Mercurial > hg-stable
comparison tests/test-https.t @ 29267:f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
We introduce the [hostsecurity] config section. It holds per-host
security settings.
Currently, the section only contains a "fingerprints" option,
which behaves like [hostfingerprints] but supports specifying the
hashing algorithm.
There is still some follow-up work, such as changing some error
messages.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sat, 28 May 2016 12:37:36 -0700 |
| parents | 817ee3cfe862 |
| children | f200b58497f1 |
comparison
equal
deleted
inserted
replaced
| 29266:b3a677c82a35 | 29267:f0ccb6cde3e5 |
|---|---|
| 280 abort: error: *certificate verify failed* (glob) | 280 abort: error: *certificate verify failed* (glob) |
| 281 [255] | 281 [255] |
| 282 | 282 |
| 283 Fingerprints | 283 Fingerprints |
| 284 | 284 |
| 285 - works without cacerts | 285 - works without cacerts (hostkeyfingerprints) |
| 286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | 286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
| 287 5fed3813f7f5 | |
| 288 | |
| 289 - works without cacerts (hostsecurity) | |
| 290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca | |
| 291 5fed3813f7f5 | |
| 292 | |
| 293 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 | |
| 287 5fed3813f7f5 | 294 5fed3813f7f5 |
| 288 | 295 |
| 289 - multiple fingerprints specified and first matches | 296 - multiple fingerprints specified and first matches |
| 290 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | 297 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
| 291 5fed3813f7f5 | 298 5fed3813f7f5 |
| 292 | 299 |
| 300 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |
| 301 5fed3813f7f5 | |
| 302 | |
| 293 - multiple fingerprints specified and last matches | 303 - multiple fingerprints specified and last matches |
| 294 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure | 304 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure |
| 295 5fed3813f7f5 | 305 5fed3813f7f5 |
| 296 | 306 |
| 307 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ | |
| 308 5fed3813f7f5 | |
| 309 | |
| 297 - multiple fingerprints specified and none match | 310 - multiple fingerprints specified and none match |
| 298 | 311 |
| 299 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | 312 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
| 313 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | |
| 314 (check hostfingerprint configuration) | |
| 315 [255] | |
| 316 | |
| 317 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | |
| 300 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | 318 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
| 301 (check hostfingerprint configuration) | 319 (check hostfingerprint configuration) |
| 302 [255] | 320 [255] |
| 303 | 321 |
| 304 - fails when cert doesn't match hostname (port is ignored) | 322 - fails when cert doesn't match hostname (port is ignored) |