Mercurial > hg-stable
comparison tests/test-https.t @ 29267:f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
We introduce the [hostsecurity] config section. It holds per-host
security settings.
Currently, the section only contains a "fingerprints" option,
which behaves like [hostfingerprints] but supports specifying the
hashing algorithm.
There is still some follow-up work, such as changing some error
messages.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Sat, 28 May 2016 12:37:36 -0700 |
parents | 817ee3cfe862 |
children | f200b58497f1 |
comparison
equal
deleted
inserted
replaced
29266:b3a677c82a35 | 29267:f0ccb6cde3e5 |
---|---|
280 abort: error: *certificate verify failed* (glob) | 280 abort: error: *certificate verify failed* (glob) |
281 [255] | 281 [255] |
282 | 282 |
283 Fingerprints | 283 Fingerprints |
284 | 284 |
285 - works without cacerts | 285 - works without cacerts (hostkeyfingerprints) |
286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | 286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
287 5fed3813f7f5 | |
288 | |
289 - works without cacerts (hostsecurity) | |
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca | |
291 5fed3813f7f5 | |
292 | |
293 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 | |
287 5fed3813f7f5 | 294 5fed3813f7f5 |
288 | 295 |
289 - multiple fingerprints specified and first matches | 296 - multiple fingerprints specified and first matches |
290 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | 297 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
291 5fed3813f7f5 | 298 5fed3813f7f5 |
292 | 299 |
300 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |
301 5fed3813f7f5 | |
302 | |
293 - multiple fingerprints specified and last matches | 303 - multiple fingerprints specified and last matches |
294 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure | 304 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure |
295 5fed3813f7f5 | 305 5fed3813f7f5 |
296 | 306 |
307 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ | |
308 5fed3813f7f5 | |
309 | |
297 - multiple fingerprints specified and none match | 310 - multiple fingerprints specified and none match |
298 | 311 |
299 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | 312 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
313 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | |
314 (check hostfingerprint configuration) | |
315 [255] | |
316 | |
317 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |
300 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | 318 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
301 (check hostfingerprint configuration) | 319 (check hostfingerprint configuration) |
302 [255] | 320 [255] |
303 | 321 |
304 - fails when cert doesn't match hostname (port is ignored) | 322 - fails when cert doesn't match hostname (port is ignored) |