upstream/mercurial-mirror Commit - r29448:afbe1fe4

1

#require serve ssl

1

#require serve ssl

2

3

Proper https client requires the built-in ssl from Python 2.6.

3

Proper https client requires the built-in ssl from Python 2.6.

4

5

Make server certificates:

5

Make server certificates:

6

7

$ CERTSDIR="$TESTDIR/sslcerts"

7

$ CERTSDIR="$TESTDIR/sslcerts"

8

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem

8

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem

9

$ PRIV=`pwd`/server.pem

9

$ PRIV=`pwd`/server.pem

10

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem

10

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem

11

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem

11

$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem

12

13

$ hg init test

13

$ hg init test

14

$ cd test

14

$ cd test

15

$ echo foo>foo

15

$ echo foo>foo

16

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

16

$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

17

$ echo foo>foo.d/foo

17

$ echo foo>foo.d/foo

18

$ echo bar>foo.d/bAr.hg.d/BaR

18

$ echo bar>foo.d/bAr.hg.d/BaR

19

$ echo bar>foo.d/baR.d.hg/bAR

19

$ echo bar>foo.d/baR.d.hg/bAR

20

$ hg commit -A -m 1

20

$ hg commit -A -m 1

21

adding foo

21

adding foo

22

adding foo.d/bAr.hg.d/BaR

22

adding foo.d/bAr.hg.d/BaR

23

adding foo.d/baR.d.hg/bAR

23

adding foo.d/baR.d.hg/bAR

24

adding foo.d/foo

24

adding foo.d/foo

25

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

25

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

26

$ cat ../hg0.pid >> $DAEMON_PIDS

26

$ cat ../hg0.pid >> $DAEMON_PIDS

27

28

cacert not found

28

cacert not found

29

30

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

30

$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

31

abort: could not find web.cacerts: no-such.pem

31

abort: could not find web.cacerts: no-such.pem

32

[255]

32

[255]

33

34

Test server address cannot be reused

34

Test server address cannot be reused

35

36

#if windows

36

#if windows

37

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

37

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

38

abort: cannot start server at ':$HGPORT':

38

abort: cannot start server at ':$HGPORT':

39

[255]

39

[255]

40

#else

40

#else

41

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

41

$ hg serve -p $HGPORT --certificate=$PRIV 2>&1

42

abort: cannot start server at ':$HGPORT': Address already in use

42

abort: cannot start server at ':$HGPORT': Address already in use

43

[255]

43

[255]

44

#endif

44

#endif

45

$ cd ..

45

$ cd ..

46

47

Our test cert is not signed by a trusted CA. It should fail to verify if

47

Our test cert is not signed by a trusted CA. It should fail to verify if

48

we are able to load CA certs.

48

we are able to load CA certs.

49

50

#if defaultcacerts

50

#if defaultcacerts

51

$ hg clone https://localhost:$HGPORT/ copy-pull

51

$ hg clone https://localhost:$HGPORT/ copy-pull

52

abort: error: *certificate verify failed* (glob)

52

abort: error: *certificate verify failed* (glob)

53

[255]

53

[255]

54

#else

55

$ hg clone https://localhost:$HGPORT/ copy-pull

56

abort: localhost certificate error: no certificate received

57

(set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)

58

[255]

54

#endif

59

#endif

55

60

56

Specifying a per-host certificate file that doesn't exist will abort

61

Specifying a per-host certificate file that doesn't exist will abort

57

62

58

$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/

63

$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/

59

abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist

64

abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist

60

[255]

65

[255]

61

66

62

A malformed per-host certificate file will raise an error

67

A malformed per-host certificate file will raise an error

63

68

64

$ echo baddata > badca.pem

69

$ echo baddata > badca.pem

65

#if sslcontext

70

#if sslcontext

66

$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/

71

$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/

67

abort: error loading CA file badca.pem: * (glob)

72

abort: error loading CA file badca.pem: * (glob)

68

(file is empty or malformed?)

73

(file is empty or malformed?)

69

[255]

74

[255]

70

#else

75

#else

71

$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/

76

$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/

72

abort: error: * (glob)

77

abort: error: * (glob)

73

[255]

78

[255]

74

#endif

79

#endif

75

80

76

A per-host certificate mismatching the server will fail verification

81

A per-host certificate mismatching the server will fail verification

77

82

78

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/

83

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/

79

abort: error: *certificate verify failed* (glob)

84

abort: error: *certificate verify failed* (glob)

80

[255]

85

[255]

81

86

82

A per-host certificate matching the server's cert will be accepted

87

A per-host certificate matching the server's cert will be accepted

83

88

84

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1

89

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1

85

requesting all changes

90

requesting all changes

86

adding changesets

91

adding changesets

87

adding manifests

92

adding manifests

88

adding file changes

93

adding file changes

89

added 1 changesets with 4 changes to 4 files

94

added 1 changesets with 4 changes to 4 files

90

95

91

A per-host certificate with multiple certs and one matching will be accepted

96

A per-host certificate with multiple certs and one matching will be accepted

92

97

93

$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem

98

$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem

94

$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2

99

$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2

95

requesting all changes

100

requesting all changes

96

adding changesets

101

adding changesets

97

adding manifests

102

adding manifests

98

adding file changes

103

adding file changes

99

added 1 changesets with 4 changes to 4 files

104

added 1 changesets with 4 changes to 4 files

100

105

101

Defining both per-host certificate and a fingerprint will print a warning

106

Defining both per-host certificate and a fingerprint will print a warning

102

107

103

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning

108

$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning

104

(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)

109

(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)

105

requesting all changes

110

requesting all changes

106

adding changesets

111

adding changesets

107

adding manifests

112

adding manifests

108

adding file changes

113

adding file changes

109

added 1 changesets with 4 changes to 4 files

114

added 1 changesets with 4 changes to 4 files

110

115

111

$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"

116

$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"

112

117

113

Inability to verify peer certificate will result in abort

118

Inability to verify peer certificate will result in abort

114

119

115

$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS

120

$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS

116

abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect

121

abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect

117

(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)

122

(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)

118

[255]

123

[255]

119

124

120

$ hg clone --insecure https://localhost:$HGPORT/ copy-pull

125

$ hg clone --insecure https://localhost:$HGPORT/ copy-pull

121

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

126

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

122

requesting all changes

127

requesting all changes

123

adding changesets

128

adding changesets

124

adding manifests

129

adding manifests

125

adding file changes

130

adding file changes

126

added 1 changesets with 4 changes to 4 files

131

added 1 changesets with 4 changes to 4 files

127

updating to branch default

132

updating to branch default

128

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

133

4 files updated, 0 files merged, 0 files removed, 0 files unresolved

129

$ hg verify -R copy-pull

134

$ hg verify -R copy-pull

130

checking changesets

135

checking changesets

131

checking manifests

136

checking manifests

132

crosschecking files in changesets and manifests

137

crosschecking files in changesets and manifests

133

checking files

138

checking files

134

4 files, 1 changesets, 4 total revisions

139

4 files, 1 changesets, 4 total revisions

135

$ cd test

140

$ cd test

136

$ echo bar > bar

141

$ echo bar > bar

137

$ hg commit -A -d '1 0' -m 2

142

$ hg commit -A -d '1 0' -m 2

138

adding bar

143

adding bar

139

$ cd ..

144

$ cd ..

140

145

141

pull without cacert

146

pull without cacert

142

147

143

$ cd copy-pull

148

$ cd copy-pull

144

$ echo '[hooks]' >> .hg/hgrc

149

$ echo '[hooks]' >> .hg/hgrc

145

$ echo "changegroup = printenv.py changegroup" >> .hg/hgrc

150

$ echo "changegroup = printenv.py changegroup" >> .hg/hgrc

146

$ hg pull $DISABLECACERTS

151

$ hg pull $DISABLECACERTS

147

pulling from https://localhost:$HGPORT/

152

pulling from https://localhost:$HGPORT/

148

abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect

153

abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect

149

(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)

154

(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)

150

[255]

155

[255]

151

156

152

$ hg pull --insecure

157

$ hg pull --insecure

153

pulling from https://localhost:$HGPORT/

158

pulling from https://localhost:$HGPORT/

154

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

159

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

155

searching for changes

160

searching for changes

156

adding changesets

161

adding changesets

157

adding manifests

162

adding manifests

158

adding file changes

163

adding file changes

159

added 1 changesets with 1 changes to 1 files

164

added 1 changesets with 1 changes to 1 files

160

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)

165

changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)

161

(run 'hg update' to get a working copy)

166

(run 'hg update' to get a working copy)

162

$ cd ..

167

$ cd ..

163

168

164

cacert configured in local repo

169

cacert configured in local repo

165

170

166

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

171

$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

167

$ echo "[web]" >> copy-pull/.hg/hgrc

172

$ echo "[web]" >> copy-pull/.hg/hgrc

168

$ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc

173

$ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc

169

$ hg -R copy-pull pull --traceback

174

$ hg -R copy-pull pull --traceback

170

pulling from https://localhost:$HGPORT/

175

pulling from https://localhost:$HGPORT/

171

searching for changes

176

searching for changes

172

no changes found

177

no changes found

173

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

178

$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

174

179

175

cacert configured globally, also testing expansion of environment

180

cacert configured globally, also testing expansion of environment

176

variables in the filename

181

variables in the filename

177

182

178

$ echo "[web]" >> $HGRCPATH

183

$ echo "[web]" >> $HGRCPATH

179

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

184

$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

180

$ P="$CERTSDIR" hg -R copy-pull pull

185

$ P="$CERTSDIR" hg -R copy-pull pull

181

pulling from https://localhost:$HGPORT/

186

pulling from https://localhost:$HGPORT/

182

searching for changes

187

searching for changes

183

no changes found

188

no changes found

184

$ P="$CERTSDIR" hg -R copy-pull pull --insecure

189

$ P="$CERTSDIR" hg -R copy-pull pull --insecure

185

pulling from https://localhost:$HGPORT/

190

pulling from https://localhost:$HGPORT/

186

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

191

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

187

searching for changes

192

searching for changes

188

no changes found

193

no changes found

189

194

190

empty cacert file

195

empty cacert file

191

196

192

$ touch emptycafile

197

$ touch emptycafile

193

198

194

#if sslcontext

199

#if sslcontext

195

$ hg --config web.cacerts=emptycafile -R copy-pull pull

200

$ hg --config web.cacerts=emptycafile -R copy-pull pull

196

pulling from https://localhost:$HGPORT/

201

pulling from https://localhost:$HGPORT/

197

abort: error loading CA file emptycafile: * (glob)

202

abort: error loading CA file emptycafile: * (glob)

198

(file is empty or malformed?)

203

(file is empty or malformed?)

199

[255]

204

[255]

200

#else

205

#else

201

$ hg --config web.cacerts=emptycafile -R copy-pull pull

206

$ hg --config web.cacerts=emptycafile -R copy-pull pull

202

pulling from https://localhost:$HGPORT/

207

pulling from https://localhost:$HGPORT/

203

abort: error: * (glob)

208

abort: error: * (glob)

204

[255]

209

[255]

205

#endif

210

#endif

206

211

207

cacert mismatch

212

cacert mismatch

208

213

209

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

214

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

210

> https://127.0.0.1:$HGPORT/

215

> https://127.0.0.1:$HGPORT/

211

pulling from https://127.0.0.1:$HGPORT/

216

pulling from https://127.0.0.1:$HGPORT/

212

abort: 127.0.0.1 certificate error: certificate is for localhost

217

abort: 127.0.0.1 certificate error: certificate is for localhost

213

(set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)

218

(set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)

214

[255]

219

[255]

215

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

220

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

216

> https://127.0.0.1:$HGPORT/ --insecure

221

> https://127.0.0.1:$HGPORT/ --insecure

217

pulling from https://127.0.0.1:$HGPORT/

222

pulling from https://127.0.0.1:$HGPORT/

218

warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering

223

warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering

219

searching for changes

224

searching for changes

220

no changes found

225

no changes found

221

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"

226

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"

222

pulling from https://localhost:$HGPORT/

227

pulling from https://localhost:$HGPORT/

223

abort: error: *certificate verify failed* (glob)

228

abort: error: *certificate verify failed* (glob)

224

[255]

229

[255]

225

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \

230

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \

226

> --insecure

231

> --insecure

227

pulling from https://localhost:$HGPORT/

232

pulling from https://localhost:$HGPORT/

228

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

233

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

229

searching for changes

234

searching for changes

230

no changes found

235

no changes found

231

236

232

Test server cert which isn't valid yet

237

Test server cert which isn't valid yet

233

238

234

$ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

239

$ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

235

$ cat hg1.pid >> $DAEMON_PIDS

240

$ cat hg1.pid >> $DAEMON_PIDS

236

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \

241

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \

237

> https://localhost:$HGPORT1/

242

> https://localhost:$HGPORT1/

238

pulling from https://localhost:$HGPORT1/

243

pulling from https://localhost:$HGPORT1/

239

abort: error: *certificate verify failed* (glob)

244

abort: error: *certificate verify failed* (glob)

240

[255]

245

[255]

241

246

242

Test server cert which no longer is valid

247

Test server cert which no longer is valid

243

248

244

$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

249

$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

245

$ cat hg2.pid >> $DAEMON_PIDS

250

$ cat hg2.pid >> $DAEMON_PIDS

246

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \

251

$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \

247

> https://localhost:$HGPORT2/

252

> https://localhost:$HGPORT2/

248

pulling from https://localhost:$HGPORT2/

253

pulling from https://localhost:$HGPORT2/

249

abort: error: *certificate verify failed* (glob)

254

abort: error: *certificate verify failed* (glob)

250

[255]

255

[255]

251

256

252

Fingerprints

257

Fingerprints

253

258

254

- works without cacerts (hostkeyfingerprints)

259

- works without cacerts (hostkeyfingerprints)

255

$ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

260

$ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

256

5fed3813f7f5

261

5fed3813f7f5

257

262

258

- works without cacerts (hostsecurity)

263

- works without cacerts (hostsecurity)

259

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca

264

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca

260

5fed3813f7f5

265

5fed3813f7f5

261

266

262

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30

267

$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30

263

5fed3813f7f5

268

5fed3813f7f5

264

269

265

- multiple fingerprints specified and first matches

270

- multiple fingerprints specified and first matches

266

$ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

271

$ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

267

5fed3813f7f5

272

5fed3813f7f5

268

273

269

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

274

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

270

5fed3813f7f5

275

5fed3813f7f5

271

276

272

- multiple fingerprints specified and last matches

277

- multiple fingerprints specified and last matches

273

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure

278

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure

274

5fed3813f7f5

279

5fed3813f7f5

275

280

276

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/

281

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/

277

5fed3813f7f5

282

5fed3813f7f5

278

283

279

- multiple fingerprints specified and none match

284

- multiple fingerprints specified and none match

280

285

281

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

286

$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

282

abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

287

abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

283

(check hostfingerprint configuration)

288

(check hostfingerprint configuration)

284

[255]

289

[255]

285

290

286

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

291

$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

287

abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

292

abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca

288

(check hostsecurity configuration)

293

(check hostsecurity configuration)

289

[255]

294

[255]

290

295

291

- fails when cert doesn't match hostname (port is ignored)

296

- fails when cert doesn't match hostname (port is ignored)

292

$ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca

297

$ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca

293

abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

298

abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b

294

(check hostfingerprint configuration)

299

(check hostfingerprint configuration)

295

[255]

300

[255]

296

301

297

302

298

- ignores that certificate doesn't match hostname

303

- ignores that certificate doesn't match hostname

299

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

304

$ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

300

5fed3813f7f5

305

5fed3813f7f5

301

306

302

HGPORT1 is reused below for tinyproxy tests. Kill that server.

307

HGPORT1 is reused below for tinyproxy tests. Kill that server.

303

$ killdaemons.py hg1.pid

308

$ killdaemons.py hg1.pid

304

309

305

Prepare for connecting through proxy

310

Prepare for connecting through proxy

306

311

307

$ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

312

$ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &

308

$ while [ ! -f proxy.pid ]; do sleep 0; done

313

$ while [ ! -f proxy.pid ]; do sleep 0; done

309

$ cat proxy.pid >> $DAEMON_PIDS

314

$ cat proxy.pid >> $DAEMON_PIDS

310

315

311

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

316

$ echo "[http_proxy]" >> copy-pull/.hg/hgrc

312

$ echo "always=True" >> copy-pull/.hg/hgrc

317

$ echo "always=True" >> copy-pull/.hg/hgrc

313

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

318

$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc

314

$ echo "localhost =" >> copy-pull/.hg/hgrc

319

$ echo "localhost =" >> copy-pull/.hg/hgrc

315

320

316

Test unvalidated https through proxy

321

Test unvalidated https through proxy

317

322

318

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

323

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback

319

pulling from https://localhost:$HGPORT/

324

pulling from https://localhost:$HGPORT/

320

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

325

warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

321

searching for changes

326

searching for changes

322

no changes found

327

no changes found

323

328

324

Test https with cacert and fingerprint through proxy

329

Test https with cacert and fingerprint through proxy

325

330

326

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

331

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

327

> --config web.cacerts="$CERTSDIR/pub.pem"

332

> --config web.cacerts="$CERTSDIR/pub.pem"

328

pulling from https://localhost:$HGPORT/

333

pulling from https://localhost:$HGPORT/

329

searching for changes

334

searching for changes

330

no changes found

335

no changes found

331

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

336

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca

332

pulling from https://127.0.0.1:$HGPORT/

337

pulling from https://127.0.0.1:$HGPORT/

333

searching for changes

338

searching for changes

334

no changes found

339

no changes found

335

340

336

Test https with cert problems through proxy

341

Test https with cert problems through proxy

337

342

338

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

343

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

339

> --config web.cacerts="$CERTSDIR/pub-other.pem"

344

> --config web.cacerts="$CERTSDIR/pub-other.pem"

340

pulling from https://localhost:$HGPORT/

345

pulling from https://localhost:$HGPORT/

341

abort: error: *certificate verify failed* (glob)

346

abort: error: *certificate verify failed* (glob)

342

[255]

347

[255]

343

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

348

$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \

344

> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/

349

> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/

345

pulling from https://localhost:$HGPORT2/

350

pulling from https://localhost:$HGPORT2/

346

abort: error: *certificate verify failed* (glob)

351

abort: error: *certificate verify failed* (glob)

347

[255]

352

[255]

348

353

349

354

350

$ killdaemons.py hg0.pid

355

$ killdaemons.py hg0.pid

351

356

352

#if sslcontext

357

#if sslcontext

353

358

354

Start patched hgweb that requires client certificates:

359

Start patched hgweb that requires client certificates:

355

360

356

$ cat << EOT > reqclientcert.py

361

$ cat << EOT > reqclientcert.py

357

> import ssl

362

> import ssl

358

> from mercurial.hgweb import server

363

> from mercurial.hgweb import server

359

> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):

364

> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):

360

> @staticmethod

365

> @staticmethod

361

> def preparehttpserver(httpserver, ssl_cert):

366

> def preparehttpserver(httpserver, ssl_cert):

362

> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

367

> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

363

> sslcontext.verify_mode = ssl.CERT_REQUIRED

368

> sslcontext.verify_mode = ssl.CERT_REQUIRED

364

> sslcontext.load_cert_chain(ssl_cert)

369

> sslcontext.load_cert_chain(ssl_cert)

365

> # verify clients by server certificate

370

> # verify clients by server certificate

366

> sslcontext.load_verify_locations(ssl_cert)

371

> sslcontext.load_verify_locations(ssl_cert)

367

> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,

372

> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,

368

> server_side=True)

373

> server_side=True)

369

> server._httprequesthandlerssl = _httprequesthandlersslclientcert

374

> server._httprequesthandlerssl = _httprequesthandlersslclientcert

370

> EOT

375

> EOT

371

$ cd test

376

$ cd test

372

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \

377

$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \

373

> --config extensions.reqclientcert=../reqclientcert.py

378

> --config extensions.reqclientcert=../reqclientcert.py

374

$ cat ../hg0.pid >> $DAEMON_PIDS

379

$ cat ../hg0.pid >> $DAEMON_PIDS

375

$ cd ..

380

$ cd ..

376

381

377

without client certificate:

382

without client certificate:

378

383

379

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/

384

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/

380

abort: error: *handshake failure* (glob)

385

abort: error: *handshake failure* (glob)

381

[255]

386

[255]

382

387

383

with client certificate:

388

with client certificate:

384

389

385

$ cat << EOT >> $HGRCPATH

390

$ cat << EOT >> $HGRCPATH

386

> [auth]

391

> [auth]

387

> l.prefix = localhost

392

> l.prefix = localhost

388

> l.cert = $CERTSDIR/client-cert.pem

393

> l.cert = $CERTSDIR/client-cert.pem

389

> l.key = $CERTSDIR/client-key.pem

394

> l.key = $CERTSDIR/client-key.pem

390

> EOT

395

> EOT

391

396

392

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

397

$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

393

> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"

398

> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"

394

5fed3813f7f5

399

5fed3813f7f5

395

400

396

$ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

401

$ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \

397

> --config ui.interactive=True --config ui.nontty=True

402

> --config ui.interactive=True --config ui.nontty=True

398

passphrase for */client-key.pem: 5fed3813f7f5 (glob)

403

passphrase for */client-key.pem: 5fed3813f7f5 (glob)

399

404

400

$ env P="$CERTSDIR" hg id https://localhost:$HGPORT/

405

$ env P="$CERTSDIR" hg id https://localhost:$HGPORT/

401

abort: error: * (glob)

406

abort: error: * (glob)

402

[255]

407

[255]

403

408

404

#endif

409

#endif

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #require serve ssl
             Proper https client requires the built-in ssl from Python 2.6.
             Make server certificates:
               $ CERTSDIR="$TESTDIR/sslcerts"
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
             #if windows
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT':
               [255]
             #else
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
             #endif
               $ cd ..
             Our test cert is not signed by a trusted CA. It should fail to verify if
             we are able to load CA certs.
             #if defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               abort: error: *certificate verify failed* (glob)
               [255]
+            #else
+              $ hg clone https://localhost:$HGPORT/ copy-pull
+              abort: localhost certificate error: no certificate received
+              (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
+              [255]
             #endif
             Specifying a per-host certificate file that doesn't exist will abort
               $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
               abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
               [255]
             A malformed per-host certificate file will raise an error
               $ echo baddata > badca.pem
             #if sslcontext
               $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
               abort: error loading CA file badca.pem: * (glob)
               (file is empty or malformed?)
               [255]
             #else
               $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif
             A per-host certificate mismatching the server will fail verification
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
             A per-host certificate matching the server's cert will be accepted
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             A per-host certificate with multiple certs and one matching will be accepted
               $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
               $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             Defining both per-host certificate and a fingerprint will print a warning
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
               (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
             Inability to verify peer certificate will result in abort
               $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
               abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
               (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)
               [255]
               $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
               $ hg pull $DISABLECACERTS
               pulling from https://localhost:$HGPORT/
               abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
               (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)
               [255]
               $ hg pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P="$CERTSDIR" hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P="$CERTSDIR" hg -R copy-pull pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             empty cacert file
               $ touch emptycafile
             #if sslcontext
               $ hg --config web.cacerts=emptycafile -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               abort: error loading CA file emptycafile: * (glob)
               (file is empty or malformed?)
               [255]
             #else
               $ hg --config web.cacerts=emptycafile -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/ --insecure
               pulling from https://127.0.0.1:$HGPORT/
               warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
               > --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
               > https://localhost:$HGPORT1/
               pulling from https://localhost:$HGPORT1/
               abort: error: *certificate verify failed* (glob)
               [255]
             Test server cert which no longer is valid
               $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
               > https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
             Fingerprints
             - works without cacerts (hostkeyfingerprints)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
 fed3813f7f5
             - works without cacerts (hostsecurity)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
 fed3813f7f5
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
 fed3813f7f5
             - multiple fingerprints specified and first matches
               $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
 fed3813f7f5
             - multiple fingerprints specified and last matches
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
 fed3813f7f5
             - multiple fingerprints specified and none match
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
               abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
               (check hostfingerprint configuration)
               [255]
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
               abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
               (check hostsecurity configuration)
               [255]
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
               abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
               (check hostfingerprint configuration)
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
 fed3813f7f5
             HGPORT1 is reused below for tinyproxy tests. Kill that server.
               $ killdaemons.py hg1.pid
             Prepare for connecting through proxy
               $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
               $ while [ ! -f proxy.pid ]; do sleep 0; done
               $ cat proxy.pid >> $DAEMON_PIDS
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub.pem"
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ killdaemons.py hg0.pid
             #if sslcontext
             Start patched hgweb that requires client certificates:
               $ cat << EOT > reqclientcert.py
               > import ssl
               > from mercurial.hgweb import server
               > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
               >     @staticmethod
               >     def preparehttpserver(httpserver, ssl_cert):
               >         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
               >         sslcontext.verify_mode = ssl.CERT_REQUIRED
               >         sslcontext.load_cert_chain(ssl_cert)
               >         # verify clients by server certificate
               >         sslcontext.load_verify_locations(ssl_cert)
               >         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
               >                                                    server_side=True)
               > server._httprequesthandlerssl = _httprequesthandlersslclientcert
               > EOT
               $ cd test
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
               > --config extensions.reqclientcert=../reqclientcert.py
               $ cat ../hg0.pid >> $DAEMON_PIDS
               $ cd ..
             without client certificate:
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: *handshake failure* (glob)
               [255]
             with client certificate:
               $ cat << EOT >> $HGRCPATH
               > [auth]
               > l.prefix = localhost
               > l.cert = $CERTSDIR/client-cert.pem
               > l.key = $CERTSDIR/client-key.pem
               > EOT
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
 fed3813f7f5
               $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config ui.interactive=True --config ui.nontty=True
               passphrase for */client-key.pem: 5fed3813f7f5 (glob)
               $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif