test-https: stabilize for Windows...
Matt Harbison -
r33422:ba971f55 default
@@ -1,659 +1,663
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Make server certificates:
5 Make server certificates:
6
6
7 $ CERTSDIR="$TESTDIR/sslcerts"
7 $ CERTSDIR="$TESTDIR/sslcerts"
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
9 $ PRIV=`pwd`/server.pem
9 $ PRIV=`pwd`/server.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
12
12
13 $ hg init test
13 $ hg init test
14 $ cd test
14 $ cd test
15 $ echo foo>foo
15 $ echo foo>foo
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
17 $ echo foo>foo.d/foo
17 $ echo foo>foo.d/foo
18 $ echo bar>foo.d/bAr.hg.d/BaR
18 $ echo bar>foo.d/bAr.hg.d/BaR
19 $ echo bar>foo.d/baR.d.hg/bAR
19 $ echo bar>foo.d/baR.d.hg/bAR
20 $ hg commit -A -m 1
20 $ hg commit -A -m 1
21 adding foo
21 adding foo
22 adding foo.d/bAr.hg.d/BaR
22 adding foo.d/bAr.hg.d/BaR
23 adding foo.d/baR.d.hg/bAR
23 adding foo.d/baR.d.hg/bAR
24 adding foo.d/foo
24 adding foo.d/foo
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
26 $ cat ../hg0.pid >> $DAEMON_PIDS
26 $ cat ../hg0.pid >> $DAEMON_PIDS
27
27
28 cacert not found
28 cacert not found
29
29
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32 abort: could not find web.cacerts: no-such.pem
32 abort: could not find web.cacerts: no-such.pem
33 [255]
33 [255]
34
34
35 Test server address cannot be reused
35 Test server address cannot be reused
36
36
37 #if windows
37 #if windows
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
40 [255]
40 [255]
41 #else
41 #else
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
44 [255]
44 [255]
45 #endif
45 #endif
46 $ cd ..
46 $ cd ..
47
47
48 Our test cert is not signed by a trusted CA. It should fail to verify if
48 Our test cert is not signed by a trusted CA. It should fail to verify if
49 we are able to load CA certs.
49 we are able to load CA certs.
50
50
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
52 $ hg clone https://localhost:$HGPORT/ copy-pull
52 $ hg clone https://localhost:$HGPORT/ copy-pull
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
54 abort: error: *certificate verify failed* (glob)
54 abort: error: *certificate verify failed* (glob)
55 [255]
55 [255]
56 #endif
56 #endif
57
57
58 #if no-sslcontext defaultcacerts
58 #if no-sslcontext defaultcacerts
59 $ hg clone https://localhost:$HGPORT/ copy-pull
59 $ hg clone https://localhost:$HGPORT/ copy-pull
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
62 abort: error: *certificate verify failed* (glob)
62 abort: error: *certificate verify failed* (glob)
63 [255]
63 [255]
64 #endif
64 #endif
65
65
66 #if no-sslcontext windows
66 #if no-sslcontext windows
67 $ hg clone https://localhost:$HGPORT/ copy-pull
67 $ hg clone https://localhost:$HGPORT/ copy-pull
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
70 abort: error: *certificate verify failed* (glob)
70 abort: error: *certificate verify failed* (glob)
71 [255]
71 [255]
72 #endif
72 #endif
73
73
74 #if no-sslcontext osx
74 #if no-sslcontext osx
75 $ hg clone https://localhost:$HGPORT/ copy-pull
75 $ hg clone https://localhost:$HGPORT/ copy-pull
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
78 abort: localhost certificate error: no certificate received
78 abort: localhost certificate error: no certificate received
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
80 [255]
80 [255]
81 #endif
81 #endif
82
82
83 #if defaultcacertsloaded
83 #if defaultcacertsloaded
84 $ hg clone https://localhost:$HGPORT/ copy-pull
84 $ hg clone https://localhost:$HGPORT/ copy-pull
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
87 abort: error: *certificate verify failed* (glob)
87 abort: error: *certificate verify failed* (glob)
88 [255]
88 [255]
89 #endif
89 #endif
90
90
91 #if no-defaultcacerts
91 #if no-defaultcacerts
92 $ hg clone https://localhost:$HGPORT/ copy-pull
92 $ hg clone https://localhost:$HGPORT/ copy-pull
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
95 abort: localhost certificate error: no certificate received
95 abort: localhost certificate error: no certificate received
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
97 [255]
97 [255]
98 #endif
98 #endif
99
99
100 Specifying a per-host certificate file that doesn't exist will abort. The full
100 Specifying a per-host certificate file that doesn't exist will abort. The full
101 C:/path/to/msysroot will print on Windows.
101 C:/path/to/msysroot will print on Windows.
102
102
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
106 [255]
106 [255]
107
107
108 A malformed per-host certificate file will raise an error
108 A malformed per-host certificate file will raise an error
109
109
110 $ echo baddata > badca.pem
110 $ echo baddata > badca.pem
111 #if sslcontext
111 #if sslcontext
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
114 abort: error loading CA file badca.pem: * (glob)
114 abort: error loading CA file badca.pem: * (glob)
115 (file is empty or malformed?)
115 (file is empty or malformed?)
116 [255]
116 [255]
117 #else
117 #else
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
120 abort: error: * (glob)
120 abort: error: * (glob)
121 [255]
121 [255]
122 #endif
122 #endif
123
123
124 A per-host certificate mismatching the server will fail verification
124 A per-host certificate mismatching the server will fail verification
125
125
126 (modern ssl is able to discern whether the loaded cert is a CA cert)
126 (modern ssl is able to discern whether the loaded cert is a CA cert)
127 #if sslcontext
127 #if sslcontext
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
131 abort: error: *certificate verify failed* (glob)
131 abort: error: *certificate verify failed* (glob)
132 [255]
132 [255]
133 #else
133 #else
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
136 abort: error: *certificate verify failed* (glob)
136 abort: error: *certificate verify failed* (glob)
137 [255]
137 [255]
138 #endif
138 #endif
139
139
140 A per-host certificate matching the server's cert will be accepted
140 A per-host certificate matching the server's cert will be accepted
141
141
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
144 requesting all changes
144 requesting all changes
145 adding changesets
145 adding changesets
146 adding manifests
146 adding manifests
147 adding file changes
147 adding file changes
148 added 1 changesets with 4 changes to 4 files
148 added 1 changesets with 4 changes to 4 files
149
149
150 A per-host certificate with multiple certs and one matching will be accepted
150 A per-host certificate with multiple certs and one matching will be accepted
151
151
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
155 requesting all changes
155 requesting all changes
156 adding changesets
156 adding changesets
157 adding manifests
157 adding manifests
158 adding file changes
158 adding file changes
159 added 1 changesets with 4 changes to 4 files
159 added 1 changesets with 4 changes to 4 files
160
160
161 Defining both per-host certificate and a fingerprint will print a warning
161 Defining both per-host certificate and a fingerprint will print a warning
162
162
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
166 requesting all changes
166 requesting all changes
167 adding changesets
167 adding changesets
168 adding manifests
168 adding manifests
169 adding file changes
169 adding file changes
170 added 1 changesets with 4 changes to 4 files
170 added 1 changesets with 4 changes to 4 files
171
171
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
173
173
174 Inability to verify peer certificate will result in abort
174 Inability to verify peer certificate will result in abort
175
175
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
180 [255]
180 [255]
181
181
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
185 requesting all changes
185 requesting all changes
186 adding changesets
186 adding changesets
187 adding manifests
187 adding manifests
188 adding file changes
188 adding file changes
189 added 1 changesets with 4 changes to 4 files
189 added 1 changesets with 4 changes to 4 files
190 updating to branch default
190 updating to branch default
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
192 $ hg verify -R copy-pull
192 $ hg verify -R copy-pull
193 checking changesets
193 checking changesets
194 checking manifests
194 checking manifests
195 crosschecking files in changesets and manifests
195 crosschecking files in changesets and manifests
196 checking files
196 checking files
197 4 files, 1 changesets, 4 total revisions
197 4 files, 1 changesets, 4 total revisions
198 $ cd test
198 $ cd test
199 $ echo bar > bar
199 $ echo bar > bar
200 $ hg commit -A -d '1 0' -m 2
200 $ hg commit -A -d '1 0' -m 2
201 adding bar
201 adding bar
202 $ cd ..
202 $ cd ..
203
203
204 pull without cacert
204 pull without cacert
205
205
206 $ cd copy-pull
206 $ cd copy-pull
207 $ cat >> .hg/hgrc <<EOF
207 $ cat >> .hg/hgrc <<EOF
208 > [hooks]
208 > [hooks]
209 > changegroup = sh -c "printenv.py changegroup"
209 > changegroup = sh -c "printenv.py changegroup"
210 > EOF
210 > EOF
211 $ hg pull $DISABLECACERTS
211 $ hg pull $DISABLECACERTS
212 pulling from https://localhost:$HGPORT/
212 pulling from https://localhost:$HGPORT/
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
216 [255]
216 [255]
217
217
218 $ hg pull --insecure
218 $ hg pull --insecure
219 pulling from https://localhost:$HGPORT/
219 pulling from https://localhost:$HGPORT/
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
222 searching for changes
222 searching for changes
223 adding changesets
223 adding changesets
224 adding manifests
224 adding manifests
225 adding file changes
225 adding file changes
226 added 1 changesets with 1 changes to 1 files
226 added 1 changesets with 1 changes to 1 files
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
228 (run 'hg update' to get a working copy)
228 (run 'hg update' to get a working copy)
229 $ cd ..
229 $ cd ..
230
230
231 cacert configured in local repo
231 cacert configured in local repo
232
232
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
234 $ echo "[web]" >> copy-pull/.hg/hgrc
234 $ echo "[web]" >> copy-pull/.hg/hgrc
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
236 $ hg -R copy-pull pull
236 $ hg -R copy-pull pull
237 pulling from https://localhost:$HGPORT/
237 pulling from https://localhost:$HGPORT/
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
239 searching for changes
239 searching for changes
240 no changes found
240 no changes found
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
242
242
243 cacert configured globally, also testing expansion of environment
243 cacert configured globally, also testing expansion of environment
244 variables in the filename
244 variables in the filename
245
245
246 $ echo "[web]" >> $HGRCPATH
246 $ echo "[web]" >> $HGRCPATH
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
248 $ P="$CERTSDIR" hg -R copy-pull pull
248 $ P="$CERTSDIR" hg -R copy-pull pull
249 pulling from https://localhost:$HGPORT/
249 pulling from https://localhost:$HGPORT/
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
251 searching for changes
251 searching for changes
252 no changes found
252 no changes found
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
254 pulling from https://localhost:$HGPORT/
254 pulling from https://localhost:$HGPORT/
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
257 searching for changes
257 searching for changes
258 no changes found
258 no changes found
259
259
260 empty cacert file
260 empty cacert file
261
261
262 $ touch emptycafile
262 $ touch emptycafile
263
263
264 #if sslcontext
264 #if sslcontext
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
266 pulling from https://localhost:$HGPORT/
266 pulling from https://localhost:$HGPORT/
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
268 abort: error loading CA file emptycafile: * (glob)
268 abort: error loading CA file emptycafile: * (glob)
269 (file is empty or malformed?)
269 (file is empty or malformed?)
270 [255]
270 [255]
271 #else
271 #else
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
273 pulling from https://localhost:$HGPORT/
273 pulling from https://localhost:$HGPORT/
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
275 abort: error: * (glob)
275 abort: error: * (glob)
276 [255]
276 [255]
277 #endif
277 #endif
278
278
279 cacert mismatch
279 cacert mismatch
280
280
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
282 > https://$LOCALIP:$HGPORT/
282 > https://$LOCALIP:$HGPORT/
283 pulling from https://*:$HGPORT/ (glob)
283 pulling from https://*:$HGPORT/ (glob)
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
287 [255]
287 [255]
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
289 > https://$LOCALIP:$HGPORT/ --insecure
289 > https://$LOCALIP:$HGPORT/ --insecure
290 pulling from https://*:$HGPORT/ (glob)
290 pulling from https://*:$HGPORT/ (glob)
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
293 searching for changes
293 searching for changes
294 no changes found
294 no changes found
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
296 pulling from https://localhost:$HGPORT/
296 pulling from https://localhost:$HGPORT/
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
298 abort: error: *certificate verify failed* (glob)
298 abort: error: *certificate verify failed* (glob)
299 [255]
299 [255]
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
301 > --insecure
301 > --insecure
302 pulling from https://localhost:$HGPORT/
302 pulling from https://localhost:$HGPORT/
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
305 searching for changes
305 searching for changes
306 no changes found
306 no changes found
307
307
308 Test server cert which isn't valid yet
308 Test server cert which isn't valid yet
309
309
310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
311 $ cat hg1.pid >> $DAEMON_PIDS
311 $ cat hg1.pid >> $DAEMON_PIDS
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
313 > https://localhost:$HGPORT1/
313 > https://localhost:$HGPORT1/
314 pulling from https://localhost:$HGPORT1/
314 pulling from https://localhost:$HGPORT1/
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
316 abort: error: *certificate verify failed* (glob)
316 abort: error: *certificate verify failed* (glob)
317 [255]
317 [255]
318
318
319 Test server cert which no longer is valid
319 Test server cert which no longer is valid
320
320
321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
322 $ cat hg2.pid >> $DAEMON_PIDS
322 $ cat hg2.pid >> $DAEMON_PIDS
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
324 > https://localhost:$HGPORT2/
324 > https://localhost:$HGPORT2/
325 pulling from https://localhost:$HGPORT2/
325 pulling from https://localhost:$HGPORT2/
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
327 abort: error: *certificate verify failed* (glob)
327 abort: error: *certificate verify failed* (glob)
328 [255]
328 [255]
329
329
330 Disabling the TLS 1.0 warning works
330 Disabling the TLS 1.0 warning works
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
333 > --config hostsecurity.disabletls10warning=true
333 > --config hostsecurity.disabletls10warning=true
334 5fed3813f7f5
334 5fed3813f7f5
335
335
336 Error message for setting ciphers is different depending on SSLContext support
336 Error message for setting ciphers is different depending on SSLContext support
337
337
338 #if no-sslcontext
338 #if no-sslcontext
339 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
339 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
340 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
340 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
341 abort: *No cipher can be selected. (glob)
341 abort: *No cipher can be selected. (glob)
342 [255]
342 [255]
343
343
344 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
344 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
346 5fed3813f7f5
346 5fed3813f7f5
347 #endif
347 #endif
348
348
349 #if sslcontext
349 #if sslcontext
350 Setting ciphers to an invalid value aborts
350 Setting ciphers to an invalid value aborts
351 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
351 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
353 abort: could not set ciphers: No cipher can be selected.
353 abort: could not set ciphers: No cipher can be selected.
354 (change cipher string (invalid) in config)
354 (change cipher string (invalid) in config)
355 [255]
355 [255]
356
356
357 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
357 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
358 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
358 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
359 abort: could not set ciphers: No cipher can be selected.
359 abort: could not set ciphers: No cipher can be selected.
360 (change cipher string (invalid) in config)
360 (change cipher string (invalid) in config)
361 [255]
361 [255]
362
362
363 Changing the cipher string works
363 Changing the cipher string works
364
364
365 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
365 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
366 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
366 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
367 5fed3813f7f5
367 5fed3813f7f5
368 #endif
368 #endif
369
369
370 Fingerprints
370 Fingerprints
371
371
372 - works without cacerts (hostfingerprints)
372 - works without cacerts (hostfingerprints)
373 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
373 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
374 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
374 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
375 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
375 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
376 5fed3813f7f5
376 5fed3813f7f5
377
377
378 - works without cacerts (hostsecurity)
378 - works without cacerts (hostsecurity)
379 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
379 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
380 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
380 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
381 5fed3813f7f5
381 5fed3813f7f5
382
382
383 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
383 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
385 5fed3813f7f5
385 5fed3813f7f5
386
386
387 - multiple fingerprints specified and first matches
387 - multiple fingerprints specified and first matches
388 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
388 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
390 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
390 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
391 5fed3813f7f5
391 5fed3813f7f5
392
392
393 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
393 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
395 5fed3813f7f5
395 5fed3813f7f5
396
396
397 - multiple fingerprints specified and last matches
397 - multiple fingerprints specified and last matches
398 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
398 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
400 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
400 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
401 5fed3813f7f5
401 5fed3813f7f5
402
402
403 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
403 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
405 5fed3813f7f5
405 5fed3813f7f5
406
406
407 - multiple fingerprints specified and none match
407 - multiple fingerprints specified and none match
408
408
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
411 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
411 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
412 (check hostfingerprint configuration)
412 (check hostfingerprint configuration)
413 [255]
413 [255]
414
414
415 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
415 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
416 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
417 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
417 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
418 (check hostsecurity configuration)
418 (check hostsecurity configuration)
419 [255]
419 [255]
420
420
421 - fails when cert doesn't match hostname (port is ignored)
421 - fails when cert doesn't match hostname (port is ignored)
422 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
422 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
423 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
423 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
424 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
424 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
425 (check hostfingerprint configuration)
425 (check hostfingerprint configuration)
426 [255]
426 [255]
427
427
428
428
429 - ignores that certificate doesn't match hostname
429 - ignores that certificate doesn't match hostname
430 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
430 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
431 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
431 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
432 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
432 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
433 5fed3813f7f5
433 5fed3813f7f5
434
434
435 Ports used by next test. Kill servers.
435 Ports used by next test. Kill servers.
436
436
437 $ killdaemons.py hg0.pid
437 $ killdaemons.py hg0.pid
438 $ killdaemons.py hg1.pid
438 $ killdaemons.py hg1.pid
439 $ killdaemons.py hg2.pid
439 $ killdaemons.py hg2.pid
440
440
441 #if sslcontext tls1.2
441 #if sslcontext tls1.2
442 Start servers running supported TLS versions
442 Start servers running supported TLS versions
443
443
444 $ cd test
444 $ cd test
445 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
445 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
446 > --config devel.serverexactprotocol=tls1.0
446 > --config devel.serverexactprotocol=tls1.0
447 $ cat ../hg0.pid >> $DAEMON_PIDS
447 $ cat ../hg0.pid >> $DAEMON_PIDS
448 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
448 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
449 > --config devel.serverexactprotocol=tls1.1
449 > --config devel.serverexactprotocol=tls1.1
450 $ cat ../hg1.pid >> $DAEMON_PIDS
450 $ cat ../hg1.pid >> $DAEMON_PIDS
451 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
451 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
452 > --config devel.serverexactprotocol=tls1.2
452 > --config devel.serverexactprotocol=tls1.2
453 $ cat ../hg2.pid >> $DAEMON_PIDS
453 $ cat ../hg2.pid >> $DAEMON_PIDS
454 $ cd ..
454 $ cd ..
455
455
456 Clients talking same TLS versions work
456 Clients talking same TLS versions work
457
457
458 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
458 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
459 5fed3813f7f5
459 5fed3813f7f5
460 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
460 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
461 5fed3813f7f5
461 5fed3813f7f5
462 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
462 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
463 5fed3813f7f5
463 5fed3813f7f5
464
464
465 Clients requiring newer TLS version than what server supports fail
465 Clients requiring newer TLS version than what server supports fail
466
466
467 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
467 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
468 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
468 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
469 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
469 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
470 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
470 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
471 abort: error: *unsupported protocol* (glob)
471 abort: error: *unsupported protocol* (glob)
472 [255]
472 [255]
473
473
474 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
474 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
475 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
475 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
476 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
476 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
477 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
477 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
478 abort: error: *unsupported protocol* (glob)
478 abort: error: *unsupported protocol* (glob)
479 [255]
479 [255]
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
481 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
481 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
482 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
482 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
483 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
483 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
484 abort: error: *unsupported protocol* (glob)
484 abort: error: *unsupported protocol* (glob)
485 [255]
485 [255]
486 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
486 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
487 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
488 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
489 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
490 abort: error: *unsupported protocol* (glob)
490 abort: error: *unsupported protocol* (glob)
491 [255]
491 [255]
492
492
493 --insecure will allow TLS 1.0 connections and override configs
493 --insecure will allow TLS 1.0 connections and override configs
494
494
495 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
495 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
496 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
496 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
497 5fed3813f7f5
497 5fed3813f7f5
498
498
499 The per-host config option overrides the default
499 The per-host config option overrides the default
500
500
501 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
501 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
502 > --config hostsecurity.minimumprotocol=tls1.2 \
502 > --config hostsecurity.minimumprotocol=tls1.2 \
503 > --config hostsecurity.localhost:minimumprotocol=tls1.0
503 > --config hostsecurity.localhost:minimumprotocol=tls1.0
504 5fed3813f7f5
504 5fed3813f7f5
505
505
506 The per-host config option by itself works
506 The per-host config option by itself works
507
507
508 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
508 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
509 > --config hostsecurity.localhost:minimumprotocol=tls1.2
509 > --config hostsecurity.localhost:minimumprotocol=tls1.2
510 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
510 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
511 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
511 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
512 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
512 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
513 abort: error: *unsupported protocol* (glob)
513 abort: error: *unsupported protocol* (glob)
514 [255]
514 [255]
515
515
516 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
516 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
517
517
518 $ cat >> copy-pull/.hg/hgrc << EOF
518 $ cat >> copy-pull/.hg/hgrc << EOF
519 > [hostsecurity]
519 > [hostsecurity]
520 > localhost:minimumprotocol=tls1.2
520 > localhost:minimumprotocol=tls1.2
521 > EOF
521 > EOF
522 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
522 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
523 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
523 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
524 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
524 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
525 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
525 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
526 abort: error: *unsupported protocol* (glob)
526 abort: error: *unsupported protocol* (glob)
527 [255]
527 [255]
528
528
529 $ killdaemons.py hg0.pid
529 $ killdaemons.py hg0.pid
530 $ killdaemons.py hg1.pid
530 $ killdaemons.py hg1.pid
531 $ killdaemons.py hg2.pid
531 $ killdaemons.py hg2.pid
532 #endif
532 #endif
533
533
534 Prepare for connecting through proxy
534 Prepare for connecting through proxy
535
535
536 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
536 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
537 $ cat hg0.pid >> $DAEMON_PIDS
537 $ cat hg0.pid >> $DAEMON_PIDS
538 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
538 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
539 $ cat hg2.pid >> $DAEMON_PIDS
539 $ cat hg2.pid >> $DAEMON_PIDS
540 tinyproxy.py doesn't fully detach, so killing it may result in extra output
540 tinyproxy.py doesn't fully detach, so killing it may result in extra output
541 from the shell. So don't kill it.
541 from the shell. So don't kill it.
542 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
542 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
543 $ while [ ! -f proxy.pid ]; do sleep 0; done
543 $ while [ ! -f proxy.pid ]; do sleep 0; done
544 $ cat proxy.pid >> $DAEMON_PIDS
544 $ cat proxy.pid >> $DAEMON_PIDS
545
545
546 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
546 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
547 $ echo "always=True" >> copy-pull/.hg/hgrc
547 $ echo "always=True" >> copy-pull/.hg/hgrc
548 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
548 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
549 $ echo "localhost =" >> copy-pull/.hg/hgrc
549 $ echo "localhost =" >> copy-pull/.hg/hgrc
550
550
551 Test unvalidated https through proxy
551 Test unvalidated https through proxy
552
552
553 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
553 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
554 pulling from https://localhost:$HGPORT/
554 pulling from https://localhost:$HGPORT/
555 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
555 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
556 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
556 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
557 searching for changes
557 searching for changes
558 no changes found
558 no changes found
559
559
560 Test https with cacert and fingerprint through proxy
560 Test https with cacert and fingerprint through proxy
561
561
562 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
562 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
563 > --config web.cacerts="$CERTSDIR/pub.pem"
563 > --config web.cacerts="$CERTSDIR/pub.pem"
564 pulling from https://localhost:$HGPORT/
564 pulling from https://localhost:$HGPORT/
565 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
565 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
566 searching for changes
566 searching for changes
567 no changes found
567 no changes found
568 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
568 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
569 pulling from https://*:$HGPORT/ (glob)
569 pulling from https://*:$HGPORT/ (glob)
570 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
570 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
571 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
571 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
572 searching for changes
572 searching for changes
573 no changes found
573 no changes found
574
574
575 Test https with cert problems through proxy
575 Test https with cert problems through proxy
576
576
577 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
577 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
578 > --config web.cacerts="$CERTSDIR/pub-other.pem"
578 > --config web.cacerts="$CERTSDIR/pub-other.pem"
579 pulling from https://localhost:$HGPORT/
579 pulling from https://localhost:$HGPORT/
580 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
580 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
581 abort: error: *certificate verify failed* (glob)
581 abort: error: *certificate verify failed* (glob)
582 [255]
582 [255]
583 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
583 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
584 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
584 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
585 pulling from https://localhost:$HGPORT2/
585 pulling from https://localhost:$HGPORT2/
586 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
586 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
587 abort: error: *certificate verify failed* (glob)
587 abort: error: *certificate verify failed* (glob)
588 [255]
588 [255]
589
589
590
590
591 $ killdaemons.py hg0.pid
591 $ killdaemons.py hg0.pid
592
592
593 #if sslcontext
593 #if sslcontext
594
594
595 $ cd test
595 $ cd test
596
596
597 Missing certificate file(s) are detected
597 Missing certificate file(s) are detected
598
598
599 $ hg serve -p $HGPORT --certificate=/missing/certificate \
599 $ hg serve -p $HGPORT --certificate=/missing/certificate \
600 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
600 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
601 abort: referenced certificate file (/missing/certificate) does not exist
601 abort: referenced certificate file (*/missing/certificate) does not exist (glob) (windows !)
602 abort: referenced certificate file (/missing/certificate) does not exist (no-windows !)
602 [255]
603 [255]
603
604
604 $ hg serve -p $HGPORT --certificate=$PRIV \
605 $ hg serve -p $HGPORT --certificate=$PRIV \
605 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
606 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
606 abort: referenced certificate file (/missing/cafile) does not exist
607 abort: referenced certificate file (*/missing/cafile) does not exist (glob) (windows !)
608 abort: referenced certificate file (/missing/cafile) does not exist (no-windows !)
607 [255]
609 [255]
608
610
609 Start hgweb that requires client certificates:
611 Start hgweb that requires client certificates:
610
612
611 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
613 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
612 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
614 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
613 $ cat ../hg0.pid >> $DAEMON_PIDS
615 $ cat ../hg0.pid >> $DAEMON_PIDS
614 $ cd ..
616 $ cd ..
615
617
616 without client certificate:
618 without client certificate:
617
619
618 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
620 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
619 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
621 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
620 abort: error: *handshake failure* (glob)
622 abort: error: *handshake failure* (glob)
621 [255]
623 [255]
622
624
623 with client certificate:
625 with client certificate:
624
626
625 $ cat << EOT >> $HGRCPATH
627 $ cat << EOT >> $HGRCPATH
626 > [auth]
628 > [auth]
627 > l.prefix = localhost
629 > l.prefix = localhost
628 > l.cert = $CERTSDIR/client-cert.pem
630 > l.cert = $CERTSDIR/client-cert.pem
629 > l.key = $CERTSDIR/client-key.pem
631 > l.key = $CERTSDIR/client-key.pem
630 > EOT
632 > EOT
631
633
632 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
634 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
633 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
635 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
634 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
636 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
635 5fed3813f7f5
637 5fed3813f7f5
636
638
637 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
639 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
638 > --config ui.interactive=True --config ui.nontty=True
640 > --config ui.interactive=True --config ui.nontty=True
639 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
640 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
642 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
641
643
642 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
644 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
643 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
645 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
644 abort: error: * (glob)
646 abort: error: * (glob)
645 [255]
647 [255]
646
648
647 Missing certficate and key files result in error
649 Missing certficate and key files result in error
648
650
649 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
651 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
650 abort: certificate file (/missing/cert) does not exist; cannot connect to localhost
652 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob) (windows !)
653 abort: certificate file (/missing/cert) does not exist; cannot connect to localhost (no-windows !)
651 (restore missing file or fix references in Mercurial config)
654 (restore missing file or fix references in Mercurial config)
652 [255]
655 [255]
653
656
654 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
657 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
655 abort: certificate file (/missing/key) does not exist; cannot connect to localhost
658 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob) (windows !)
659 abort: certificate file (/missing/key) does not exist; cannot connect to localhost (no-windows !)
656 (restore missing file or fix references in Mercurial config)
660 (restore missing file or fix references in Mercurial config)
657 [255]
661 [255]
658
662
659 #endif
663 #endif