Mercurial > hg-stable

diff tests/test-https.t @ 13314:8dc488dfcdb4 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Known fingerprints of HTTPS servers can now be configured in the hostfingerprints section. That makes it possible to verify the identify of web servers without configuring and trusting the CA chain. Limitations: * Portnumbers are ignored, just like with ordinary certificates. * Host name matching is case sensitive.
author Mads Kiilerich <mads@kiilerich.com>
date Fri, 28 Jan 2011 02:57:59 +0100
parents b335882c2f21
children a939f08fae9c
line wrap: on
line diff
--- a/tests/test-https.t	Thu Jan 27 17:21:23 2011 -0600
+++ b/tests/test-https.t	Fri Jan 28 02:57:59 2011 +0100
@@ -106,7 +106,7 @@
 clone via pull
 
   $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: localhost certificate not verified (check web.cacerts config setting)
+  warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
   requesting all changes
   adding changesets
   adding manifests
@@ -132,7 +132,7 @@
   $ echo '[hooks]' >> .hg/hgrc
   $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
   $ hg pull
-  warning: localhost certificate not verified (check web.cacerts config setting)
+  warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
   changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ 
   pulling from https://localhost:$HGPORT/
   searching for changes
@@ -188,3 +188,22 @@
   $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
   abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
   [255]
+
+Fingerprints
+
+  $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
+  $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
+  $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
+
+- works without cacerts
+  $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
+  5fed3813f7f5
+
+- fails when cert doesn't match hostname (port is ignored)
+  $ hg -R copy-pull id https://localhost:$HGPORT1/
+  abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
+  [255]
+
+- ignores that certificate doesn't match hostname
+  $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
+  5fed3813f7f5