annotate tests/test-https.t @ 33381:3bdbbadddecc

sslutil: check for missing certificate and key files (issue5598) Currently, sslutil._hostsettings() performs validation that web.cacerts exists. However, client certificates are passed in to the function and not all callers may validate them. This includes httpconnection.readauthforuri(), which loads the [auth] section. If a missing file is specified, the ssl module will raise a generic IOException. And, it doesn't even give us the courtesy of telling us which file is missing! Mercurial then prints a generic "abort: No such file or directory" (or similar) error, leaving users to scratch their head as to what file is missing. This commit introduces explicit validation of all paths passed as arguments to wrapsocket() and wrapserversocket(). Any missing file is alerted about explicitly. We should probably catch missing files earlier - as part of loading the [auth] section. However, I think the sslutil functions should check for file presence regardless of what callers do because that's the only way to be sure that missing files are always detected.
author Gregory Szorc <gregory.szorc@gmail.com>
date Mon, 10 Jul 2017 21:09:46 -0700
parents 2e455cbeac50
children ba971f555cb0
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
1 #require serve ssl
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
2
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
3 Proper https client requires the built-in ssl from Python 2.6.
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
4
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
5 Make server certificates:
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
6
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
7 $ CERTSDIR="$TESTDIR/sslcerts"
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
9 $ PRIV=`pwd`/server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
12
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
13 $ hg init test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
14 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
15 $ echo foo>foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
17 $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
18 $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
19 $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
20 $ hg commit -A -m 1
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
21 adding foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
22 adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
23 adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
24 adding foo.d/foo
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
26 $ cat ../hg0.pid >> $DAEMON_PIDS
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
27
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
28 cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
29
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
32 abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
33 [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
34
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
35 Test server address cannot be reused
4289
e17598881509 test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents: 4130
diff changeset
36
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
37 #if windows
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31771
49e9124cfc23 test-http: update output for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31769
diff changeset
39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
40 [255]
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
41 #else
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31029
161ab32b44a1 runtests: set web.address to localhost
Jun Wu <quark@fb.com>
parents: 31028
diff changeset
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
44 [255]
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
45 #endif
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
46 $ cd ..
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
47
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
48 Our test cert is not signed by a trusted CA. It should fail to verify if
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
49 we are able to load CA certs.
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
50
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
52 $ hg clone https://localhost:$HGPORT/ copy-pull
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
54 abort: error: *certificate verify failed* (glob)
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
55 [255]
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
56 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
57
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
58 #if no-sslcontext defaultcacerts
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
59 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29499
diff changeset
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
62 abort: error: *certificate verify failed* (glob)
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
63 [255]
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
64 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
65
29489
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
66 #if no-sslcontext windows
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
67 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29489
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
70 abort: error: *certificate verify failed* (glob)
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
71 [255]
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
72 #endif
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
73
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
74 #if no-sslcontext osx
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
75 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
78 abort: localhost certificate error: no certificate received
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
80 [255]
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
81 #endif
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
82
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
83 #if defaultcacertsloaded
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
84 $ hg clone https://localhost:$HGPORT/ copy-pull
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29499
diff changeset
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
87 abort: error: *certificate verify failed* (glob)
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
88 [255]
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
89 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
90
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
91 #if no-defaultcacerts
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
92 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
95 abort: localhost certificate error: no certificate received
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
97 [255]
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
98 #endif
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
99
31769
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31752
diff changeset
100 Specifying a per-host certificate file that doesn't exist will abort. The full
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31752
diff changeset
101 C:/path/to/msysroot will print on Windows.
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
102
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31769
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31752
diff changeset
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
106 [255]
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
107
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
108 A malformed per-host certificate file will raise an error
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
109
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
110 $ echo baddata > badca.pem
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
111 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
114 abort: error loading CA file badca.pem: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
115 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
116 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
117 #else
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29356
93b83ef78d1e tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents: 29334
diff changeset
120 abort: error: * (glob)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
121 [255]
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
122 #endif
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
123
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
124 A per-host certificate mismatching the server will fail verification
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
125
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
126 (modern ssl is able to discern whether the loaded cert is a CA cert)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
127 #if sslcontext
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
131 abort: error: *certificate verify failed* (glob)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
132 [255]
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
133 #else
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
136 abort: error: *certificate verify failed* (glob)
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
137 [255]
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
138 #endif
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
139
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
140 A per-host certificate matching the server's cert will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
141
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
144 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
145 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
146 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
147 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
148 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
149
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
150 A per-host certificate with multiple certs and one matching will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
151
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
155 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
156 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
157 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
158 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
159 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
160
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
161 Defining both per-host certificate and a fingerprint will print a warning
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
162
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
166 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
167 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
168 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
169 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
170 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
171
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
173
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
174 Inability to verify peer certificate will result in abort
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
175
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
180 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
181
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
185 requesting all changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
186 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
187 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
188 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
189 added 1 changesets with 4 changes to 4 files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
190 updating to branch default
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
192 $ hg verify -R copy-pull
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
193 checking changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
194 checking manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
195 crosschecking files in changesets and manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
196 checking files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
197 4 files, 1 changesets, 4 total revisions
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
198 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
199 $ echo bar > bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
200 $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
201 adding bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
202 $ cd ..
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
203
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
204 pull without cacert
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
205
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
206 $ cd copy-pull
30234
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29853
diff changeset
207 $ cat >> .hg/hgrc <<EOF
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29853
diff changeset
208 > [hooks]
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29853
diff changeset
209 > changegroup = sh -c "printenv.py changegroup"
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29853
diff changeset
210 > EOF
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
211 $ hg pull $DISABLECACERTS
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
212 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
216 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
217
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
218 $ hg pull --insecure
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
219 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
222 searching for changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
223 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
224 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
225 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
226 added 1 changesets with 1 changes to 1 files
31752
aff7b32b3c05 hook: add hook name information to external hook
Pierre-Yves David <pierre-yves.david@ens-lyon.org>
parents: 31751
diff changeset
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
228 (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
229 $ cd ..
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
230
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
231 cacert configured in local repo
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
232
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
234 $ echo "[web]" >> copy-pull/.hg/hgrc
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
29853
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
236 $ hg -R copy-pull pull
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
237 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
239 searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
240 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
242
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
243 cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
244 variables in the filename
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
245
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
246 $ echo "[web]" >> $HGRCPATH
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
248 $ P="$CERTSDIR" hg -R copy-pull pull
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
249 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
251 searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
252 no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
254 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
257 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
258 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
259
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
260 empty cacert file
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
261
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
262 $ touch emptycafile
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
263
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
264 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
266 pulling from https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
268 abort: error loading CA file emptycafile: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
269 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
270 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
271 #else
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
273 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
275 abort: error: * (glob)
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
276 [255]
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
277 #endif
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
278
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
279 cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
280
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31028
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
282 > https://$LOCALIP:$HGPORT/
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
283 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31813
68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents: 31771
diff changeset
285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
31028
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
287 [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31028
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
289 > https://$LOCALIP:$HGPORT/ --insecure
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
290 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31813
68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents: 31771
diff changeset
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
293 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
294 no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
296 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
298 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
299 [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
301 > --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
302 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
305 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
306 no changes found
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
307
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
308 Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
309
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
311 $ cat hg1.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
313 > https://localhost:$HGPORT1/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
314 pulling from https://localhost:$HGPORT1/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
316 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
317 [255]
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
318
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
319 Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
320
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
322 $ cat hg2.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
324 > https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
325 pulling from https://localhost:$HGPORT2/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
327 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
328 [255]
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
329
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
330 Disabling the TLS 1.0 warning works
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
333 > --config hostsecurity.disabletls10warning=true
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
334 5fed3813f7f5
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
335
32274
ab89d2f7dc9a tests: remove test targeting Python 2.6
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31813
diff changeset
336 Error message for setting ciphers is different depending on SSLContext support
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
337
32274
ab89d2f7dc9a tests: remove test targeting Python 2.6
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31813
diff changeset
338 #if no-sslcontext
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
339 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
340 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
341 abort: *No cipher can be selected. (glob)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
342 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
343
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
344 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
346 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
347 #endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
348
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
349 #if sslcontext
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
350 Setting ciphers to an invalid value aborts
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
351 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
353 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
354 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
355 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
356
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
357 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
358 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
359 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
360 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
361 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
362
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
363 Changing the cipher string works
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
364
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
365 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
366 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
367 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
368 #endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
369
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
370 Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
371
30342
318a24b52eeb spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents: 30234
diff changeset
372 - works without cacerts (hostfingerprints)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
373 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
374 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32313
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32285
diff changeset
375 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
376 5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
377
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
378 - works without cacerts (hostsecurity)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
379 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
380 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
381 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
382
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
383 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
385 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
386
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
387 - multiple fingerprints specified and first matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
388 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32313
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32285
diff changeset
390 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
391 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
392
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
393 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
395 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
396
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
397 - multiple fingerprints specified and last matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
398 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32313
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32285
diff changeset
400 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
401 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
402
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
403 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
405 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
406
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
407 - multiple fingerprints specified and none match
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
408
28847
3e576fe66715 tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents: 28549
diff changeset
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
411 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
412 (check hostfingerprint configuration)
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
413 [255]
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
414
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
415 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
416 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
417 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29268
f200b58497f1 sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29267
diff changeset
418 (check hostsecurity configuration)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
419 [255]
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
420
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
421 - fails when cert doesn't match hostname (port is ignored)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
422 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
423 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
424 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
15997
a45516cb8d9f sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents: 15814
diff changeset
425 (check hostfingerprint configuration)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
426 [255]
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
427
18588
3241fc65e3cd test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents: 18354
diff changeset
428
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
429 - ignores that certificate doesn't match hostname
31028
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
430 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
431 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32313
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32285
diff changeset
432 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
433 5fed3813f7f5
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
434
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
435 Ports used by next test. Kill servers.
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
436
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
437 $ killdaemons.py hg0.pid
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
438 $ killdaemons.py hg1.pid
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
439 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
440
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
441 #if sslcontext tls1.2
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
442 Start servers running supported TLS versions
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
443
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
444 $ cd test
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
445 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
446 > --config devel.serverexactprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
447 $ cat ../hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
448 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
449 > --config devel.serverexactprotocol=tls1.1
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
450 $ cat ../hg1.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
451 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
452 > --config devel.serverexactprotocol=tls1.2
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
453 $ cat ../hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
454 $ cd ..
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
455
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
456 Clients talking same TLS versions work
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
457
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
458 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
459 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
460 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
461 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
462 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
463 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
464
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
465 Clients requiring newer TLS version than what server supports fail
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
466
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
467 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
468 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
469 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
470 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
471 abort: error: *unsupported protocol* (glob)
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
472 [255]
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
473
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
474 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
475 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
476 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
477 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
478 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
479 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
481 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
482 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
483 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
484 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
485 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
486 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
487 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
488 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
489 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
490 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
491 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
492
29617
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
493 --insecure will allow TLS 1.0 connections and override configs
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
494
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
495 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
496 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
497 5fed3813f7f5
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
498
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
499 The per-host config option overrides the default
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
500
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
501 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
502 > --config hostsecurity.minimumprotocol=tls1.2 \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
503 > --config hostsecurity.localhost:minimumprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
504 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
505
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
506 The per-host config option by itself works
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
507
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
508 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
509 > --config hostsecurity.localhost:minimumprotocol=tls1.2
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
510 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
511 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
512 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
513 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
514 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
515
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
516 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
517
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
518 $ cat >> copy-pull/.hg/hgrc << EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
519 > [hostsecurity]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
520 > localhost:minimumprotocol=tls1.2
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
521 > EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
522 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
523 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
524 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
525 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29635
dee24c87dbf0 tests: glob over ssl error
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29619
diff changeset
526 abort: error: *unsupported protocol* (glob)
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
527 [255]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
528
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
529 $ killdaemons.py hg0.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
530 $ killdaemons.py hg1.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
531 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
532 #endif
16300
74e114ac6ec1 tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents: 16107
diff changeset
533
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
534 Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
535
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
536 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
537 $ cat hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
538 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
539 $ cat hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
540 tinyproxy.py doesn't fully detach, so killing it may result in extra output
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
541 from the shell. So don't kill it.
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
542 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496
abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents: 16300
diff changeset
543 $ while [ ! -f proxy.pid ]; do sleep 0; done
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
544 $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
545
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
546 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
547 $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
548 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
549 $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
550
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
551 Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
552
29853
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
553 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
554 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
555 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
556 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
557 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
558 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
559
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
560 Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
561
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
562 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
563 > --config web.cacerts="$CERTSDIR/pub.pem"
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
564 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
565 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
566 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
567 no changes found
31028
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
568 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
569 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30342
diff changeset
570 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
32313
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32285
diff changeset
571 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
572 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
573 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
574
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
575 Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
576
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
577 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
578 > --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
579 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
580 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
581 abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
582 [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
583 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
584 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
585 pulling from https://localhost:$HGPORT2/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
586 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
587 abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
588 [255]
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
589
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
590
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
591 $ killdaemons.py hg0.pid
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
592
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
593 #if sslcontext
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
594
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
595 $ cd test
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
596
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
597 Missing certificate file(s) are detected
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
598
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
599 $ hg serve -p $HGPORT --certificate=/missing/certificate \
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
600 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
601 abort: referenced certificate file (/missing/certificate) does not exist
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
602 [255]
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
603
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
604 $ hg serve -p $HGPORT --certificate=$PRIV \
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
605 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
606 abort: referenced certificate file (/missing/cafile) does not exist
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
607 [255]
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
608
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
609 Start hgweb that requires client certificates:
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
610
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
611 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
612 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
613 $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
614 $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
615
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
616 without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
617
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
618 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
619 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
620 abort: error: *handshake failure* (glob)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
621 [255]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
622
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
623 with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
624
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
625 $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
626 > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
627 > l.prefix = localhost
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
628 > l.cert = $CERTSDIR/client-cert.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
629 > l.key = $CERTSDIR/client-key.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
630 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
631
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
632 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
633 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
634 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
635 5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
636
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
637 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
638 > --config ui.interactive=True --config ui.nontty=True
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
639 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
640 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
641
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
642 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
643 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
644 abort: error: * (glob)
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
645 [255]
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
646
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
647 Missing certficate and key files result in error
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
648
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
649 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
650 abort: certificate file (/missing/cert) does not exist; cannot connect to localhost
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
651 (restore missing file or fix references in Mercurial config)
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
652 [255]
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
653
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
654 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
655 abort: certificate file (/missing/key) does not exist; cannot connect to localhost
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
656 (restore missing file or fix references in Mercurial config)
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
657 [255]
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32313
diff changeset
658
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
659 #endif