Mercurial > hg-stable
annotate tests/test-https.t @ 29390:9349b4073c11
test-revset: show how inconsistent the ordering of compound expressions is
This adds mostly broken tests that will be fixed by subsequent patches. We
generally don't do that, but this patch series would be hard to review
without a set of broken tests.
Note that some tests pass thanks to the reordering problem in optimize().
For instance, '2:0 & _intlist(0 1 2)' doesn't fail because it is rewritten
as '_intlist(0 1 2) & 2:0'.
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Wed, 22 Jun 2016 22:02:25 +0900 |
parents | 93b83ef78d1e |
children | e1778b9c8d53 |
rev | line source |
---|---|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
1 #require serve ssl |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
3 Proper https client requires the built-in ssl from Python 2.6. |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
4 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
5 Make server certificates: |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
6 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
7 $ CERTSDIR="$TESTDIR/sslcerts" |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
9 $ PRIV=`pwd`/server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
12 |
12446 | 13 $ hg init test |
14 $ cd test | |
15 $ echo foo>foo | |
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg | |
17 $ echo foo>foo.d/foo | |
18 $ echo bar>foo.d/bAr.hg.d/BaR | |
19 $ echo bar>foo.d/baR.d.hg/bAR | |
20 $ hg commit -A -m 1 | |
21 adding foo | |
22 adding foo.d/bAr.hg.d/BaR | |
23 adding foo.d/baR.d.hg/bAR | |
24 adding foo.d/foo | |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
26 $ cat ../hg0.pid >> $DAEMON_PIDS |
12446 | 27 |
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
28 cacert not found |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
29 |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
31 abort: could not find web.cacerts: no-such.pem |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
32 [255] |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
33 |
12446 | 34 Test server address cannot be reused |
4289
e17598881509
test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents:
4130
diff
changeset
|
35 |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
36 #if windows |
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
37 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
18682
408f2202bd80
tests: remove glob from output lines containing no glob character
Simon Heimberg <simohe@besonet.ch>
parents:
18588
diff
changeset
|
38 abort: cannot start server at ':$HGPORT': |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
39 [255] |
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
40 #else |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
41 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
42 abort: cannot start server at ':$HGPORT': Address already in use |
12446 | 43 [255] |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
44 #endif |
12446 | 45 $ cd .. |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
46 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
47 Our test cert is not signed by a trusted CA. It should fail to verify if |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
48 we are able to load CA certs. |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
49 |
24289
07fafcd4bc74
test-https: enable dummycert test only if Apple python is used (issue4500)
Yuya Nishihara <yuya@tcha.org>
parents:
24138
diff
changeset
|
50 #if defaultcacerts |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
51 $ hg clone https://localhost:$HGPORT/ copy-pull |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
52 abort: error: *certificate verify failed* (glob) |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
53 [255] |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
54 #endif |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
55 |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
56 Specifying a per-host certificate file that doesn't exist will abort |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
57 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
58 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
59 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
60 [255] |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
61 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
62 A malformed per-host certificate file will raise an error |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
63 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
64 $ echo baddata > badca.pem |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
65 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
29356
93b83ef78d1e
tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents:
29334
diff
changeset
|
66 abort: error: * (glob) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
67 [255] |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
68 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
69 A per-host certificate mismatching the server will fail verification |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
70 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
71 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
72 abort: error: *certificate verify failed* (glob) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
73 [255] |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
74 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
75 A per-host certificate matching the server's cert will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
76 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
77 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
78 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
79 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
80 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
81 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
82 added 1 changesets with 4 changes to 4 files |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
83 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
84 A per-host certificate with multiple certs and one matching will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
85 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
86 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
87 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
88 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
89 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
90 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
91 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
92 added 1 changesets with 4 changes to 4 files |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
93 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
94 Defining both per-host certificate and a fingerprint will print a warning |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
95 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
96 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
97 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
98 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
99 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
100 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
101 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
102 added 1 changesets with 4 changes to 4 files |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
103 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
104 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
105 |
12446 | 106 clone via pull |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
107 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
108 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
29292
bc5f55493397
sslutil: make cert fingerprints messages more actionable
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29290
diff
changeset
|
109 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings) |
12446 | 110 requesting all changes |
111 adding changesets | |
112 adding manifests | |
113 adding file changes | |
114 added 1 changesets with 4 changes to 4 files | |
115 updating to branch default | |
116 4 files updated, 0 files merged, 0 files removed, 0 files unresolved | |
117 $ hg verify -R copy-pull | |
118 checking changesets | |
119 checking manifests | |
120 crosschecking files in changesets and manifests | |
121 checking files | |
122 4 files, 1 changesets, 4 total revisions | |
123 $ cd test | |
124 $ echo bar > bar | |
125 $ hg commit -A -d '1 0' -m 2 | |
126 adding bar | |
127 $ cd .. | |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
128 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
129 pull without cacert |
12446 | 130 |
131 $ cd copy-pull | |
132 $ echo '[hooks]' >> .hg/hgrc | |
25478
d19787db6fe0
tests: simplify printenv calls
Matt Mackall <mpm@selenic.com>
parents:
25472
diff
changeset
|
133 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
134 $ hg pull $DISABLECACERTS |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
135 pulling from https://localhost:$HGPORT/ |
29292
bc5f55493397
sslutil: make cert fingerprints messages more actionable
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29290
diff
changeset
|
136 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings) |
12446 | 137 searching for changes |
138 adding changesets | |
139 adding manifests | |
140 adding file changes | |
141 added 1 changesets with 1 changes to 1 files | |
27739
d6d3cf5fda6f
hooks: add HG_NODE_LAST to txnclose and changegroup hook environments
Mateusz Kwapich <mitrandir@fb.com>
parents:
25478
diff
changeset
|
142 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob) |
12446 | 143 (run 'hg update' to get a working copy) |
144 $ cd .. | |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
145 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
146 cacert configured in local repo |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
147 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
148 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
149 $ echo "[web]" >> copy-pull/.hg/hgrc |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
150 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
151 $ hg -R copy-pull pull --traceback |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
152 pulling from https://localhost:$HGPORT/ |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
153 searching for changes |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
154 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
155 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
156 |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
157 cacert configured globally, also testing expansion of environment |
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
158 variables in the filename |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
159 |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
160 $ echo "[web]" >> $HGRCPATH |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
161 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
162 $ P="$CERTSDIR" hg -R copy-pull pull |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
163 pulling from https://localhost:$HGPORT/ |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
164 searching for changes |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
165 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
166 $ P="$CERTSDIR" hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
167 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
168 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
169 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
170 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
171 |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
172 cacert mismatch |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
173 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
174 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
175 > https://127.0.0.1:$HGPORT/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
176 pulling from https://127.0.0.1:$HGPORT/ |
15814
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15650
diff
changeset
|
177 abort: 127.0.0.1 certificate error: certificate is for localhost |
29292
bc5f55493397
sslutil: make cert fingerprints messages more actionable
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29290
diff
changeset
|
178 (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
179 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
180 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
181 > https://127.0.0.1:$HGPORT/ --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
182 pulling from https://127.0.0.1:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
183 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
184 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
185 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
186 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
187 pulling from https://localhost:$HGPORT/ |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
188 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
189 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
190 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
191 > --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
192 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
193 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
194 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
195 no changes found |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
196 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
197 Test server cert which isn't valid yet |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
198 |
28549 | 199 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
200 $ cat hg1.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
201 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
202 > https://localhost:$HGPORT1/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
203 pulling from https://localhost:$HGPORT1/ |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
204 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
205 [255] |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
206 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
207 Test server cert which no longer is valid |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
208 |
28549 | 209 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
210 $ cat hg2.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
211 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
212 > https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
213 pulling from https://localhost:$HGPORT2/ |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
214 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
215 [255] |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
216 |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
217 Fingerprints |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
218 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
219 - works without cacerts (hostkeyfingerprints) |
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
220 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
221 5fed3813f7f5 |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
222 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
223 - works without cacerts (hostsecurity) |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
224 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
225 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
226 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
227 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
228 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
229 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
230 - multiple fingerprints specified and first matches |
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
231 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
232 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
233 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
234 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
235 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
236 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
237 - multiple fingerprints specified and last matches |
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
238 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
239 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
240 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
241 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
242 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
243 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
244 - multiple fingerprints specified and none match |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
245 |
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
246 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
247 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
248 (check hostfingerprint configuration) |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
249 [255] |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
250 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
251 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29293
1b3a0b0c414f
sslutil: print the fingerprint from the last hash used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29292
diff
changeset
|
252 abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
253 (check hostsecurity configuration) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
254 [255] |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
255 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
256 - fails when cert doesn't match hostname (port is ignored) |
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
257 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca |
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
258 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b |
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
259 (check hostfingerprint configuration) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
260 [255] |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
261 |
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
262 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
263 - ignores that certificate doesn't match hostname |
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
264 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
265 5fed3813f7f5 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
266 |
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
267 HGPORT1 is reused below for tinyproxy tests. Kill that server. |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
268 $ killdaemons.py hg1.pid |
16300
74e114ac6ec1
tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents:
16107
diff
changeset
|
269 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
270 Prepare for connecting through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
271 |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
272 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
16496
abbabbbe4ec2
tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents:
16300
diff
changeset
|
273 $ while [ ! -f proxy.pid ]; do sleep 0; done |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
274 $ cat proxy.pid >> $DAEMON_PIDS |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
275 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
276 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
277 $ echo "always=True" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
278 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
279 $ echo "localhost =" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
280 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
281 Test unvalidated https through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
282 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
283 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
284 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
285 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
286 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
287 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
288 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
289 Test https with cacert and fingerprint through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
290 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
291 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
292 > --config web.cacerts="$CERTSDIR/pub.pem" |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
293 pulling from https://localhost:$HGPORT/ |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
294 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
295 no changes found |
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
296 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
297 pulling from https://127.0.0.1:$HGPORT/ |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
298 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
299 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
300 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
301 Test https with cert problems through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
302 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
303 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
304 > --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
305 pulling from https://localhost:$HGPORT/ |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
306 abort: error: *certificate verify failed* (glob) |
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
307 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
308 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
309 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
310 pulling from https://localhost:$HGPORT2/ |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
311 abort: error: *certificate verify failed* (glob) |
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
312 [255] |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
313 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
314 |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
315 $ killdaemons.py hg0.pid |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
316 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
317 #if sslcontext |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
318 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
319 Start patched hgweb that requires client certificates: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
320 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
321 $ cat << EOT > reqclientcert.py |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
322 > import ssl |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
323 > from mercurial.hgweb import server |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
324 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl): |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
325 > @staticmethod |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
326 > def preparehttpserver(httpserver, ssl_cert): |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
327 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1) |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
328 > sslcontext.verify_mode = ssl.CERT_REQUIRED |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
329 > sslcontext.load_cert_chain(ssl_cert) |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
330 > # verify clients by server certificate |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
331 > sslcontext.load_verify_locations(ssl_cert) |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
332 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket, |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
333 > server_side=True) |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
334 > server._httprequesthandlerssl = _httprequesthandlersslclientcert |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
335 > EOT |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
336 $ cd test |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
337 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
338 > --config extensions.reqclientcert=../reqclientcert.py |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
339 $ cat ../hg0.pid >> $DAEMON_PIDS |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
340 $ cd .. |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
341 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
342 without client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
343 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
344 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
345 abort: error: *handshake failure* (glob) |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
346 [255] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
347 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
348 with client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
349 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
350 $ cat << EOT >> $HGRCPATH |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
351 > [auth] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
352 > l.prefix = localhost |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
353 > l.cert = $CERTSDIR/client-cert.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
354 > l.key = $CERTSDIR/client-key.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
355 > EOT |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
356 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
357 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
358 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
359 5fed3813f7f5 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
360 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
361 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
362 > --config ui.interactive=True --config ui.nontty=True |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
363 passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
364 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
365 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
366 abort: error: * (glob) |
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
367 [255] |
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
368 |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
369 #endif |