Mercurial > hg-stable
annotate tests/test-https.t @ 33381:3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Currently, sslutil._hostsettings() performs validation that web.cacerts
exists. However, client certificates are passed in to the function
and not all callers may validate them. This includes
httpconnection.readauthforuri(), which loads the [auth] section.
If a missing file is specified, the ssl module will raise a generic
IOException. And, it doesn't even give us the courtesy of telling
us which file is missing! Mercurial then prints a generic
"abort: No such file or directory" (or similar) error, leaving users
to scratch their head as to what file is missing.
This commit introduces explicit validation of all paths passed as
arguments to wrapsocket() and wrapserversocket(). Any missing file
is alerted about explicitly.
We should probably catch missing files earlier - as part of loading
the [auth] section. However, I think the sslutil functions should
check for file presence regardless of what callers do because that's
the only way to be sure that missing files are always detected.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Mon, 10 Jul 2017 21:09:46 -0700 |
parents | 2e455cbeac50 |
children | ba971f555cb0 |
rev | line source |
---|---|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
1 #require serve ssl |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
3 Proper https client requires the built-in ssl from Python 2.6. |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
4 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
5 Make server certificates: |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
6 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
7 $ CERTSDIR="$TESTDIR/sslcerts" |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
9 $ PRIV=`pwd`/server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
12 |
12446 | 13 $ hg init test |
14 $ cd test | |
15 $ echo foo>foo | |
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg | |
17 $ echo foo>foo.d/foo | |
18 $ echo bar>foo.d/bAr.hg.d/BaR | |
19 $ echo bar>foo.d/baR.d.hg/bAR | |
20 $ hg commit -A -m 1 | |
21 adding foo | |
22 adding foo.d/bAr.hg.d/BaR | |
23 adding foo.d/baR.d.hg/bAR | |
24 adding foo.d/foo | |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
26 $ cat ../hg0.pid >> $DAEMON_PIDS |
12446 | 27 |
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
28 cacert not found |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
29 |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
32 abort: could not find web.cacerts: no-such.pem |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
33 [255] |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
34 |
12446 | 35 Test server address cannot be reused |
4289
e17598881509
test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents:
4130
diff
changeset
|
36 |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
37 #if windows |
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
31771
49e9124cfc23
test-http: update output for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31769
diff
changeset
|
39 abort: cannot start server at 'localhost:$HGPORT': * (glob) |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
40 [255] |
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
41 #else |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
31029
161ab32b44a1
runtests: set web.address to localhost
Jun Wu <quark@fb.com>
parents:
31028
diff
changeset
|
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use |
12446 | 44 [255] |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
45 #endif |
12446 | 46 $ cd .. |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
47 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
48 Our test cert is not signed by a trusted CA. It should fail to verify if |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
49 we are able to load CA certs. |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
50 |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
51 #if sslcontext defaultcacerts no-defaultcacertsloaded |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
52 $ hg clone https://localhost:$HGPORT/ copy-pull |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
54 abort: error: *certificate verify failed* (glob) |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
55 [255] |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
56 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
57 |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
58 #if no-sslcontext defaultcacerts |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
59 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29500
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
62 abort: error: *certificate verify failed* (glob) |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
63 [255] |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
64 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
65 |
29489
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
66 #if no-sslcontext windows |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
67 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
29489
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
70 abort: error: *certificate verify failed* (glob) |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
71 [255] |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
72 #endif |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
73 |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
74 #if no-sslcontext osx |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
75 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
78 abort: localhost certificate error: no certificate received |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
80 [255] |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
81 #endif |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
82 |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
83 #if defaultcacertsloaded |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
84 $ hg clone https://localhost:$HGPORT/ copy-pull |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29500
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
87 abort: error: *certificate verify failed* (glob) |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
88 [255] |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
89 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
90 |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
91 #if no-defaultcacerts |
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
92 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
95 abort: localhost certificate error: no certificate received |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
97 [255] |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
98 #endif |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
99 |
31769
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31752
diff
changeset
|
100 Specifying a per-host certificate file that doesn't exist will abort. The full |
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31752
diff
changeset
|
101 C:/path/to/msysroot will print on Windows. |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
102 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
31769
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31752
diff
changeset
|
105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
106 [255] |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
107 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
108 A malformed per-host certificate file will raise an error |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
109 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
110 $ echo baddata > badca.pem |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
111 #if sslcontext |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
114 abort: error loading CA file badca.pem: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
115 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
116 [255] |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
117 #else |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29356
93b83ef78d1e
tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents:
29334
diff
changeset
|
120 abort: error: * (glob) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
121 [255] |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
122 #endif |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
123 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
124 A per-host certificate mismatching the server will fail verification |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
125 |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
126 (modern ssl is able to discern whether the loaded cert is a CA cert) |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
127 #if sslcontext |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
131 abort: error: *certificate verify failed* (glob) |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
132 [255] |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
133 #else |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
136 abort: error: *certificate verify failed* (glob) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
137 [255] |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
138 #endif |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
139 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
140 A per-host certificate matching the server's cert will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
141 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
144 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
145 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
146 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
147 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
148 added 1 changesets with 4 changes to 4 files |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
149 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
150 A per-host certificate with multiple certs and one matching will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
151 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
155 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
156 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
157 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
158 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
159 added 1 changesets with 4 changes to 4 files |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
160 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
161 Defining both per-host certificate and a fingerprint will print a warning |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
162 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
166 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
167 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
168 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
169 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
170 added 1 changesets with 4 changes to 4 files |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
171 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
173 |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
174 Inability to verify peer certificate will result in abort |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
175 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
180 [255] |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
181 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 185 requesting all changes |
186 adding changesets | |
187 adding manifests | |
188 adding file changes | |
189 added 1 changesets with 4 changes to 4 files | |
190 updating to branch default | |
191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved | |
192 $ hg verify -R copy-pull | |
193 checking changesets | |
194 checking manifests | |
195 crosschecking files in changesets and manifests | |
196 checking files | |
197 4 files, 1 changesets, 4 total revisions | |
198 $ cd test | |
199 $ echo bar > bar | |
200 $ hg commit -A -d '1 0' -m 2 | |
201 adding bar | |
202 $ cd .. | |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
203 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
204 pull without cacert |
12446 | 205 |
206 $ cd copy-pull | |
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29853
diff
changeset
|
207 $ cat >> .hg/hgrc <<EOF |
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29853
diff
changeset
|
208 > [hooks] |
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29853
diff
changeset
|
209 > changegroup = sh -c "printenv.py changegroup" |
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29853
diff
changeset
|
210 > EOF |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
211 $ hg pull $DISABLECACERTS |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
212 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
216 [255] |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
217 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
218 $ hg pull --insecure |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
219 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 222 searching for changes |
223 adding changesets | |
224 adding manifests | |
225 adding file changes | |
226 added 1 changesets with 1 changes to 1 files | |
31752
aff7b32b3c05
hook: add hook name information to external hook
Pierre-Yves David <pierre-yves.david@ens-lyon.org>
parents:
31751
diff
changeset
|
227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/ |
12446 | 228 (run 'hg update' to get a working copy) |
229 $ cd .. | |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
230 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
231 cacert configured in local repo |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
232 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
234 $ echo "[web]" >> copy-pull/.hg/hgrc |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
29853
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
236 $ hg -R copy-pull pull |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
237 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
239 searching for changes |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
240 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
242 |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
243 cacert configured globally, also testing expansion of environment |
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
244 variables in the filename |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
245 |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
246 $ echo "[web]" >> $HGRCPATH |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
248 $ P="$CERTSDIR" hg -R copy-pull pull |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
249 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
251 searching for changes |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
252 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
254 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
257 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
258 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
259 |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
260 empty cacert file |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
261 |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
262 $ touch emptycafile |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
263 |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
264 #if sslcontext |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
265 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
266 pulling from https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
268 abort: error loading CA file emptycafile: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
269 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
270 [255] |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
271 #else |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
272 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
273 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
275 abort: error: * (glob) |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
276 [255] |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
277 #endif |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
278 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
279 cacert mismatch |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
280 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31028 | 282 > https://$LOCALIP:$HGPORT/ |
283 pulling from https://*:$HGPORT/ (glob) | |
284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31771
diff
changeset
|
285 abort: $LOCALIP certificate error: certificate is for localhost (glob) |
31028 | 286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
287 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31028 | 289 > https://$LOCALIP:$HGPORT/ --insecure |
290 pulling from https://*:$HGPORT/ (glob) | |
291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31771
diff
changeset
|
292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
293 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
294 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
296 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
298 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
299 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
301 > --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
302 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
305 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
306 no changes found |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
307 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
308 Test server cert which isn't valid yet |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
309 |
28549 | 310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
311 $ cat hg1.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
313 > https://localhost:$HGPORT1/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
314 pulling from https://localhost:$HGPORT1/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
316 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
317 [255] |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
318 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
319 Test server cert which no longer is valid |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
320 |
28549 | 321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
322 $ cat hg2.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
324 > https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
325 pulling from https://localhost:$HGPORT2/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
327 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
328 [255] |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
329 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
330 Disabling the TLS 1.0 warning works |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
331 $ hg -R copy-pull id https://localhost:$HGPORT/ \ |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \ |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
333 > --config hostsecurity.disabletls10warning=true |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
334 5fed3813f7f5 |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
335 |
32274
ab89d2f7dc9a
tests: remove test targeting Python 2.6
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31813
diff
changeset
|
336 Error message for setting ciphers is different depending on SSLContext support |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
337 |
32274
ab89d2f7dc9a
tests: remove test targeting Python 2.6
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31813
diff
changeset
|
338 #if no-sslcontext |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
339 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
340 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
341 abort: *No cipher can be selected. (glob) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
342 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
343 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
344 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
346 5fed3813f7f5 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
347 #endif |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
348 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
349 #if sslcontext |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
350 Setting ciphers to an invalid value aborts |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
351 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
352 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
353 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
354 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
355 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
356 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
357 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
358 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
359 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
360 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
361 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
362 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
363 Changing the cipher string works |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
364 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
365 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
366 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
367 5fed3813f7f5 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
368 #endif |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
369 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
370 Fingerprints |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
371 |
30342
318a24b52eeb
spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents:
30234
diff
changeset
|
372 - works without cacerts (hostfingerprints) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
373 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
374 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
32313
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32285
diff
changeset
|
375 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
376 5fed3813f7f5 |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
377 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
378 - works without cacerts (hostsecurity) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
379 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
380 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
381 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
382 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
383 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
385 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
386 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
387 - multiple fingerprints specified and first matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
388 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
32313
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32285
diff
changeset
|
390 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
391 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
392 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
393 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
395 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
396 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
397 - multiple fingerprints specified and last matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
398 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
32313
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32285
diff
changeset
|
400 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
401 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
402 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
403 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
405 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
406 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
407 - multiple fingerprints specified and none match |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
408 |
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
411 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
412 (check hostfingerprint configuration) |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
413 [255] |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
414 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
415 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
416 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
417 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
418 (check hostsecurity configuration) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
419 [255] |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
420 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
421 - fails when cert doesn't match hostname (port is ignored) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
422 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
423 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
424 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
425 (check hostfingerprint configuration) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
426 [255] |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
427 |
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
428 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
429 - ignores that certificate doesn't match hostname |
31028 | 430 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
431 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
32313
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32285
diff
changeset
|
432 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
433 5fed3813f7f5 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
434 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
435 Ports used by next test. Kill servers. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
436 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
437 $ killdaemons.py hg0.pid |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
438 $ killdaemons.py hg1.pid |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
439 $ killdaemons.py hg2.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
440 |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
441 #if sslcontext tls1.2 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
442 Start servers running supported TLS versions |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
443 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
444 $ cd test |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
445 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
446 > --config devel.serverexactprotocol=tls1.0 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
447 $ cat ../hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
448 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
449 > --config devel.serverexactprotocol=tls1.1 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
450 $ cat ../hg1.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
451 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
452 > --config devel.serverexactprotocol=tls1.2 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
453 $ cat ../hg2.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
454 $ cd .. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
455 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
456 Clients talking same TLS versions work |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
457 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
458 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
459 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
460 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
461 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
462 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
463 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
464 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
465 Clients requiring newer TLS version than what server supports fail |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
466 |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
467 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
468 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
469 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
470 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
471 abort: error: *unsupported protocol* (glob) |
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
472 [255] |
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
473 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
474 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
475 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
476 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
477 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
478 abort: error: *unsupported protocol* (glob) |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
479 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
481 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
482 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
483 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
484 abort: error: *unsupported protocol* (glob) |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
485 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
486 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
487 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
488 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
489 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
490 abort: error: *unsupported protocol* (glob) |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
491 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
492 |
29617
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
493 --insecure will allow TLS 1.0 connections and override configs |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
494 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
495 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
496 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
497 5fed3813f7f5 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
498 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
499 The per-host config option overrides the default |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
500 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
501 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
502 > --config hostsecurity.minimumprotocol=tls1.2 \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
503 > --config hostsecurity.localhost:minimumprotocol=tls1.0 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
504 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
505 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
506 The per-host config option by itself works |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
507 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
508 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
509 > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
510 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
511 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
512 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
513 abort: error: *unsupported protocol* (glob) |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
514 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
515 |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
516 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
517 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
518 $ cat >> copy-pull/.hg/hgrc << EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
519 > [hostsecurity] |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
520 > localhost:minimumprotocol=tls1.2 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
521 > EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
522 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
523 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
524 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
525 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
29635
dee24c87dbf0
tests: glob over ssl error
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29619
diff
changeset
|
526 abort: error: *unsupported protocol* (glob) |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
527 [255] |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
528 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
529 $ killdaemons.py hg0.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
530 $ killdaemons.py hg1.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
531 $ killdaemons.py hg2.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
532 #endif |
16300
74e114ac6ec1
tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents:
16107
diff
changeset
|
533 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
534 Prepare for connecting through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
535 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
536 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
537 $ cat hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
538 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
539 $ cat hg2.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
540 tinyproxy.py doesn't fully detach, so killing it may result in extra output |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
541 from the shell. So don't kill it. |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
542 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
16496
abbabbbe4ec2
tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents:
16300
diff
changeset
|
543 $ while [ ! -f proxy.pid ]; do sleep 0; done |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
544 $ cat proxy.pid >> $DAEMON_PIDS |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
545 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
546 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
547 $ echo "always=True" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
548 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
549 $ echo "localhost =" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
550 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
551 Test unvalidated https through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
552 |
29853
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
553 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
554 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
555 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
556 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
557 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
558 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
559 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
560 Test https with cacert and fingerprint through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
561 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
562 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
563 > --config web.cacerts="$CERTSDIR/pub.pem" |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
564 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
565 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
566 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
567 no changes found |
31028 | 568 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace |
569 pulling from https://*:$HGPORT/ (glob) | |
570 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
32313
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32285
diff
changeset
|
571 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
572 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
573 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
574 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
575 Test https with cert problems through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
576 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
577 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
578 > --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
579 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
580 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
581 abort: error: *certificate verify failed* (glob) |
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
582 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
583 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
584 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
585 pulling from https://localhost:$HGPORT2/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
586 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
587 abort: error: *certificate verify failed* (glob) |
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
588 [255] |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
589 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
590 |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
591 $ killdaemons.py hg0.pid |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
592 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
593 #if sslcontext |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
594 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
595 $ cd test |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
596 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
597 Missing certificate file(s) are detected |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
598 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
599 $ hg serve -p $HGPORT --certificate=/missing/certificate \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
600 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
601 abort: referenced certificate file (/missing/certificate) does not exist |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
602 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
603 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
604 $ hg serve -p $HGPORT --certificate=$PRIV \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
605 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
606 abort: referenced certificate file (/missing/cafile) does not exist |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
607 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
608 |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
609 Start hgweb that requires client certificates: |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
610 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
611 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
612 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
613 $ cat ../hg0.pid >> $DAEMON_PIDS |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
614 $ cd .. |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
615 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
616 without client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
617 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
618 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
619 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
620 abort: error: *handshake failure* (glob) |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
621 [255] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
622 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
623 with client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
624 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
625 $ cat << EOT >> $HGRCPATH |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
626 > [auth] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
627 > l.prefix = localhost |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
628 > l.cert = $CERTSDIR/client-cert.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
629 > l.key = $CERTSDIR/client-key.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
630 > EOT |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
631 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
632 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
633 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
634 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
635 5fed3813f7f5 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
636 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
637 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
638 > --config ui.interactive=True --config ui.nontty=True |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
639 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
640 passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
641 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
642 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
643 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
644 abort: error: * (glob) |
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
645 [255] |
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
646 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
647 Missing certficate and key files result in error |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
648 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
649 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
650 abort: certificate file (/missing/cert) does not exist; cannot connect to localhost |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
651 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
652 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
653 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
654 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
655 abort: certificate file (/missing/key) does not exist; cannot connect to localhost |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
656 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
657 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32313
diff
changeset
|
658 |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
659 #endif |