test: use `printenv.py --line` in `test-https.t`...
Boris Feld -
r41790:e857dbb0 default
@@ -1,666 +1,673 b''
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Make server certificates:
5 Make server certificates:
6
6
7 $ CERTSDIR="$TESTDIR/sslcerts"
7 $ CERTSDIR="$TESTDIR/sslcerts"
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
9 $ PRIV=`pwd`/server.pem
9 $ PRIV=`pwd`/server.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
12
12
13 $ hg init test
13 $ hg init test
14 $ cd test
14 $ cd test
15 $ echo foo>foo
15 $ echo foo>foo
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
17 $ echo foo>foo.d/foo
17 $ echo foo>foo.d/foo
18 $ echo bar>foo.d/bAr.hg.d/BaR
18 $ echo bar>foo.d/bAr.hg.d/BaR
19 $ echo bar>foo.d/baR.d.hg/bAR
19 $ echo bar>foo.d/baR.d.hg/bAR
20 $ hg commit -A -m 1
20 $ hg commit -A -m 1
21 adding foo
21 adding foo
22 adding foo.d/bAr.hg.d/BaR
22 adding foo.d/bAr.hg.d/BaR
23 adding foo.d/baR.d.hg/bAR
23 adding foo.d/baR.d.hg/bAR
24 adding foo.d/foo
24 adding foo.d/foo
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
26 $ cat ../hg0.pid >> $DAEMON_PIDS
26 $ cat ../hg0.pid >> $DAEMON_PIDS
27
27
28 cacert not found
28 cacert not found
29
29
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32 abort: could not find web.cacerts: no-such.pem
32 abort: could not find web.cacerts: no-such.pem
33 [255]
33 [255]
34
34
35 Test server address cannot be reused
35 Test server address cannot be reused
36
36
37 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
37 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
38 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
38 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
39 [255]
39 [255]
40
40
41 $ cd ..
41 $ cd ..
42
42
43 Our test cert is not signed by a trusted CA. It should fail to verify if
43 Our test cert is not signed by a trusted CA. It should fail to verify if
44 we are able to load CA certs.
44 we are able to load CA certs.
45
45
46 #if sslcontext defaultcacerts no-defaultcacertsloaded
46 #if sslcontext defaultcacerts no-defaultcacertsloaded
47 $ hg clone https://localhost:$HGPORT/ copy-pull
47 $ hg clone https://localhost:$HGPORT/ copy-pull
48 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
48 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
49 abort: error: *certificate verify failed* (glob)
49 abort: error: *certificate verify failed* (glob)
50 [255]
50 [255]
51 #endif
51 #endif
52
52
53 #if no-sslcontext defaultcacerts
53 #if no-sslcontext defaultcacerts
54 $ hg clone https://localhost:$HGPORT/ copy-pull
54 $ hg clone https://localhost:$HGPORT/ copy-pull
55 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
55 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
56 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
56 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
57 abort: error: *certificate verify failed* (glob)
57 abort: error: *certificate verify failed* (glob)
58 [255]
58 [255]
59 #endif
59 #endif
60
60
61 #if no-sslcontext windows
61 #if no-sslcontext windows
62 $ hg clone https://localhost:$HGPORT/ copy-pull
62 $ hg clone https://localhost:$HGPORT/ copy-pull
63 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
63 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
64 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
64 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
65 abort: error: *certificate verify failed* (glob)
65 abort: error: *certificate verify failed* (glob)
66 [255]
66 [255]
67 #endif
67 #endif
68
68
69 #if no-sslcontext osx
69 #if no-sslcontext osx
70 $ hg clone https://localhost:$HGPORT/ copy-pull
70 $ hg clone https://localhost:$HGPORT/ copy-pull
71 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
71 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
72 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
72 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
73 abort: localhost certificate error: no certificate received
73 abort: localhost certificate error: no certificate received
74 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
74 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
75 [255]
75 [255]
76 #endif
76 #endif
77
77
78 #if defaultcacertsloaded
78 #if defaultcacertsloaded
79 $ hg clone https://localhost:$HGPORT/ copy-pull
79 $ hg clone https://localhost:$HGPORT/ copy-pull
80 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
80 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
81 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
81 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
82 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
82 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
83 abort: error: *certificate verify failed* (glob)
83 abort: error: *certificate verify failed* (glob)
84 [255]
84 [255]
85 #endif
85 #endif
86
86
87 #if no-defaultcacerts
87 #if no-defaultcacerts
88 $ hg clone https://localhost:$HGPORT/ copy-pull
88 $ hg clone https://localhost:$HGPORT/ copy-pull
89 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
89 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
90 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
90 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
91 abort: localhost certificate error: no certificate received
91 abort: localhost certificate error: no certificate received
92 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
92 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
93 [255]
93 [255]
94 #endif
94 #endif
95
95
96 Specifying a per-host certificate file that doesn't exist will abort. The full
96 Specifying a per-host certificate file that doesn't exist will abort. The full
97 C:/path/to/msysroot will print on Windows.
97 C:/path/to/msysroot will print on Windows.
98
98
99 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
99 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
100 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
100 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
101 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
101 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
102 [255]
102 [255]
103
103
104 A malformed per-host certificate file will raise an error
104 A malformed per-host certificate file will raise an error
105
105
106 $ echo baddata > badca.pem
106 $ echo baddata > badca.pem
107 #if sslcontext
107 #if sslcontext
108 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
108 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
109 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
109 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
110 abort: error loading CA file badca.pem: * (glob)
110 abort: error loading CA file badca.pem: * (glob)
111 (file is empty or malformed?)
111 (file is empty or malformed?)
112 [255]
112 [255]
113 #else
113 #else
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
116 abort: error: * (glob)
116 abort: error: * (glob)
117 [255]
117 [255]
118 #endif
118 #endif
119
119
120 A per-host certificate mismatching the server will fail verification
120 A per-host certificate mismatching the server will fail verification
121
121
122 (modern ssl is able to discern whether the loaded cert is a CA cert)
122 (modern ssl is able to discern whether the loaded cert is a CA cert)
123 #if sslcontext
123 #if sslcontext
124 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
124 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
125 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
125 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
126 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
126 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
127 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
127 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
128 abort: error: *certificate verify failed* (glob)
128 abort: error: *certificate verify failed* (glob)
129 [255]
129 [255]
130 #else
130 #else
131 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
131 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
132 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
132 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
133 abort: error: *certificate verify failed* (glob)
133 abort: error: *certificate verify failed* (glob)
134 [255]
134 [255]
135 #endif
135 #endif
136
136
137 A per-host certificate matching the server's cert will be accepted
137 A per-host certificate matching the server's cert will be accepted
138
138
139 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
139 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
140 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
140 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
141 requesting all changes
141 requesting all changes
142 adding changesets
142 adding changesets
143 adding manifests
143 adding manifests
144 adding file changes
144 adding file changes
145 added 1 changesets with 4 changes to 4 files
145 added 1 changesets with 4 changes to 4 files
146 new changesets 8b6053c928fe
146 new changesets 8b6053c928fe
147
147
148 A per-host certificate with multiple certs and one matching will be accepted
148 A per-host certificate with multiple certs and one matching will be accepted
149
149
150 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
150 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
151 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
151 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
152 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
152 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
153 requesting all changes
153 requesting all changes
154 adding changesets
154 adding changesets
155 adding manifests
155 adding manifests
156 adding file changes
156 adding file changes
157 added 1 changesets with 4 changes to 4 files
157 added 1 changesets with 4 changes to 4 files
158 new changesets 8b6053c928fe
158 new changesets 8b6053c928fe
159
159
160 Defining both per-host certificate and a fingerprint will print a warning
160 Defining both per-host certificate and a fingerprint will print a warning
161
161
162 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
162 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
163 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
163 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
164 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
164 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
165 requesting all changes
165 requesting all changes
166 adding changesets
166 adding changesets
167 adding manifests
167 adding manifests
168 adding file changes
168 adding file changes
169 added 1 changesets with 4 changes to 4 files
169 added 1 changesets with 4 changes to 4 files
170 new changesets 8b6053c928fe
170 new changesets 8b6053c928fe
171
171
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
173
173
174 Inability to verify peer certificate will result in abort
174 Inability to verify peer certificate will result in abort
175
175
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
180 [255]
180 [255]
181
181
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
185 requesting all changes
185 requesting all changes
186 adding changesets
186 adding changesets
187 adding manifests
187 adding manifests
188 adding file changes
188 adding file changes
189 added 1 changesets with 4 changes to 4 files
189 added 1 changesets with 4 changes to 4 files
190 new changesets 8b6053c928fe
190 new changesets 8b6053c928fe
191 updating to branch default
191 updating to branch default
192 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
192 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
193 $ hg verify -R copy-pull
193 $ hg verify -R copy-pull
194 checking changesets
194 checking changesets
195 checking manifests
195 checking manifests
196 crosschecking files in changesets and manifests
196 crosschecking files in changesets and manifests
197 checking files
197 checking files
198 checked 1 changesets with 4 changes to 4 files
198 checked 1 changesets with 4 changes to 4 files
199 $ cd test
199 $ cd test
200 $ echo bar > bar
200 $ echo bar > bar
201 $ hg commit -A -d '1 0' -m 2
201 $ hg commit -A -d '1 0' -m 2
202 adding bar
202 adding bar
203 $ cd ..
203 $ cd ..
204
204
205 pull without cacert
205 pull without cacert
206
206
207 $ cd copy-pull
207 $ cd copy-pull
208 $ cat >> .hg/hgrc <<EOF
208 $ cat >> .hg/hgrc <<EOF
209 > [hooks]
209 > [hooks]
210 > changegroup = sh -c "printenv.py changegroup"
210 > changegroup = sh -c "printenv.py --line changegroup"
211 > EOF
211 > EOF
212 $ hg pull $DISABLECACERTS
212 $ hg pull $DISABLECACERTS
213 pulling from https://localhost:$HGPORT/
213 pulling from https://localhost:$HGPORT/
214 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
214 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
215 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
215 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
216 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
216 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
217 [255]
217 [255]
218
218
219 $ hg pull --insecure
219 $ hg pull --insecure
220 pulling from https://localhost:$HGPORT/
220 pulling from https://localhost:$HGPORT/
221 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
221 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
222 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
222 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
223 searching for changes
223 searching for changes
224 adding changesets
224 adding changesets
225 adding manifests
225 adding manifests
226 adding file changes
226 adding file changes
227 added 1 changesets with 1 changes to 1 files
227 added 1 changesets with 1 changes to 1 files
228 new changesets 5fed3813f7f5
228 new changesets 5fed3813f7f5
229 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
229 changegroup hook: HG_HOOKNAME=changegroup
230 HG_HOOKTYPE=changegroup
231 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
232 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
233 HG_SOURCE=pull
234 HG_TXNID=TXN:$ID$
235 HG_URL=https://localhost:$HGPORT/
236
230 (run 'hg update' to get a working copy)
237 (run 'hg update' to get a working copy)
231 $ cd ..
238 $ cd ..
232
239
233 cacert configured in local repo
240 cacert configured in local repo
234
241
235 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
242 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
236 $ echo "[web]" >> copy-pull/.hg/hgrc
243 $ echo "[web]" >> copy-pull/.hg/hgrc
237 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
244 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
238 $ hg -R copy-pull pull
245 $ hg -R copy-pull pull
239 pulling from https://localhost:$HGPORT/
246 pulling from https://localhost:$HGPORT/
240 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
247 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
241 searching for changes
248 searching for changes
242 no changes found
249 no changes found
243 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
250 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
244
251
245 cacert configured globally, also testing expansion of environment
252 cacert configured globally, also testing expansion of environment
246 variables in the filename
253 variables in the filename
247
254
248 $ echo "[web]" >> $HGRCPATH
255 $ echo "[web]" >> $HGRCPATH
249 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
256 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
250 $ P="$CERTSDIR" hg -R copy-pull pull
257 $ P="$CERTSDIR" hg -R copy-pull pull
251 pulling from https://localhost:$HGPORT/
258 pulling from https://localhost:$HGPORT/
252 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
259 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
253 searching for changes
260 searching for changes
254 no changes found
261 no changes found
255 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
262 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
256 pulling from https://localhost:$HGPORT/
263 pulling from https://localhost:$HGPORT/
257 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
264 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
258 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
265 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
259 searching for changes
266 searching for changes
260 no changes found
267 no changes found
261
268
262 empty cacert file
269 empty cacert file
263
270
264 $ touch emptycafile
271 $ touch emptycafile
265
272
266 #if sslcontext
273 #if sslcontext
267 $ hg --config web.cacerts=emptycafile -R copy-pull pull
274 $ hg --config web.cacerts=emptycafile -R copy-pull pull
268 pulling from https://localhost:$HGPORT/
275 pulling from https://localhost:$HGPORT/
269 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
276 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
270 abort: error loading CA file emptycafile: * (glob)
277 abort: error loading CA file emptycafile: * (glob)
271 (file is empty or malformed?)
278 (file is empty or malformed?)
272 [255]
279 [255]
273 #else
280 #else
274 $ hg --config web.cacerts=emptycafile -R copy-pull pull
281 $ hg --config web.cacerts=emptycafile -R copy-pull pull
275 pulling from https://localhost:$HGPORT/
282 pulling from https://localhost:$HGPORT/
276 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
283 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
277 abort: error: * (glob)
284 abort: error: * (glob)
278 [255]
285 [255]
279 #endif
286 #endif
280
287
281 cacert mismatch
288 cacert mismatch
282
289
283 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
290 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
284 > https://$LOCALIP:$HGPORT/
291 > https://$LOCALIP:$HGPORT/
285 pulling from https://*:$HGPORT/ (glob)
292 pulling from https://*:$HGPORT/ (glob)
286 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
293 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
287 abort: $LOCALIP certificate error: certificate is for localhost (glob)
294 abort: $LOCALIP certificate error: certificate is for localhost (glob)
288 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
295 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
289 [255]
296 [255]
290 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
297 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
291 > https://$LOCALIP:$HGPORT/ --insecure
298 > https://$LOCALIP:$HGPORT/ --insecure
292 pulling from https://*:$HGPORT/ (glob)
299 pulling from https://*:$HGPORT/ (glob)
293 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
300 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
294 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
301 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
295 searching for changes
302 searching for changes
296 no changes found
303 no changes found
297 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
304 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
298 pulling from https://localhost:$HGPORT/
305 pulling from https://localhost:$HGPORT/
299 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
306 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
300 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
307 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
301 abort: error: *certificate verify failed* (glob)
308 abort: error: *certificate verify failed* (glob)
302 [255]
309 [255]
303 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
310 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
304 > --insecure
311 > --insecure
305 pulling from https://localhost:$HGPORT/
312 pulling from https://localhost:$HGPORT/
306 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
313 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
307 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
314 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
308 searching for changes
315 searching for changes
309 no changes found
316 no changes found
310
317
311 Test server cert which isn't valid yet
318 Test server cert which isn't valid yet
312
319
313 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
320 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
314 $ cat hg1.pid >> $DAEMON_PIDS
321 $ cat hg1.pid >> $DAEMON_PIDS
315 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
322 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
316 > https://localhost:$HGPORT1/
323 > https://localhost:$HGPORT1/
317 pulling from https://localhost:$HGPORT1/
324 pulling from https://localhost:$HGPORT1/
318 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
325 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
319 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
326 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
320 abort: error: *certificate verify failed* (glob)
327 abort: error: *certificate verify failed* (glob)
321 [255]
328 [255]
322
329
323 Test server cert which no longer is valid
330 Test server cert which no longer is valid
324
331
325 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
332 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
326 $ cat hg2.pid >> $DAEMON_PIDS
333 $ cat hg2.pid >> $DAEMON_PIDS
327 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
334 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
328 > https://localhost:$HGPORT2/
335 > https://localhost:$HGPORT2/
329 pulling from https://localhost:$HGPORT2/
336 pulling from https://localhost:$HGPORT2/
330 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
337 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
331 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
338 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
332 abort: error: *certificate verify failed* (glob)
339 abort: error: *certificate verify failed* (glob)
333 [255]
340 [255]
334
341
335 Disabling the TLS 1.0 warning works
342 Disabling the TLS 1.0 warning works
336 $ hg -R copy-pull id https://localhost:$HGPORT/ \
343 $ hg -R copy-pull id https://localhost:$HGPORT/ \
337 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
344 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
338 > --config hostsecurity.disabletls10warning=true
345 > --config hostsecurity.disabletls10warning=true
339 5fed3813f7f5
346 5fed3813f7f5
340
347
341 Error message for setting ciphers is different depending on SSLContext support
348 Error message for setting ciphers is different depending on SSLContext support
342
349
343 #if no-sslcontext
350 #if no-sslcontext
344 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
351 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
346 abort: *No cipher can be selected. (glob)
353 abort: *No cipher can be selected. (glob)
347 [255]
354 [255]
348
355
349 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
356 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
350 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
357 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
351 5fed3813f7f5
358 5fed3813f7f5
352 #endif
359 #endif
353
360
354 #if sslcontext
361 #if sslcontext
355 Setting ciphers to an invalid value aborts
362 Setting ciphers to an invalid value aborts
356 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
363 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
357 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
364 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
358 abort: could not set ciphers: No cipher can be selected.
365 abort: could not set ciphers: No cipher can be selected.
359 (change cipher string (invalid) in config)
366 (change cipher string (invalid) in config)
360 [255]
367 [255]
361
368
362 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
369 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
370 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
364 abort: could not set ciphers: No cipher can be selected.
371 abort: could not set ciphers: No cipher can be selected.
365 (change cipher string (invalid) in config)
372 (change cipher string (invalid) in config)
366 [255]
373 [255]
367
374
368 Changing the cipher string works
375 Changing the cipher string works
369
376
370 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
377 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
371 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
378 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
372 5fed3813f7f5
379 5fed3813f7f5
373 #endif
380 #endif
374
381
375 Fingerprints
382 Fingerprints
376
383
377 - works without cacerts (hostfingerprints)
384 - works without cacerts (hostfingerprints)
378 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
385 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
379 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
380 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
387 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
381 5fed3813f7f5
388 5fed3813f7f5
382
389
383 - works without cacerts (hostsecurity)
390 - works without cacerts (hostsecurity)
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
391 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
392 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 5fed3813f7f5
393 5fed3813f7f5
387
394
388 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
395 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
396 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
390 5fed3813f7f5
397 5fed3813f7f5
391
398
392 - multiple fingerprints specified and first matches
399 - multiple fingerprints specified and first matches
393 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
400 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
401 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
395 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
402 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
396 5fed3813f7f5
403 5fed3813f7f5
397
404
398 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
405 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
406 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
400 5fed3813f7f5
407 5fed3813f7f5
401
408
402 - multiple fingerprints specified and last matches
409 - multiple fingerprints specified and last matches
403 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
410 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
411 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
405 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
412 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
406 5fed3813f7f5
413 5fed3813f7f5
407
414
408 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
415 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
409 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
410 5fed3813f7f5
417 5fed3813f7f5
411
418
412 - multiple fingerprints specified and none match
419 - multiple fingerprints specified and none match
413
420
414 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
421 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
422 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
416 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
423 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
417 (check hostfingerprint configuration)
424 (check hostfingerprint configuration)
418 [255]
425 [255]
419
426
420 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
427 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
428 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
422 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
429 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
423 (check hostsecurity configuration)
430 (check hostsecurity configuration)
424 [255]
431 [255]
425
432
426 - fails when cert doesn't match hostname (port is ignored)
433 - fails when cert doesn't match hostname (port is ignored)
427 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
434 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
428 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
435 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
429 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
436 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
430 (check hostfingerprint configuration)
437 (check hostfingerprint configuration)
431 [255]
438 [255]
432
439
433
440
434 - ignores that certificate doesn't match hostname
441 - ignores that certificate doesn't match hostname
435 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
442 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
436 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
443 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
437 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
444 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
438 5fed3813f7f5
445 5fed3813f7f5
439
446
440 Ports used by next test. Kill servers.
447 Ports used by next test. Kill servers.
441
448
442 $ killdaemons.py hg0.pid
449 $ killdaemons.py hg0.pid
443 $ killdaemons.py hg1.pid
450 $ killdaemons.py hg1.pid
444 $ killdaemons.py hg2.pid
451 $ killdaemons.py hg2.pid
445
452
446 #if sslcontext tls1.2
453 #if sslcontext tls1.2
447 Start servers running supported TLS versions
454 Start servers running supported TLS versions
448
455
449 $ cd test
456 $ cd test
450 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
457 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
451 > --config devel.serverexactprotocol=tls1.0
458 > --config devel.serverexactprotocol=tls1.0
452 $ cat ../hg0.pid >> $DAEMON_PIDS
459 $ cat ../hg0.pid >> $DAEMON_PIDS
453 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
460 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
454 > --config devel.serverexactprotocol=tls1.1
461 > --config devel.serverexactprotocol=tls1.1
455 $ cat ../hg1.pid >> $DAEMON_PIDS
462 $ cat ../hg1.pid >> $DAEMON_PIDS
456 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
463 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
457 > --config devel.serverexactprotocol=tls1.2
464 > --config devel.serverexactprotocol=tls1.2
458 $ cat ../hg2.pid >> $DAEMON_PIDS
465 $ cat ../hg2.pid >> $DAEMON_PIDS
459 $ cd ..
466 $ cd ..
460
467
461 Clients talking same TLS versions work
468 Clients talking same TLS versions work
462
469
463 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
470 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
464 5fed3813f7f5
471 5fed3813f7f5
465 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
472 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
466 5fed3813f7f5
473 5fed3813f7f5
467 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
474 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
468 5fed3813f7f5
475 5fed3813f7f5
469
476
470 Clients requiring newer TLS version than what server supports fail
477 Clients requiring newer TLS version than what server supports fail
471
478
472 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
479 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
473 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
480 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
474 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
481 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
475 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
482 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
476 abort: error: *unsupported protocol* (glob)
483 abort: error: *unsupported protocol* (glob)
477 [255]
484 [255]
478
485
479 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
486 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
480 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
481 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
482 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
483 abort: error: *unsupported protocol* (glob)
490 abort: error: *unsupported protocol* (glob)
484 [255]
491 [255]
485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
492 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
486 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
493 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
494 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
495 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
489 abort: error: *unsupported protocol* (glob)
496 abort: error: *unsupported protocol* (glob)
490 [255]
497 [255]
491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
498 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
499 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
500 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
501 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
495 abort: error: *unsupported protocol* (glob)
502 abort: error: *unsupported protocol* (glob)
496 [255]
503 [255]
497
504
498 --insecure will allow TLS 1.0 connections and override configs
505 --insecure will allow TLS 1.0 connections and override configs
499
506
500 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
507 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
501 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
508 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
502 5fed3813f7f5
509 5fed3813f7f5
503
510
504 The per-host config option overrides the default
511 The per-host config option overrides the default
505
512
506 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
513 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
507 > --config hostsecurity.minimumprotocol=tls1.2 \
514 > --config hostsecurity.minimumprotocol=tls1.2 \
508 > --config hostsecurity.localhost:minimumprotocol=tls1.0
515 > --config hostsecurity.localhost:minimumprotocol=tls1.0
509 5fed3813f7f5
516 5fed3813f7f5
510
517
511 The per-host config option by itself works
518 The per-host config option by itself works
512
519
513 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
520 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
514 > --config hostsecurity.localhost:minimumprotocol=tls1.2
521 > --config hostsecurity.localhost:minimumprotocol=tls1.2
515 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
522 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
516 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
523 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
517 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
524 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
518 abort: error: *unsupported protocol* (glob)
525 abort: error: *unsupported protocol* (glob)
519 [255]
526 [255]
520
527
521 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
528 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
522
529
523 $ cat >> copy-pull/.hg/hgrc << EOF
530 $ cat >> copy-pull/.hg/hgrc << EOF
524 > [hostsecurity]
531 > [hostsecurity]
525 > localhost:minimumprotocol=tls1.2
532 > localhost:minimumprotocol=tls1.2
526 > EOF
533 > EOF
527 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
534 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
528 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
535 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
529 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
536 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
530 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
537 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
531 abort: error: *unsupported protocol* (glob)
538 abort: error: *unsupported protocol* (glob)
532 [255]
539 [255]
533
540
534 $ killdaemons.py hg0.pid
541 $ killdaemons.py hg0.pid
535 $ killdaemons.py hg1.pid
542 $ killdaemons.py hg1.pid
536 $ killdaemons.py hg2.pid
543 $ killdaemons.py hg2.pid
537 #endif
544 #endif
538
545
539 Prepare for connecting through proxy
546 Prepare for connecting through proxy
540
547
541 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
548 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
542 $ cat hg0.pid >> $DAEMON_PIDS
549 $ cat hg0.pid >> $DAEMON_PIDS
543 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
550 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
544 $ cat hg2.pid >> $DAEMON_PIDS
551 $ cat hg2.pid >> $DAEMON_PIDS
545 tinyproxy.py doesn't fully detach, so killing it may result in extra output
552 tinyproxy.py doesn't fully detach, so killing it may result in extra output
546 from the shell. So don't kill it.
553 from the shell. So don't kill it.
547 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
554 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
548 $ while [ ! -f proxy.pid ]; do sleep 0; done
555 $ while [ ! -f proxy.pid ]; do sleep 0; done
549 $ cat proxy.pid >> $DAEMON_PIDS
556 $ cat proxy.pid >> $DAEMON_PIDS
550
557
551 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
558 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
552 $ echo "always=True" >> copy-pull/.hg/hgrc
559 $ echo "always=True" >> copy-pull/.hg/hgrc
553 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
560 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
554 $ echo "localhost =" >> copy-pull/.hg/hgrc
561 $ echo "localhost =" >> copy-pull/.hg/hgrc
555
562
556 Test unvalidated https through proxy
563 Test unvalidated https through proxy
557
564
558 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
565 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
559 pulling from https://localhost:$HGPORT/
566 pulling from https://localhost:$HGPORT/
560 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
567 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
561 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
568 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
562 searching for changes
569 searching for changes
563 no changes found
570 no changes found
564
571
565 Test https with cacert and fingerprint through proxy
572 Test https with cacert and fingerprint through proxy
566
573
567 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
574 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
568 > --config web.cacerts="$CERTSDIR/pub.pem"
575 > --config web.cacerts="$CERTSDIR/pub.pem"
569 pulling from https://localhost:$HGPORT/
576 pulling from https://localhost:$HGPORT/
570 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
577 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
571 searching for changes
578 searching for changes
572 no changes found
579 no changes found
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
580 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
574 pulling from https://*:$HGPORT/ (glob)
581 pulling from https://*:$HGPORT/ (glob)
575 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
582 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
576 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
583 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
577 searching for changes
584 searching for changes
578 no changes found
585 no changes found
579
586
580 Test https with cert problems through proxy
587 Test https with cert problems through proxy
581
588
582 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
589 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
583 > --config web.cacerts="$CERTSDIR/pub-other.pem"
590 > --config web.cacerts="$CERTSDIR/pub-other.pem"
584 pulling from https://localhost:$HGPORT/
591 pulling from https://localhost:$HGPORT/
585 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
592 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
586 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
593 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
587 abort: error: *certificate verify failed* (glob)
594 abort: error: *certificate verify failed* (glob)
588 [255]
595 [255]
589 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
596 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
590 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
597 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
591 pulling from https://localhost:$HGPORT2/
598 pulling from https://localhost:$HGPORT2/
592 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
599 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
593 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
600 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
594 abort: error: *certificate verify failed* (glob)
601 abort: error: *certificate verify failed* (glob)
595 [255]
602 [255]
596
603
597
604
598 $ killdaemons.py hg0.pid
605 $ killdaemons.py hg0.pid
599
606
600 #if sslcontext
607 #if sslcontext
601
608
602 $ cd test
609 $ cd test
603
610
604 Missing certificate file(s) are detected
611 Missing certificate file(s) are detected
605
612
606 $ hg serve -p $HGPORT --certificate=/missing/certificate \
613 $ hg serve -p $HGPORT --certificate=/missing/certificate \
607 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
614 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
608 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
615 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
609 [255]
616 [255]
610
617
611 $ hg serve -p $HGPORT --certificate=$PRIV \
618 $ hg serve -p $HGPORT --certificate=$PRIV \
612 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
619 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
613 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
620 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
614 [255]
621 [255]
615
622
616 Start hgweb that requires client certificates:
623 Start hgweb that requires client certificates:
617
624
618 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
625 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
619 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
626 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
620 $ cat ../hg0.pid >> $DAEMON_PIDS
627 $ cat ../hg0.pid >> $DAEMON_PIDS
621 $ cd ..
628 $ cd ..
622
629
623 without client certificate:
630 without client certificate:
624
631
625 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
632 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
626 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
633 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
627 abort: error: *handshake failure* (glob)
634 abort: error: *handshake failure* (glob)
628 [255]
635 [255]
629
636
630 with client certificate:
637 with client certificate:
631
638
632 $ cat << EOT >> $HGRCPATH
639 $ cat << EOT >> $HGRCPATH
633 > [auth]
640 > [auth]
634 > l.prefix = localhost
641 > l.prefix = localhost
635 > l.cert = $CERTSDIR/client-cert.pem
642 > l.cert = $CERTSDIR/client-cert.pem
636 > l.key = $CERTSDIR/client-key.pem
643 > l.key = $CERTSDIR/client-key.pem
637 > EOT
644 > EOT
638
645
639 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
646 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
640 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
647 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
648 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
642 5fed3813f7f5
649 5fed3813f7f5
643
650
644 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
651 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
645 > --config ui.interactive=True --config ui.nontty=True
652 > --config ui.interactive=True --config ui.nontty=True
646 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
653 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
647 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
654 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
648
655
649 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
656 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
650 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
657 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
651 abort: error: * (glob)
658 abort: error: * (glob)
652 [255]
659 [255]
653
660
654 Missing certficate and key files result in error
661 Missing certficate and key files result in error
655
662
656 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
663 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
657 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
664 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
658 (restore missing file or fix references in Mercurial config)
665 (restore missing file or fix references in Mercurial config)
659 [255]
666 [255]
660
667
661 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
668 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
662 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
669 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
663 (restore missing file or fix references in Mercurial config)
670 (restore missing file or fix references in Mercurial config)
664 [255]
671 [255]
665
672
666 #endif
673 #endif