changes
252 no changes found
252 no changes found
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
254 pulling from https://localhost:$HGPORT/
254 pulling from https://localhost:$HGPORT/
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
257 searching for changes
257 searching for changes
258 no changes found
258 no changes found
259
259
260 empty cacert file
260 empty cacert file
261
261
262 $ touch emptycafile
262 $ touch emptycafile
263
263
264 #if sslcontext
264 #if sslcontext
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
266 pulling from https://localhost:$HGPORT/
266 pulling from https://localhost:$HGPORT/
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
268 abort: error loading CA file emptycafile: * (glob)
268 abort: error loading CA file emptycafile: * (glob)
269 (file is empty or malformed?)
269 (file is empty or malformed?)
270 [255]
270 [255]
271 #else
271 #else
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
273 pulling from https://localhost:$HGPORT/
273 pulling from https://localhost:$HGPORT/
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
275 abort: error: * (glob)
275 abort: error: * (glob)
276 [255]
276 [255]
277 #endif
277 #endif
278
278
279 cacert mismatch
279 cacert mismatch
280
280
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
282 > https://$LOCALIP:$HGPORT/
282 > https://$LOCALIP:$HGPORT/
283 pulling from https://*:$HGPORT/ (glob)
283 pulling from https://*:$HGPORT/ (glob)
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
287 [255]
287 [255]
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
289 > https://$LOCALIP:$HGPORT/ --insecure
289 > https://$LOCALIP:$HGPORT/ --insecure
290 pulling from https://*:$HGPORT/ (glob)
290 pulling from https://*:$HGPORT/ (glob)
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
293 searching for changes
293 searching for changes
294 no changes found
294 no changes found
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
296 pulling from https://localhost:$HGPORT/
296 pulling from https://localhost:$HGPORT/
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
298 abort: error: *certificate verify failed* (glob)
298 abort: error: *certificate verify failed* (glob)
299 [255]
299 [255]
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
301 > --insecure
301 > --insecure
302 pulling from https://localhost:$HGPORT/
302 pulling from https://localhost:$HGPORT/
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
305 searching for changes
305 searching for changes
306 no changes found
306 no changes found
307
307
308 Test server cert which isn't valid yet
308 Test server cert which isn't valid yet
309
309
310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
311 $ cat hg1.pid >> $DAEMON_PIDS
311 $ cat hg1.pid >> $DAEMON_PIDS
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
313 > https://localhost:$HGPORT1/
313 > https://localhost:$HGPORT1/
314 pulling from https://localhost:$HGPORT1/
314 pulling from https://localhost:$HGPORT1/
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
316 abort: error: *certificate verify failed* (glob)
316 abort: error: *certificate verify failed* (glob)
317 [255]
317 [255]
318
318
319 Test server cert which no longer is valid
319 Test server cert which no longer is valid
320
320
321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
322 $ cat hg2.pid >> $DAEMON_PIDS
322 $ cat hg2.pid >> $DAEMON_PIDS
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
324 > https://localhost:$HGPORT2/
324 > https://localhost:$HGPORT2/
325 pulling from https://localhost:$HGPORT2/
325 pulling from https://localhost:$HGPORT2/
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
327 abort: error: *certificate verify failed* (glob)
327 abort: error: *certificate verify failed* (glob)
328 [255]
328 [255]
329
329
330 Disabling the TLS 1.0 warning works
330 Disabling the TLS 1.0 warning works
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
333 > --config hostsecurity.disabletls10warning=true
333 > --config hostsecurity.disabletls10warning=true
334 5fed3813f7f5
334 5fed3813f7f5
335
335
336 #if no-sslcontext no-py27+
336 Error message for setting ciphers is different depending on SSLContext support
337 Setting ciphers doesn't work in Python 2.6
338 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
339 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
340 abort: setting ciphers in [hostsecurity] is not supported by this version of Python
341 (remove the config option or run Mercurial with a modern Python version (preferred))
342 [255]
343 #endif
344
337
345 Setting ciphers works in Python 2.7+ but the error message is different on
338 #if no-sslcontext
346 legacy ssl. We test legacy once and do more feature checking on modern
347 configs.
348
349 #if py27+ no-sslcontext
350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
339 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
340 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
352 abort: *No cipher can be selected. (glob)
341 abort: *No cipher can be selected. (glob)
353 [255]
342 [255]
354
343
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
344 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
357 5fed3813f7f5
346 5fed3813f7f5
358 #endif
347 #endif
359
348
360 #if sslcontext
349 #if sslcontext
361 Setting ciphers to an invalid value aborts
350 Setting ciphers to an invalid value aborts
362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
351 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
364 abort: could not set ciphers: No cipher can be selected.
353 abort: could not set ciphers: No cipher can be selected.
365 (change cipher string (invalid) in config)
354 (change cipher string (invalid) in config)
366 [255]
355 [255]
367
356
368 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
357 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
369 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
358 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
370 abort: could not set ciphers: No cipher can be selected.
359 abort: could not set ciphers: No cipher can be selected.
371 (change cipher string (invalid) in config)
360 (change cipher string (invalid) in config)
372 [255]
361 [255]
373
362
374 Changing the cipher string works
363 Changing the cipher string works
375
364
376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
365 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
366 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
378 5fed3813f7f5
367 5fed3813f7f5
379 #endif
368 #endif
380
369
381 Fingerprints
370 Fingerprints
382
371
383 - works without cacerts (hostfingerprints)
372 - works without cacerts (hostfingerprints)
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
373 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
374 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
375 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
387 5fed3813f7f5
376 5fed3813f7f5
388
377
389 - works without cacerts (hostsecurity)
378 - works without cacerts (hostsecurity)
390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
379 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
380 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
392 5fed3813f7f5
381 5fed3813f7f5
393
382
394 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
383 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
395 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
396 5fed3813f7f5
385 5fed3813f7f5
397
386
398 - multiple fingerprints specified and first matches
387 - multiple fingerprints specified and first matches
399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
388 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
390 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
402 5fed3813f7f5
391 5fed3813f7f5
403
392
404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
393 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
406 5fed3813f7f5
395 5fed3813f7f5
407
396
408 - multiple fingerprints specified and last matches
397 - multiple fingerprints specified and last matches
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
398 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
400 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
412 5fed3813f7f5
401 5fed3813f7f5
413
402
414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
403 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 5fed3813f7f5
405 5fed3813f7f5
417
406
418 - multiple fingerprints specified and none match
407 - multiple fingerprints specified and none match
419
408
420 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
422 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
411 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
423 (check hostfingerprint configuration)
412 (check hostfingerprint configuration)
424 [255]
413 [255]
425
414
426 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
415 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
427 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
428 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
417 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
429 (check hostsecurity configuration)
418 (check hostsecurity configuration)
430 [255]
419 [255]
431
420
432 - fails when cert doesn't match hostname (port is ignored)
421 - fails when cert doesn't match hostname (port is ignored)
433 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
422 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
434 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
423 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
435 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
424 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
436 (check hostfingerprint configuration)
425 (check hostfingerprint configuration)
437 [255]
426 [255]
438
427
439
428
440 - ignores that certificate doesn't match hostname
429 - ignores that certificate doesn't match hostname
441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
430 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
431 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
432 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
444 5fed3813f7f5
433 5fed3813f7f5
445
434
446 Ports used by next test. Kill servers.
435 Ports used by next test. Kill servers.
447
436
448 $ killdaemons.py hg0.pid
437 $ killdaemons.py hg0.pid
449 $ killdaemons.py hg1.pid
438 $ killdaemons.py hg1.pid
450 $ killdaemons.py hg2.pid
439 $ killdaemons.py hg2.pid
451
440
452 #if sslcontext tls1.2
441 #if sslcontext tls1.2
453 Start servers running supported TLS versions
442 Start servers running supported TLS versions
454
443
455 $ cd test
444 $ cd test
456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
445 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
457 > --config devel.serverexactprotocol=tls1.0
446 > --config devel.serverexactprotocol=tls1.0
458 $ cat ../hg0.pid >> $DAEMON_PIDS
447 $ cat ../hg0.pid >> $DAEMON_PIDS
459 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
448 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
460 > --config devel.serverexactprotocol=tls1.1
449 > --config devel.serverexactprotocol=tls1.1
461 $ cat ../hg1.pid >> $DAEMON_PIDS
450 $ cat ../hg1.pid >> $DAEMON_PIDS
462 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
451 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
463 > --config devel.serverexactprotocol=tls1.2
452 > --config devel.serverexactprotocol=tls1.2
464 $ cat ../hg2.pid >> $DAEMON_PIDS
453 $ cat ../hg2.pid >> $DAEMON_PIDS
465 $ cd ..
454 $ cd ..
466
455
467 Clients talking same TLS versions work
456 Clients talking same TLS versions work
468
457
469 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
458 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
470 5fed3813f7f5
459 5fed3813f7f5
471 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
460 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
472 5fed3813f7f5
461 5fed3813f7f5
473 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
462 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
474 5fed3813f7f5
463 5fed3813f7f5
475
464
476 Clients requiring newer TLS version than what server supports fail
465 Clients requiring newer TLS version than what server supports fail
477
466
478 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
467 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
468 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
469 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
470 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
482 abort: error: *unsupported protocol* (glob)
471 abort: error: *unsupported protocol* (glob)
483 [255]
472 [255]
484
473
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
474 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
486 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
475 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
476 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
477 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 abort: error: *unsupported protocol* (glob)
478 abort: error: *unsupported protocol* (glob)
490 [255]
479 [255]
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
481 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
482 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
483 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
495 abort: error: *unsupported protocol* (glob)
484 abort: error: *unsupported protocol* (glob)
496 [255]
485 [255]
497 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
486 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
498 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
499 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
500 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
501 abort: error: *unsupported protocol* (glob)
490 abort: error: *unsupported protocol* (glob)
502 [255]
491 [255]
503
492
504 --insecure will allow TLS 1.0 connections and override configs
493 --insecure will allow TLS 1.0 connections and override configs
505
494
506 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
495 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
507 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
496 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
508 5fed3813f7f5
497 5fed3813f7f5
509
498
510 The per-host config option overrides the default
499 The per-host config option overrides the default
511
500
512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
501 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
513 > --config hostsecurity.minimumprotocol=tls1.2 \
502 > --config hostsecurity.minimumprotocol=tls1.2 \
514 > --config hostsecurity.localhost:minimumprotocol=tls1.0
503 > --config hostsecurity.localhost:minimumprotocol=tls1.0
515 5fed3813f7f5
504 5fed3813f7f5
516
505
517 The per-host config option by itself works
506 The per-host config option by itself works
518
507
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
508 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
520 > --config hostsecurity.localhost:minimumprotocol=tls1.2
509 > --config hostsecurity.localhost:minimumprotocol=tls1.2
521 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
510 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
522 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
511 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
523 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
512 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
524 abort: error: *unsupported protocol* (glob)
513 abort: error: *unsupported protocol* (glob)
525 [255]
514 [255]
526
515
527 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
516 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
528
517
529 $ cat >> copy-pull/.hg/hgrc << EOF
518 $ cat >> copy-pull/.hg/hgrc << EOF
530 > [hostsecurity]
519 > [hostsecurity]
531 > localhost:minimumprotocol=tls1.2
520 > localhost:minimumprotocol=tls1.2
532 > EOF
521 > EOF
533 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
522 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
534 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
523 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
535 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
524 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
536 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
525 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
537 abort: error: *unsupported protocol* (glob)
526 abort: error: *unsupported protocol* (glob)
538 [255]
527 [255]
539
528
540 $ killdaemons.py hg0.pid
529 $ killdaemons.py hg0.pid
541 $ killdaemons.py hg1.pid
530 $ killdaemons.py hg1.pid
542 $ killdaemons.py hg2.pid
531 $ killdaemons.py hg2.pid
543 #endif
532 #endif
544
533
545 Prepare for connecting through proxy
534 Prepare for connecting through proxy
546
535
547 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
536 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
548 $ cat hg0.pid >> $DAEMON_PIDS
537 $ cat hg0.pid >> $DAEMON_PIDS
549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
538 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
550 $ cat hg2.pid >> $DAEMON_PIDS
539 $ cat hg2.pid >> $DAEMON_PIDS
551 tinyproxy.py doesn't fully detach, so killing it may result in extra output
540 tinyproxy.py doesn't fully detach, so killing it may result in extra output
552 from the shell. So don't kill it.
541 from the shell. So don't kill it.
553 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
542 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
554 $ while [ ! -f proxy.pid ]; do sleep 0; done
543 $ while [ ! -f proxy.pid ]; do sleep 0; done
555 $ cat proxy.pid >> $DAEMON_PIDS
544 $ cat proxy.pid >> $DAEMON_PIDS
556
545
557 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
546 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
558 $ echo "always=True" >> copy-pull/.hg/hgrc
547 $ echo "always=True" >> copy-pull/.hg/hgrc
559 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
548 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
560 $ echo "localhost =" >> copy-pull/.hg/hgrc
549 $ echo "localhost =" >> copy-pull/.hg/hgrc
561
550
562 Test unvalidated https through proxy
551 Test unvalidated https through proxy
563
552
564 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
553 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
565 pulling from https://localhost:$HGPORT/
554 pulling from https://localhost:$HGPORT/
566 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
555 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
567 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
556 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
568 searching for changes
557 searching for changes
569 no changes found
558 no changes found
570
559
571 Test https with cacert and fingerprint through proxy
560 Test https with cacert and fingerprint through proxy
572
561
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
562 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
574 > --config web.cacerts="$CERTSDIR/pub.pem"
563 > --config web.cacerts="$CERTSDIR/pub.pem"
575 pulling from https://localhost:$HGPORT/
564 pulling from https://localhost:$HGPORT/
576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
565 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
577 searching for changes
566 searching for changes
578 no changes found
567 no changes found
579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
568 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
580 pulling from https://*:$HGPORT/ (glob)
569 pulling from https://*:$HGPORT/ (glob)
581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
570 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
571 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
583 searching for changes
572 searching for changes
584 no changes found
573 no changes found
585
574
586 Test https with cert problems through proxy
575 Test https with cert problems through proxy
587
576
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
577 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
589 > --config web.cacerts="$CERTSDIR/pub-other.pem"
578 > --config web.cacerts="$CERTSDIR/pub-other.pem"
590 pulling from https://localhost:$HGPORT/
579 pulling from https://localhost:$HGPORT/
591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
580 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
592 abort: error: *certificate verify failed* (glob)
581 abort: error: *certificate verify failed* (glob)
593 [255]
582 [255]
594 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
583 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
595 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
584 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
596 pulling from https://localhost:$HGPORT2/
585 pulling from https://localhost:$HGPORT2/
597 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
586 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
598 abort: error: *certificate verify failed* (glob)
587 abort: error: *certificate verify failed* (glob)
599 [255]
588 [255]
600
589
601
590
602 $ killdaemons.py hg0.pid
591 $ killdaemons.py hg0.pid
603
592
604 #if sslcontext
593 #if sslcontext
605
594
606 Start hgweb that requires client certificates:
595 Start hgweb that requires client certificates:
607
596
608 $ cd test
597 $ cd test
609 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
598 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
610 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
599 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
611 $ cat ../hg0.pid >> $DAEMON_PIDS
600 $ cat ../hg0.pid >> $DAEMON_PIDS
612 $ cd ..
601 $ cd ..
613
602
614 without client certificate:
603 without client certificate:
615
604
616 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
605 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
617 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
606 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
618 abort: error: *handshake failure* (glob)
607 abort: error: *handshake failure* (glob)
619 [255]
608 [255]
620
609
621 with client certificate:
610 with client certificate:
622
611
623 $ cat << EOT >> $HGRCPATH
612 $ cat << EOT >> $HGRCPATH
624 > [auth]
613 > [auth]
625 > l.prefix = localhost
614 > l.prefix = localhost
626 > l.cert = $CERTSDIR/client-cert.pem
615 > l.cert = $CERTSDIR/client-cert.pem
627 > l.key = $CERTSDIR/client-key.pem
616 > l.key = $CERTSDIR/client-key.pem
628 > EOT
617 > EOT
629
618
630 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
619 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
631 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
620 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
632 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
621 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
633 5fed3813f7f5
622 5fed3813f7f5
634
623
635 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
624 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
636 > --config ui.interactive=True --config ui.nontty=True
625 > --config ui.interactive=True --config ui.nontty=True
637 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
626 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
638 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
627 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
639
628
640 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
629 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
630 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
642 abort: error: * (glob)
631 abort: error: * (glob)
643 [255]
632 [255]
644
633
645 #endif
634 #endif