Mercurial > hg
annotate tests/test-https.t @ 47678:065e61628980
dirstate-v2: Support appending to the same data file
For now we’re still writing the entire data every time, so appending is not
useful yet. Later we’ll have new nodes pointing to some existing data for
nodes and paths that haven’t changed.
The decision whether to append is pseudo-random in order to make tests exercise
both code paths. This will be replaced by a heuristic based on the amount
of unused existing data.
Differential Revision: https://phab.mercurial-scm.org/D11094
author | Simon Sapin <simon.sapin@octobus.net> |
---|---|
date | Tue, 13 Jul 2021 17:18:23 +0200 |
parents | 8f50dc096cf4 |
children | 7ea2bd2043d1 51b07ac1991c |
rev | line source |
---|---|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
1 #require serve ssl |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
3 Proper https client requires the built-in ssl from Python 2.6. |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
4 |
41974
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
5 Disable the system configuration which may set stricter TLS requirements. |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
6 This test expects that legacy TLS versions are supported. |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
7 |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
8 $ OPENSSL_CONF= |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
9 $ export OPENSSL_CONF |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
10 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
11 Make server certificates: |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
12 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
13 $ CERTSDIR="$TESTDIR/sslcerts" |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
15 $ PRIV=`pwd`/server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
18 |
12446 | 19 $ hg init test |
20 $ cd test | |
21 $ echo foo>foo | |
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg | |
23 $ echo foo>foo.d/foo | |
24 $ echo bar>foo.d/bAr.hg.d/BaR | |
25 $ echo bar>foo.d/baR.d.hg/bAR | |
26 $ hg commit -A -m 1 | |
27 adding foo | |
28 adding foo.d/bAr.hg.d/BaR | |
29 adding foo.d/baR.d.hg/bAR | |
30 adding foo.d/foo | |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
32 $ cat ../hg0.pid >> $DAEMON_PIDS |
12446 | 33 |
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
34 cacert not found |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
35 |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
37 abort: could not find web.cacerts: no-such.pem |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
38 [255] |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
39 |
12446 | 40 Test server address cannot be reused |
4289
e17598881509
test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents:
4130
diff
changeset
|
41 |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
35233
1b22d325089c
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents:
34661
diff
changeset
|
43 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$ |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
44 [255] |
35233
1b22d325089c
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents:
34661
diff
changeset
|
45 |
12446 | 46 $ cd .. |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
47 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
48 Our test cert is not signed by a trusted CA. It should fail to verify if |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
49 we are able to load CA certs. |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
50 |
44881
89f83e47e9c9
tests: remove "sslcontext" check
Manuel Jacob <me@manueljacob.de>
parents:
44879
diff
changeset
|
51 #if no-defaultcacertsloaded |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
52 $ hg clone https://localhost:$HGPORT/ copy-pull |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
54 abort: error: *certificate verify failed* (glob) |
45902
6da22a068281
tests: update test-https.t's #no-defaultcacertsloaded block with new exit code
Martin von Zweigbergk <martinvonz@google.com>
parents:
45839
diff
changeset
|
55 [100] |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
56 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
57 |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
58 #if defaultcacertsloaded |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
59 $ hg clone https://localhost:$HGPORT/ copy-pull |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
60 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
61 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
62 [100] |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
63 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
64 |
31766
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
65 Specifying a per-host certificate file that doesn't exist will abort. The full |
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
66 C:/path/to/msysroot will print on Windows. |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
67 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
68 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
31766
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
69 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
70 [255] |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
71 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
72 A malformed per-host certificate file will raise an error |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
73 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
74 $ echo baddata > badca.pem |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
75 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
76 abort: error loading CA file badca.pem: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
77 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
78 [255] |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
79 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
80 A per-host certificate mismatching the server will fail verification |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
81 |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
82 (modern ssl is able to discern whether the loaded cert is a CA cert) |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
86 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
87 [100] |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
88 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
89 A per-host certificate matching the server's cert will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
90 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
92 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
93 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
94 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
95 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
96 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
97 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
98 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
99 A per-host certificate with multiple certs and one matching will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
100 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
101 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
102 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
103 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
104 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
105 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
106 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
107 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
108 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
109 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
110 Defining both per-host certificate and a fingerprint will print a warning |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
111 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
112 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
113 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
114 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
115 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
116 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
117 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
118 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
119 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
120 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
121 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
122 |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
123 Inability to verify peer certificate will result in abort |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
124 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
128 [150] |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
129 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 132 requesting all changes |
133 adding changesets | |
134 adding manifests | |
135 adding file changes | |
136 added 1 changesets with 4 changes to 4 files | |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
137 new changesets 8b6053c928fe |
12446 | 138 updating to branch default |
139 4 files updated, 0 files merged, 0 files removed, 0 files unresolved | |
140 $ hg verify -R copy-pull | |
141 checking changesets | |
142 checking manifests | |
143 crosschecking files in changesets and manifests | |
144 checking files | |
39489
f1186c292d03
verify: make output less confusing (issue5924)
Meirambek Omyrzak <meirambek77@gmail.com>
parents:
35233
diff
changeset
|
145 checked 1 changesets with 4 changes to 4 files |
12446 | 146 $ cd test |
147 $ echo bar > bar | |
148 $ hg commit -A -d '1 0' -m 2 | |
149 adding bar | |
150 $ cd .. | |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
151 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
152 pull without cacert |
12446 | 153 |
154 $ cd copy-pull | |
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
155 $ cat >> .hg/hgrc <<EOF |
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
156 > [hooks] |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
157 > changegroup = sh -c "printenv.py --line changegroup" |
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
158 > EOF |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
159 $ hg pull $DISABLECACERTS |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
160 pulling from https://localhost:$HGPORT/ |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
163 [150] |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
164 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
165 $ hg pull --insecure |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
166 pulling from https://localhost:$HGPORT/ |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 168 searching for changes |
169 adding changesets | |
170 adding manifests | |
171 adding file changes | |
172 added 1 changesets with 1 changes to 1 files | |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
173 new changesets 5fed3813f7f5 |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
174 changegroup hook: HG_HOOKNAME=changegroup |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
175 HG_HOOKTYPE=changegroup |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
176 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
177 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
178 HG_SOURCE=pull |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
179 HG_TXNID=TXN:$ID$ |
41896
94faa2e84094
transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
41641
diff
changeset
|
180 HG_TXNNAME=pull |
94faa2e84094
transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
41641
diff
changeset
|
181 https://localhost:$HGPORT/ |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
182 HG_URL=https://localhost:$HGPORT/ |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
183 |
12446 | 184 (run 'hg update' to get a working copy) |
185 $ cd .. | |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
186 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
187 cacert configured in local repo |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
188 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
189 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
190 $ echo "[web]" >> copy-pull/.hg/hgrc |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
191 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
192 $ hg -R copy-pull pull |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
193 pulling from https://localhost:$HGPORT/ |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
194 searching for changes |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
195 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
196 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
197 |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
198 cacert configured globally, also testing expansion of environment |
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
199 variables in the filename |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
200 |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
201 $ echo "[web]" >> $HGRCPATH |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
202 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
203 $ P="$CERTSDIR" hg -R copy-pull pull |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
204 pulling from https://localhost:$HGPORT/ |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
205 searching for changes |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
206 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
207 $ P="$CERTSDIR" hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
208 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
209 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
210 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
211 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
212 |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
213 empty cacert file |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
214 |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
215 $ touch emptycafile |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
216 |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
217 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
218 pulling from https://localhost:$HGPORT/ |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
219 abort: error loading CA file emptycafile: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
220 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
221 [255] |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
222 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
223 cacert mismatch |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
224 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31008 | 226 > https://$LOCALIP:$HGPORT/ |
227 pulling from https://*:$HGPORT/ (glob) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31768
diff
changeset
|
228 abort: $LOCALIP certificate error: certificate is for localhost (glob) |
31008 | 229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
230 [150] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31008 | 232 > https://$LOCALIP:$HGPORT/ --insecure |
233 pulling from https://*:$HGPORT/ (glob) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31768
diff
changeset
|
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
235 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
236 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
238 pulling from https://localhost:$HGPORT/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
239 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
240 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
241 [100] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
243 > --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
244 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
245 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
246 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
247 no changes found |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
248 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
249 Test server cert which isn't valid yet |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
250 |
28549 | 251 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
252 $ cat hg1.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
253 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
254 > https://localhost:$HGPORT1/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
255 pulling from https://localhost:$HGPORT1/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
256 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
257 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
258 [100] |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
259 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
260 Test server cert which no longer is valid |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
261 |
28549 | 262 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
263 $ cat hg2.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
264 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
265 > https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
266 pulling from https://localhost:$HGPORT2/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
267 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
268 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
269 [100] |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
270 |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
271 Setting ciphers to an invalid value aborts |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
272 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
273 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
274 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
275 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
276 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
277 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
278 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
279 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
280 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
281 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
282 Changing the cipher string works |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
283 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
284 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
285 5fed3813f7f5 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
286 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
287 Fingerprints |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
288 |
30332
318a24b52eeb
spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents:
30234
diff
changeset
|
289 - works without cacerts (hostfingerprints) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
291 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
292 5fed3813f7f5 |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
293 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
294 - works without cacerts (hostsecurity) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
295 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
296 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
297 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
298 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
299 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
300 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
301 - multiple fingerprints specified and first matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
302 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
303 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
304 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
305 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
306 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
307 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
308 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
309 - multiple fingerprints specified and last matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
310 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
311 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
312 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
313 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
314 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
315 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
316 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
317 - multiple fingerprints specified and none match |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
318 |
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
321 (check hostfingerprint configuration) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
322 [150] |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
323 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
326 (check hostsecurity configuration) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
327 [150] |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
328 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
329 - fails when cert doesn't match hostname (port is ignored) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
332 (check hostfingerprint configuration) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
333 [150] |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
334 |
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
335 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
336 - ignores that certificate doesn't match hostname |
31008 | 337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
339 5fed3813f7f5 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
340 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
341 Ports used by next test. Kill servers. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
342 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
343 $ killdaemons.py hg0.pid |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
344 $ killdaemons.py hg1.pid |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
345 $ killdaemons.py hg2.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
346 |
44881
89f83e47e9c9
tests: remove "sslcontext" check
Manuel Jacob <me@manueljacob.de>
parents:
44879
diff
changeset
|
347 #if tls1.2 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
348 Start servers running supported TLS versions |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
349 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
350 $ cd test |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
351 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
352 > --config devel.serverexactprotocol=tls1.0 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
353 $ cat ../hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
354 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
355 > --config devel.serverexactprotocol=tls1.1 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
356 $ cat ../hg1.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
357 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
358 > --config devel.serverexactprotocol=tls1.2 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
359 $ cat ../hg2.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
360 $ cd .. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
361 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
362 Clients talking same TLS versions work |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
363 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
364 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
365 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
366 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
367 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
368 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
369 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
370 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
371 Clients requiring newer TLS version than what server supports fail |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
372 |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
373 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
374 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
375 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
376 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
377 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
378 [100] |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
379 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
380 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
381 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
382 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
383 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
384 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
385 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
386 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
387 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
388 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
389 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
390 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
391 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
392 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
393 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
394 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
395 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
396 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
397 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
398 |
29617
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
399 --insecure will allow TLS 1.0 connections and override configs |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
400 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
401 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
402 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
403 5fed3813f7f5 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
404 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
405 The per-host config option overrides the default |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
406 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
407 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
408 > --config hostsecurity.minimumprotocol=tls1.2 \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
409 > --config hostsecurity.localhost:minimumprotocol=tls1.0 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
410 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
411 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
412 The per-host config option by itself works |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
413 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
414 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
415 > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
416 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
417 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
418 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
419 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
420 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
421 |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
422 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
423 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
424 $ cat >> copy-pull/.hg/hgrc << EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
425 > [hostsecurity] |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
426 > localhost:minimumprotocol=tls1.2 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
427 > EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
428 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
429 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
430 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
431 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
432 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
433 [100] |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
434 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
435 $ killdaemons.py hg0.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
436 $ killdaemons.py hg1.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
437 $ killdaemons.py hg2.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
438 #endif |
16300
74e114ac6ec1
tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents:
16107
diff
changeset
|
439 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
440 Prepare for connecting through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
441 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
442 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
443 $ cat hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
444 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
445 $ cat hg2.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
446 tinyproxy.py doesn't fully detach, so killing it may result in extra output |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
447 from the shell. So don't kill it. |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
448 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
16496
abbabbbe4ec2
tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents:
16300
diff
changeset
|
449 $ while [ ! -f proxy.pid ]; do sleep 0; done |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
450 $ cat proxy.pid >> $DAEMON_PIDS |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
451 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
452 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
453 $ echo "always=True" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
454 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
455 $ echo "localhost =" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
456 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
457 Test unvalidated https through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
458 |
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
459 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
460 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
461 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
462 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
463 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
464 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
465 Test https with cacert and fingerprint through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
466 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
467 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
468 > --config web.cacerts="$CERTSDIR/pub.pem" |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
469 pulling from https://localhost:$HGPORT/ |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
470 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
471 no changes found |
31008 | 472 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace |
473 pulling from https://*:$HGPORT/ (glob) | |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
474 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
475 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
476 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
477 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
478 Test https with cert problems through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
479 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
480 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
481 > --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
482 pulling from https://localhost:$HGPORT/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
483 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
484 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
485 [100] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
486 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
487 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
488 pulling from https://localhost:$HGPORT2/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
489 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
490 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
491 [100] |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
492 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
493 |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
494 $ killdaemons.py hg0.pid |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
495 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
496 $ cd test |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
497 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
498 Missing certificate file(s) are detected |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
499 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
500 $ hg serve -p $HGPORT --certificate=/missing/certificate \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
501 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
502 abort: referenced certificate file (*/missing/certificate) does not exist (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
503 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
504 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
505 $ hg serve -p $HGPORT --certificate=$PRIV \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
506 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
507 abort: referenced certificate file (*/missing/cafile) does not exist (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
508 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
509 |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
510 Start hgweb that requires client certificates: |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
511 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
512 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
513 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
514 $ cat ../hg0.pid >> $DAEMON_PIDS |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
515 $ cd .. |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
516 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
517 without client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
518 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
41975
406519302520
test-https: add some more known failure messages of client certs (issue6030)
Yuya Nishihara <yuya@tcha.org>
parents:
41974
diff
changeset
|
520 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
521 [100] |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
522 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
523 with client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
524 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
525 $ cat << EOT >> $HGRCPATH |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
526 > [auth] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
527 > l.prefix = localhost |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
528 > l.cert = $CERTSDIR/client-cert.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
529 > l.key = $CERTSDIR/client-key.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
530 > EOT |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
531 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
532 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
533 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
534 5fed3813f7f5 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
535 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
536 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
537 > --config ui.interactive=True --config ui.nontty=True |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
538 passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
539 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
540 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
541 abort: error: * (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
542 [100] |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
543 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
544 Missing certficate and key files result in error |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
545 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
546 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
547 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
548 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
549 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
550 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
551 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
552 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
553 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
554 [255] |