123 Inability to verify peer certificate will result in abort |
123 Inability to verify peer certificate will result in abort |
124 |
124 |
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
128 [255] |
128 [150] |
129 |
129 |
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
132 requesting all changes |
132 requesting all changes |
133 adding changesets |
133 adding changesets |
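Review bot: The expected status at line 128 changes from [255] to [150] with nothing in the test saying what 150 stands for. A one-line comment above the case at line 123 (for example, that a refused connection now exits with the security-error status) would let a reader tell an intended change from a regression. Wrappers that detect an abort by comparing the exit status with 255 will no longer match this failure, so the change also deserves a mention wherever the exit codes are documented.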
158 > EOF |
158 > EOF |
159 $ hg pull $DISABLECACERTS |
159 $ hg pull $DISABLECACERTS |
160 pulling from https://localhost:$HGPORT/ |
160 pulling from https://localhost:$HGPORT/ |
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
163 [255] |
163 [150] |
164 |
164 |
165 $ hg pull --insecure |
165 $ hg pull --insecure |
166 pulling from https://localhost:$HGPORT/ |
166 pulling from https://localhost:$HGPORT/ |
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
168 searching for changes |
168 searching for changes |
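Review bot: Line 163 now reports 150 for the refused pull, but the `--insecure` pull at line 165 still has no status line, meaning it exits successfully. Only the warning at line 167 shows that verification was off. If the new status is meant to let automation recognise connection-security failures, the commit message or documentation should state that a run with verification disabled is not covered by it and has to be caught from the warning text or from configuration review.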
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
226 > https://$LOCALIP:$HGPORT/ |
226 > https://$LOCALIP:$HGPORT/ |
227 pulling from https://*:$HGPORT/ (glob) |
227 pulling from https://*:$HGPORT/ (glob) |
228 abort: $LOCALIP certificate error: certificate is for localhost (glob) |
228 abort: $LOCALIP certificate error: certificate is for localhost (glob) |
229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
230 [255] |
230 [150] |
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
232 > https://$LOCALIP:$HGPORT/ --insecure |
232 > https://$LOCALIP:$HGPORT/ --insecure |
233 pulling from https://*:$HGPORT/ (glob) |
233 pulling from https://*:$HGPORT/ (glob) |
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
235 searching for changes |
235 searching for changes |
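Review bot: The hint at line 229 tells the user to set `hostsecurity.$LOCALIP:certfingerprints=...`, while the hints at lines 127, 162 and 338 name the key as `hostsecurity.<host>:fingerprints`. This is unchanged context, but the expected output of this case is being touched anyway, so please confirm which key is actually read and correct the message in the same series. A user who copies the line 229 hint as printed may pin nothing and then reach for `--insecure`. The status change at line 230 is consistent with the other hunks.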
317 - multiple fingerprints specified and none match |
317 - multiple fingerprints specified and none match |
318 |
318 |
319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
321 (check hostfingerprint configuration) |
321 (check hostfingerprint configuration) |
322 [255] |
322 [150] |
323 |
323 |
324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
326 (check hostsecurity configuration) |
326 (check hostsecurity configuration) |
327 [255] |
327 [150] |
328 |
328 |
329 - fails when cert doesn't match hostname (port is ignored) |
329 - fails when cert doesn't match hostname (port is ignored) |
330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
332 (check hostfingerprint configuration) |
332 (check hostfingerprint configuration) |
333 [255] |
333 [150] |
334 |
334 |
335 |
335 |
336 - ignores that certificate doesn't match hostname |
336 - ignores that certificate doesn't match hostname |
337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
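Review bot: Lines 322, 327 and 333 give a pinned-fingerprint mismatch the same status 150 that line 128 gives to "no loaded CA certificates" and line 230 gives to a hostname mismatch. A fingerprint that differs from a pinned value is a much stronger sign of tampering than a missing CA bundle, so if callers need to tell the two apart, the status alone will not do it and they will still have to parse the abort text. Please state in the commit message whether a single code for all connection-security aborts is the intent. The case at line 337 is cut off before any status line, so its exit code cannot be checked from this hunk.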