tests: work around libressl being different about error strings (issue6122)...
Augie Fackler -
r42542:e0ac310b default
@@ -1,681 +1,681 b''
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Disable the system configuration which may set stricter TLS requirements.
5 Disable the system configuration which may set stricter TLS requirements.
6 This test expects that legacy TLS versions are supported.
6 This test expects that legacy TLS versions are supported.
7
7
8 $ OPENSSL_CONF=
8 $ OPENSSL_CONF=
9 $ export OPENSSL_CONF
9 $ export OPENSSL_CONF
10
10
11 Make server certificates:
11 Make server certificates:
12
12
13 $ CERTSDIR="$TESTDIR/sslcerts"
13 $ CERTSDIR="$TESTDIR/sslcerts"
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
15 $ PRIV=`pwd`/server.pem
15 $ PRIV=`pwd`/server.pem
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
18
18
19 $ hg init test
19 $ hg init test
20 $ cd test
20 $ cd test
21 $ echo foo>foo
21 $ echo foo>foo
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
23 $ echo foo>foo.d/foo
23 $ echo foo>foo.d/foo
24 $ echo bar>foo.d/bAr.hg.d/BaR
24 $ echo bar>foo.d/bAr.hg.d/BaR
25 $ echo bar>foo.d/baR.d.hg/bAR
25 $ echo bar>foo.d/baR.d.hg/bAR
26 $ hg commit -A -m 1
26 $ hg commit -A -m 1
27 adding foo
27 adding foo
28 adding foo.d/bAr.hg.d/BaR
28 adding foo.d/bAr.hg.d/BaR
29 adding foo.d/baR.d.hg/bAR
29 adding foo.d/baR.d.hg/bAR
30 adding foo.d/foo
30 adding foo.d/foo
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
32 $ cat ../hg0.pid >> $DAEMON_PIDS
32 $ cat ../hg0.pid >> $DAEMON_PIDS
33
33
34 cacert not found
34 cacert not found
35
35
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
38 abort: could not find web.cacerts: no-such.pem
38 abort: could not find web.cacerts: no-such.pem
39 [255]
39 [255]
40
40
41 Test server address cannot be reused
41 Test server address cannot be reused
42
42
43 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
44 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
44 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
45 [255]
45 [255]
46
46
47 $ cd ..
47 $ cd ..
48
48
49 Our test cert is not signed by a trusted CA. It should fail to verify if
49 Our test cert is not signed by a trusted CA. It should fail to verify if
50 we are able to load CA certs.
50 we are able to load CA certs.
51
51
52 #if sslcontext defaultcacerts no-defaultcacertsloaded
52 #if sslcontext defaultcacerts no-defaultcacertsloaded
53 $ hg clone https://localhost:$HGPORT/ copy-pull
53 $ hg clone https://localhost:$HGPORT/ copy-pull
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
55 abort: error: *certificate verify failed* (glob)
55 abort: error: *certificate verify failed* (glob)
56 [255]
56 [255]
57 #endif
57 #endif
58
58
59 #if no-sslcontext defaultcacerts
59 #if no-sslcontext defaultcacerts
60 $ hg clone https://localhost:$HGPORT/ copy-pull
60 $ hg clone https://localhost:$HGPORT/ copy-pull
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
63 abort: error: *certificate verify failed* (glob)
63 abort: error: *certificate verify failed* (glob)
64 [255]
64 [255]
65 #endif
65 #endif
66
66
67 #if no-sslcontext windows
67 #if no-sslcontext windows
68 $ hg clone https://localhost:$HGPORT/ copy-pull
68 $ hg clone https://localhost:$HGPORT/ copy-pull
69 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
69 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
70 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
70 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
71 abort: error: *certificate verify failed* (glob)
71 abort: error: *certificate verify failed* (glob)
72 [255]
72 [255]
73 #endif
73 #endif
74
74
75 #if no-sslcontext osx
75 #if no-sslcontext osx
76 $ hg clone https://localhost:$HGPORT/ copy-pull
76 $ hg clone https://localhost:$HGPORT/ copy-pull
77 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
77 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
78 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
78 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
79 abort: localhost certificate error: no certificate received
79 abort: localhost certificate error: no certificate received
80 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
80 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
81 [255]
81 [255]
82 #endif
82 #endif
83
83
84 #if defaultcacertsloaded
84 #if defaultcacertsloaded
85 $ hg clone https://localhost:$HGPORT/ copy-pull
85 $ hg clone https://localhost:$HGPORT/ copy-pull
86 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
86 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
87 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
87 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
88 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
88 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
89 abort: error: *certificate verify failed* (glob)
89 abort: error: *certificate verify failed* (glob)
90 [255]
90 [255]
91 #endif
91 #endif
92
92
93 #if no-defaultcacerts
93 #if no-defaultcacerts
94 $ hg clone https://localhost:$HGPORT/ copy-pull
94 $ hg clone https://localhost:$HGPORT/ copy-pull
95 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
95 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
96 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
96 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
97 abort: localhost certificate error: no certificate received
97 abort: localhost certificate error: no certificate received
98 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
98 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
99 [255]
99 [255]
100 #endif
100 #endif
101
101
102 Specifying a per-host certificate file that doesn't exist will abort. The full
102 Specifying a per-host certificate file that doesn't exist will abort. The full
103 C:/path/to/msysroot will print on Windows.
103 C:/path/to/msysroot will print on Windows.
104
104
105 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
105 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
106 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
106 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
107 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
107 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
108 [255]
108 [255]
109
109
110 A malformed per-host certificate file will raise an error
110 A malformed per-host certificate file will raise an error
111
111
112 $ echo baddata > badca.pem
112 $ echo baddata > badca.pem
113 #if sslcontext
113 #if sslcontext
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
116 abort: error loading CA file badca.pem: * (glob)
116 abort: error loading CA file badca.pem: * (glob)
117 (file is empty or malformed?)
117 (file is empty or malformed?)
118 [255]
118 [255]
119 #else
119 #else
120 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
120 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
121 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
121 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
122 abort: error: * (glob)
122 abort: error: * (glob)
123 [255]
123 [255]
124 #endif
124 #endif
125
125
126 A per-host certificate mismatching the server will fail verification
126 A per-host certificate mismatching the server will fail verification
127
127
128 (modern ssl is able to discern whether the loaded cert is a CA cert)
128 (modern ssl is able to discern whether the loaded cert is a CA cert)
129 #if sslcontext
129 #if sslcontext
130 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
130 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
131 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
131 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
132 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
132 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
133 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
133 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
134 abort: error: *certificate verify failed* (glob)
134 abort: error: *certificate verify failed* (glob)
135 [255]
135 [255]
136 #else
136 #else
137 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
137 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
138 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
138 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
139 abort: error: *certificate verify failed* (glob)
139 abort: error: *certificate verify failed* (glob)
140 [255]
140 [255]
141 #endif
141 #endif
142
142
143 A per-host certificate matching the server's cert will be accepted
143 A per-host certificate matching the server's cert will be accepted
144
144
145 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
145 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
146 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
146 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
147 requesting all changes
147 requesting all changes
148 adding changesets
148 adding changesets
149 adding manifests
149 adding manifests
150 adding file changes
150 adding file changes
151 added 1 changesets with 4 changes to 4 files
151 added 1 changesets with 4 changes to 4 files
152 new changesets 8b6053c928fe
152 new changesets 8b6053c928fe
153
153
154 A per-host certificate with multiple certs and one matching will be accepted
154 A per-host certificate with multiple certs and one matching will be accepted
155
155
156 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
156 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
157 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
157 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
158 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
158 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
159 requesting all changes
159 requesting all changes
160 adding changesets
160 adding changesets
161 adding manifests
161 adding manifests
162 adding file changes
162 adding file changes
163 added 1 changesets with 4 changes to 4 files
163 added 1 changesets with 4 changes to 4 files
164 new changesets 8b6053c928fe
164 new changesets 8b6053c928fe
165
165
166 Defining both per-host certificate and a fingerprint will print a warning
166 Defining both per-host certificate and a fingerprint will print a warning
167
167
168 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
168 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
169 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
169 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
170 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
170 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
171 requesting all changes
171 requesting all changes
172 adding changesets
172 adding changesets
173 adding manifests
173 adding manifests
174 adding file changes
174 adding file changes
175 added 1 changesets with 4 changes to 4 files
175 added 1 changesets with 4 changes to 4 files
176 new changesets 8b6053c928fe
176 new changesets 8b6053c928fe
177
177
178 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
178 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
179
179
180 Inability to verify peer certificate will result in abort
180 Inability to verify peer certificate will result in abort
181
181
182 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
182 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
184 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
184 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
185 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
185 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
186 [255]
186 [255]
187
187
188 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
188 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
189 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
189 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
190 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
190 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
191 requesting all changes
191 requesting all changes
192 adding changesets
192 adding changesets
193 adding manifests
193 adding manifests
194 adding file changes
194 adding file changes
195 added 1 changesets with 4 changes to 4 files
195 added 1 changesets with 4 changes to 4 files
196 new changesets 8b6053c928fe
196 new changesets 8b6053c928fe
197 updating to branch default
197 updating to branch default
198 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
198 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
199 $ hg verify -R copy-pull
199 $ hg verify -R copy-pull
200 checking changesets
200 checking changesets
201 checking manifests
201 checking manifests
202 crosschecking files in changesets and manifests
202 crosschecking files in changesets and manifests
203 checking files
203 checking files
204 checked 1 changesets with 4 changes to 4 files
204 checked 1 changesets with 4 changes to 4 files
205 $ cd test
205 $ cd test
206 $ echo bar > bar
206 $ echo bar > bar
207 $ hg commit -A -d '1 0' -m 2
207 $ hg commit -A -d '1 0' -m 2
208 adding bar
208 adding bar
209 $ cd ..
209 $ cd ..
210
210
211 pull without cacert
211 pull without cacert
212
212
213 $ cd copy-pull
213 $ cd copy-pull
214 $ cat >> .hg/hgrc <<EOF
214 $ cat >> .hg/hgrc <<EOF
215 > [hooks]
215 > [hooks]
216 > changegroup = sh -c "printenv.py --line changegroup"
216 > changegroup = sh -c "printenv.py --line changegroup"
217 > EOF
217 > EOF
218 $ hg pull $DISABLECACERTS
218 $ hg pull $DISABLECACERTS
219 pulling from https://localhost:$HGPORT/
219 pulling from https://localhost:$HGPORT/
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
221 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
221 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
222 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
222 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
223 [255]
223 [255]
224
224
225 $ hg pull --insecure
225 $ hg pull --insecure
226 pulling from https://localhost:$HGPORT/
226 pulling from https://localhost:$HGPORT/
227 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
227 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
228 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
228 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
229 searching for changes
229 searching for changes
230 adding changesets
230 adding changesets
231 adding manifests
231 adding manifests
232 adding file changes
232 adding file changes
233 added 1 changesets with 1 changes to 1 files
233 added 1 changesets with 1 changes to 1 files
234 new changesets 5fed3813f7f5
234 new changesets 5fed3813f7f5
235 changegroup hook: HG_HOOKNAME=changegroup
235 changegroup hook: HG_HOOKNAME=changegroup
236 HG_HOOKTYPE=changegroup
236 HG_HOOKTYPE=changegroup
237 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
237 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
238 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
238 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
239 HG_SOURCE=pull
239 HG_SOURCE=pull
240 HG_TXNID=TXN:$ID$
240 HG_TXNID=TXN:$ID$
241 HG_TXNNAME=pull
241 HG_TXNNAME=pull
242 https://localhost:$HGPORT/
242 https://localhost:$HGPORT/
243 HG_URL=https://localhost:$HGPORT/
243 HG_URL=https://localhost:$HGPORT/
244
244
245 (run 'hg update' to get a working copy)
245 (run 'hg update' to get a working copy)
246 $ cd ..
246 $ cd ..
247
247
248 cacert configured in local repo
248 cacert configured in local repo
249
249
250 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
250 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
251 $ echo "[web]" >> copy-pull/.hg/hgrc
251 $ echo "[web]" >> copy-pull/.hg/hgrc
252 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
252 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
253 $ hg -R copy-pull pull
253 $ hg -R copy-pull pull
254 pulling from https://localhost:$HGPORT/
254 pulling from https://localhost:$HGPORT/
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
256 searching for changes
256 searching for changes
257 no changes found
257 no changes found
258 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
258 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
259
259
260 cacert configured globally, also testing expansion of environment
260 cacert configured globally, also testing expansion of environment
261 variables in the filename
261 variables in the filename
262
262
263 $ echo "[web]" >> $HGRCPATH
263 $ echo "[web]" >> $HGRCPATH
264 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
264 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
265 $ P="$CERTSDIR" hg -R copy-pull pull
265 $ P="$CERTSDIR" hg -R copy-pull pull
266 pulling from https://localhost:$HGPORT/
266 pulling from https://localhost:$HGPORT/
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
268 searching for changes
268 searching for changes
269 no changes found
269 no changes found
270 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
270 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
271 pulling from https://localhost:$HGPORT/
271 pulling from https://localhost:$HGPORT/
272 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
272 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
273 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
273 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
274 searching for changes
274 searching for changes
275 no changes found
275 no changes found
276
276
277 empty cacert file
277 empty cacert file
278
278
279 $ touch emptycafile
279 $ touch emptycafile
280
280
281 #if sslcontext
281 #if sslcontext
282 $ hg --config web.cacerts=emptycafile -R copy-pull pull
282 $ hg --config web.cacerts=emptycafile -R copy-pull pull
283 pulling from https://localhost:$HGPORT/
283 pulling from https://localhost:$HGPORT/
284 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
284 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
285 abort: error loading CA file emptycafile: * (glob)
285 abort: error loading CA file emptycafile: * (glob)
286 (file is empty or malformed?)
286 (file is empty or malformed?)
287 [255]
287 [255]
288 #else
288 #else
289 $ hg --config web.cacerts=emptycafile -R copy-pull pull
289 $ hg --config web.cacerts=emptycafile -R copy-pull pull
290 pulling from https://localhost:$HGPORT/
290 pulling from https://localhost:$HGPORT/
291 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
291 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
292 abort: error: * (glob)
292 abort: error: * (glob)
293 [255]
293 [255]
294 #endif
294 #endif
295
295
296 cacert mismatch
296 cacert mismatch
297
297
298 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
298 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
299 > https://$LOCALIP:$HGPORT/
299 > https://$LOCALIP:$HGPORT/
300 pulling from https://*:$HGPORT/ (glob)
300 pulling from https://*:$HGPORT/ (glob)
301 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
301 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
302 abort: $LOCALIP certificate error: certificate is for localhost (glob)
302 abort: $LOCALIP certificate error: certificate is for localhost (glob)
303 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
303 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
304 [255]
304 [255]
305 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
305 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
306 > https://$LOCALIP:$HGPORT/ --insecure
306 > https://$LOCALIP:$HGPORT/ --insecure
307 pulling from https://*:$HGPORT/ (glob)
307 pulling from https://*:$HGPORT/ (glob)
308 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
308 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
309 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
309 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
310 searching for changes
310 searching for changes
311 no changes found
311 no changes found
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
313 pulling from https://localhost:$HGPORT/
313 pulling from https://localhost:$HGPORT/
314 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
314 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
315 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
315 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
316 abort: error: *certificate verify failed* (glob)
316 abort: error: *certificate verify failed* (glob)
317 [255]
317 [255]
318 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
318 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
319 > --insecure
319 > --insecure
320 pulling from https://localhost:$HGPORT/
320 pulling from https://localhost:$HGPORT/
321 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
321 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
322 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
322 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
323 searching for changes
323 searching for changes
324 no changes found
324 no changes found
325
325
326 Test server cert which isn't valid yet
326 Test server cert which isn't valid yet
327
327
328 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
328 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
329 $ cat hg1.pid >> $DAEMON_PIDS
329 $ cat hg1.pid >> $DAEMON_PIDS
330 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
330 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
331 > https://localhost:$HGPORT1/
331 > https://localhost:$HGPORT1/
332 pulling from https://localhost:$HGPORT1/
332 pulling from https://localhost:$HGPORT1/
333 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
333 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
334 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
334 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
335 abort: error: *certificate verify failed* (glob)
335 abort: error: *certificate verify failed* (glob)
336 [255]
336 [255]
337
337
338 Test server cert which no longer is valid
338 Test server cert which no longer is valid
339
339
340 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
340 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
341 $ cat hg2.pid >> $DAEMON_PIDS
341 $ cat hg2.pid >> $DAEMON_PIDS
342 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
342 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
343 > https://localhost:$HGPORT2/
343 > https://localhost:$HGPORT2/
344 pulling from https://localhost:$HGPORT2/
344 pulling from https://localhost:$HGPORT2/
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
346 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
346 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
347 abort: error: *certificate verify failed* (glob)
347 abort: error: *certificate verify failed* (glob)
348 [255]
348 [255]
349
349
350 Disabling the TLS 1.0 warning works
350 Disabling the TLS 1.0 warning works
351 $ hg -R copy-pull id https://localhost:$HGPORT/ \
351 $ hg -R copy-pull id https://localhost:$HGPORT/ \
352 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
352 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
353 > --config hostsecurity.disabletls10warning=true
353 > --config hostsecurity.disabletls10warning=true
354 5fed3813f7f5
354 5fed3813f7f5
355
355
356 Error message for setting ciphers is different depending on SSLContext support
356 Error message for setting ciphers is different depending on SSLContext support
357
357
358 #if no-sslcontext
358 #if no-sslcontext
359 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
359 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
360 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
360 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
361 abort: *No cipher can be selected. (glob)
361 abort: *No cipher can be selected. (glob)
362 [255]
362 [255]
363
363
364 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
364 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
365 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
365 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
366 5fed3813f7f5
366 5fed3813f7f5
367 #endif
367 #endif
368
368
369 #if sslcontext
369 #if sslcontext
370 Setting ciphers to an invalid value aborts
370 Setting ciphers to an invalid value aborts
371 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
371 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
372 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
372 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
373 abort: could not set ciphers: No cipher can be selected.
373 abort: could not set ciphers: No cipher can be selected.
374 (change cipher string (invalid) in config)
374 (change cipher string (invalid) in config)
375 [255]
375 [255]
376
376
377 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
377 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
378 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
378 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
379 abort: could not set ciphers: No cipher can be selected.
379 abort: could not set ciphers: No cipher can be selected.
380 (change cipher string (invalid) in config)
380 (change cipher string (invalid) in config)
381 [255]
381 [255]
382
382
383 Changing the cipher string works
383 Changing the cipher string works
384
384
385 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
385 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
386 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
387 5fed3813f7f5
387 5fed3813f7f5
388 #endif
388 #endif
389
389
390 Fingerprints
390 Fingerprints
391
391
392 - works without cacerts (hostfingerprints)
392 - works without cacerts (hostfingerprints)
393 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
393 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
395 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
395 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
396 5fed3813f7f5
396 5fed3813f7f5
397
397
398 - works without cacerts (hostsecurity)
398 - works without cacerts (hostsecurity)
399 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
399 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
401 5fed3813f7f5
401 5fed3813f7f5
402
402
403 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
403 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
405 5fed3813f7f5
405 5fed3813f7f5
406
406
407 - multiple fingerprints specified and first matches
407 - multiple fingerprints specified and first matches
408 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
408 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
409 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
409 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
410 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
411 5fed3813f7f5
411 5fed3813f7f5
412
412
413 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
413 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
414 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
414 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
415 5fed3813f7f5
415 5fed3813f7f5
416
416
417 - multiple fingerprints specified and last matches
417 - multiple fingerprints specified and last matches
418 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
418 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
419 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
419 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
420 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
420 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
421 5fed3813f7f5
421 5fed3813f7f5
422
422
423 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
423 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
424 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
424 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
425 5fed3813f7f5
425 5fed3813f7f5
426
426
427 - multiple fingerprints specified and none match
427 - multiple fingerprints specified and none match
428
428
429 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
429 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
430 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
430 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
431 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
431 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
432 (check hostfingerprint configuration)
432 (check hostfingerprint configuration)
433 [255]
433 [255]
434
434
435 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
435 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
436 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
436 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
437 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
437 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
438 (check hostsecurity configuration)
438 (check hostsecurity configuration)
439 [255]
439 [255]
440
440
441 - fails when cert doesn't match hostname (port is ignored)
441 - fails when cert doesn't match hostname (port is ignored)
442 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
442 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
443 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
443 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
444 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
444 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
445 (check hostfingerprint configuration)
445 (check hostfingerprint configuration)
446 [255]
446 [255]
447
447
448
448
449 - ignores that certificate doesn't match hostname
449 - ignores that certificate doesn't match hostname
450 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
450 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
451 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
451 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
452 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
452 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
453 5fed3813f7f5
453 5fed3813f7f5
454
454
455 Ports used by next test. Kill servers.
455 Ports used by next test. Kill servers.
456
456
457 $ killdaemons.py hg0.pid
457 $ killdaemons.py hg0.pid
458 $ killdaemons.py hg1.pid
458 $ killdaemons.py hg1.pid
459 $ killdaemons.py hg2.pid
459 $ killdaemons.py hg2.pid
460
460
461 #if sslcontext tls1.2
461 #if sslcontext tls1.2
462 Start servers running supported TLS versions
462 Start servers running supported TLS versions
463
463
464 $ cd test
464 $ cd test
465 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
465 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
466 > --config devel.serverexactprotocol=tls1.0
466 > --config devel.serverexactprotocol=tls1.0
467 $ cat ../hg0.pid >> $DAEMON_PIDS
467 $ cat ../hg0.pid >> $DAEMON_PIDS
468 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
468 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
469 > --config devel.serverexactprotocol=tls1.1
469 > --config devel.serverexactprotocol=tls1.1
470 $ cat ../hg1.pid >> $DAEMON_PIDS
470 $ cat ../hg1.pid >> $DAEMON_PIDS
471 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
471 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
472 > --config devel.serverexactprotocol=tls1.2
472 > --config devel.serverexactprotocol=tls1.2
473 $ cat ../hg2.pid >> $DAEMON_PIDS
473 $ cat ../hg2.pid >> $DAEMON_PIDS
474 $ cd ..
474 $ cd ..
475
475
476 Clients talking same TLS versions work
476 Clients talking same TLS versions work
477
477
478 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
478 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
479 5fed3813f7f5
479 5fed3813f7f5
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
481 5fed3813f7f5
481 5fed3813f7f5
482 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
482 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
483 5fed3813f7f5
483 5fed3813f7f5
484
484
485 Clients requiring newer TLS version than what server supports fail
485 Clients requiring newer TLS version than what server supports fail
486
486
487 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
487 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
488 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
488 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
489 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
489 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
490 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
490 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
491 abort: error: *unsupported protocol* (glob)
491 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
492 [255]
492 [255]
493
493
494 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
494 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
495 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
495 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
496 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
496 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
497 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
497 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
498 abort: error: *unsupported protocol* (glob)
498 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
499 [255]
499 [255]
500 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
500 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
501 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
501 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
502 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
502 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
503 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
503 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
504 abort: error: *unsupported protocol* (glob)
504 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
505 [255]
505 [255]
506 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
506 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
507 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
507 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
508 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
508 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
509 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
509 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
510 abort: error: *unsupported protocol* (glob)
510 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
511 [255]
511 [255]
512
512
513 --insecure will allow TLS 1.0 connections and override configs
513 --insecure will allow TLS 1.0 connections and override configs
514
514
515 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
515 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
516 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
516 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
517 5fed3813f7f5
517 5fed3813f7f5
518
518
519 The per-host config option overrides the default
519 The per-host config option overrides the default
520
520
521 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
521 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
522 > --config hostsecurity.minimumprotocol=tls1.2 \
522 > --config hostsecurity.minimumprotocol=tls1.2 \
523 > --config hostsecurity.localhost:minimumprotocol=tls1.0
523 > --config hostsecurity.localhost:minimumprotocol=tls1.0
524 5fed3813f7f5
524 5fed3813f7f5
525
525
526 The per-host config option by itself works
526 The per-host config option by itself works
527
527
528 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
528 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
529 > --config hostsecurity.localhost:minimumprotocol=tls1.2
529 > --config hostsecurity.localhost:minimumprotocol=tls1.2
530 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
530 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
531 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
531 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
532 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
532 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
533 abort: error: *unsupported protocol* (glob)
533 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
534 [255]
534 [255]
535
535
536 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
536 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
537
537
538 $ cat >> copy-pull/.hg/hgrc << EOF
538 $ cat >> copy-pull/.hg/hgrc << EOF
539 > [hostsecurity]
539 > [hostsecurity]
540 > localhost:minimumprotocol=tls1.2
540 > localhost:minimumprotocol=tls1.2
541 > EOF
541 > EOF
542 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
542 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
543 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
543 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
544 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
544 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
545 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
545 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
546 abort: error: *unsupported protocol* (glob)
546 abort: error: .*(unsupported protocol|wrong ssl version).* (re)
547 [255]
547 [255]
548
548
549 $ killdaemons.py hg0.pid
549 $ killdaemons.py hg0.pid
550 $ killdaemons.py hg1.pid
550 $ killdaemons.py hg1.pid
551 $ killdaemons.py hg2.pid
551 $ killdaemons.py hg2.pid
552 #endif
552 #endif
553
553
554 Prepare for connecting through proxy
554 Prepare for connecting through proxy
555
555
556 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
556 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
557 $ cat hg0.pid >> $DAEMON_PIDS
557 $ cat hg0.pid >> $DAEMON_PIDS
558 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
558 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
559 $ cat hg2.pid >> $DAEMON_PIDS
559 $ cat hg2.pid >> $DAEMON_PIDS
560 tinyproxy.py doesn't fully detach, so killing it may result in extra output
560 tinyproxy.py doesn't fully detach, so killing it may result in extra output
561 from the shell. So don't kill it.
561 from the shell. So don't kill it.
562 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
562 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
563 $ while [ ! -f proxy.pid ]; do sleep 0; done
563 $ while [ ! -f proxy.pid ]; do sleep 0; done
564 $ cat proxy.pid >> $DAEMON_PIDS
564 $ cat proxy.pid >> $DAEMON_PIDS
565
565
566 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
566 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
567 $ echo "always=True" >> copy-pull/.hg/hgrc
567 $ echo "always=True" >> copy-pull/.hg/hgrc
568 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
568 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
569 $ echo "localhost =" >> copy-pull/.hg/hgrc
569 $ echo "localhost =" >> copy-pull/.hg/hgrc
570
570
571 Test unvalidated https through proxy
571 Test unvalidated https through proxy
572
572
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
574 pulling from https://localhost:$HGPORT/
574 pulling from https://localhost:$HGPORT/
575 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
575 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
576 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
576 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
577 searching for changes
577 searching for changes
578 no changes found
578 no changes found
579
579
580 Test https with cacert and fingerprint through proxy
580 Test https with cacert and fingerprint through proxy
581
581
582 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
582 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
583 > --config web.cacerts="$CERTSDIR/pub.pem"
583 > --config web.cacerts="$CERTSDIR/pub.pem"
584 pulling from https://localhost:$HGPORT/
584 pulling from https://localhost:$HGPORT/
585 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
585 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
586 searching for changes
586 searching for changes
587 no changes found
587 no changes found
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
589 pulling from https://*:$HGPORT/ (glob)
589 pulling from https://*:$HGPORT/ (glob)
590 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
590 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
591 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
591 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
592 searching for changes
592 searching for changes
593 no changes found
593 no changes found
594
594
595 Test https with cert problems through proxy
595 Test https with cert problems through proxy
596
596
597 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
597 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
598 > --config web.cacerts="$CERTSDIR/pub-other.pem"
598 > --config web.cacerts="$CERTSDIR/pub-other.pem"
599 pulling from https://localhost:$HGPORT/
599 pulling from https://localhost:$HGPORT/
600 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
600 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
601 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
601 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
602 abort: error: *certificate verify failed* (glob)
602 abort: error: *certificate verify failed* (glob)
603 [255]
603 [255]
604 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
604 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
605 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
605 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
606 pulling from https://localhost:$HGPORT2/
606 pulling from https://localhost:$HGPORT2/
607 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
607 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
608 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
608 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
609 abort: error: *certificate verify failed* (glob)
609 abort: error: *certificate verify failed* (glob)
610 [255]
610 [255]
611
611
612
612
613 $ killdaemons.py hg0.pid
613 $ killdaemons.py hg0.pid
614
614
615 #if sslcontext
615 #if sslcontext
616
616
617 $ cd test
617 $ cd test
618
618
619 Missing certificate file(s) are detected
619 Missing certificate file(s) are detected
620
620
621 $ hg serve -p $HGPORT --certificate=/missing/certificate \
621 $ hg serve -p $HGPORT --certificate=/missing/certificate \
622 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
622 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
623 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
623 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
624 [255]
624 [255]
625
625
626 $ hg serve -p $HGPORT --certificate=$PRIV \
626 $ hg serve -p $HGPORT --certificate=$PRIV \
627 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
627 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
628 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
628 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
629 [255]
629 [255]
630
630
631 Start hgweb that requires client certificates:
631 Start hgweb that requires client certificates:
632
632
633 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
633 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
634 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
634 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
635 $ cat ../hg0.pid >> $DAEMON_PIDS
635 $ cat ../hg0.pid >> $DAEMON_PIDS
636 $ cd ..
636 $ cd ..
637
637
638 without client certificate:
638 without client certificate:
639
639
640 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
640 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
642 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
642 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
643 [255]
643 [255]
644
644
645 with client certificate:
645 with client certificate:
646
646
647 $ cat << EOT >> $HGRCPATH
647 $ cat << EOT >> $HGRCPATH
648 > [auth]
648 > [auth]
649 > l.prefix = localhost
649 > l.prefix = localhost
650 > l.cert = $CERTSDIR/client-cert.pem
650 > l.cert = $CERTSDIR/client-cert.pem
651 > l.key = $CERTSDIR/client-key.pem
651 > l.key = $CERTSDIR/client-key.pem
652 > EOT
652 > EOT
653
653
654 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
654 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
655 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
655 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
656 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
656 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
657 5fed3813f7f5
657 5fed3813f7f5
658
658
659 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
659 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
660 > --config ui.interactive=True --config ui.nontty=True
660 > --config ui.interactive=True --config ui.nontty=True
661 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
661 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
662 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
662 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
663
663
664 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
664 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
665 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
665 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
666 abort: error: * (glob)
666 abort: error: * (glob)
667 [255]
667 [255]
668
668
669 Missing certficate and key files result in error
669 Missing certficate and key files result in error
670
670
671 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
671 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
672 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
672 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
673 (restore missing file or fix references in Mercurial config)
673 (restore missing file or fix references in Mercurial config)
674 [255]
674 [255]
675
675
676 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
676 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
677 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
677 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
678 (restore missing file or fix references in Mercurial config)
678 (restore missing file or fix references in Mercurial config)
679 [255]
679 [255]
680
680
681 #endif
681 #endif