tests/test-https.t
author Jun Wu <quark@fb.com>
Fri, 05 May 2017 16:48:58 -0700
changeset 32189 15f10ee778f8
parent 31813 68bd8cd381a3
child 32194 9a86d936670f
child 32234 ab89d2f7dc9a
permissions -rw-r--r--
diff: draw a table about binary diff behaviors The table should make it easier to reason about future changes.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
     1
#require serve ssl
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
     2
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
     3
Proper https client requires the built-in ssl from Python 2.6.
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
     4
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
     5
Make server certificates:
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
     6
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
     7
  $ CERTSDIR="$TESTDIR/sslcerts"
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
     8
  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
     9
  $ PRIV=`pwd`/server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
    10
  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
    11
  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
    12
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    13
  $ hg init test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    14
  $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    15
  $ echo foo>foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    16
  $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    17
  $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    18
  $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    19
  $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    20
  $ hg commit -A -m 1
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    21
  adding foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    22
  adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    23
  adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    24
  adding foo.d/foo
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
    25
  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
    26
  $ cat ../hg0.pid >> $DAEMON_PIDS
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    27
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
    28
cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
    29
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
    30
  $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
    31
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
    32
  abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
    33
  [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
    34
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    35
Test server address cannot be reused
4289
e17598881509 test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents: 4130
diff changeset
    36
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
    37
#if windows
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
    38
  $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31768
49e9124cfc23 test-http: update output for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31766
diff changeset
    39
  abort: cannot start server at 'localhost:$HGPORT': * (glob)
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
    40
  [255]
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
    41
#else
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
    42
  $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31009
161ab32b44a1 runtests: set web.address to localhost
Jun Wu <quark@fb.com>
parents: 31008
diff changeset
    43
  abort: cannot start server at 'localhost:$HGPORT': Address already in use
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    44
  [255]
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
    45
#endif
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
    46
  $ cd ..
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
    47
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
    48
Our test cert is not signed by a trusted CA. It should fail to verify if
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
    49
we are able to load CA certs.
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
    50
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    51
#if sslcontext defaultcacerts no-defaultcacertsloaded
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
    52
  $ hg clone https://localhost:$HGPORT/ copy-pull
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
    53
  (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
    54
  abort: error: *certificate verify failed* (glob)
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
    55
  [255]
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    56
#endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    57
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    58
#if no-sslcontext defaultcacerts
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    59
  $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
    60
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29499
diff changeset
    61
  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    62
  abort: error: *certificate verify failed* (glob)
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    63
  [255]
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    64
#endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    65
29489
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
    66
#if no-sslcontext windows
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
    67
  $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
    68
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29489
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
    69
  (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
    70
  abort: error: *certificate verify failed* (glob)
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
    71
  [255]
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
    72
#endif
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
    73
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    74
#if no-sslcontext osx
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    75
  $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
    76
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    77
  (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    78
  abort: localhost certificate error: no certificate received
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
    79
  (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    80
  [255]
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    81
#endif
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    82
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    83
#if defaultcacertsloaded
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    84
  $ hg clone https://localhost:$HGPORT/ copy-pull
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
    85
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29499
diff changeset
    86
  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    87
  abort: error: *certificate verify failed* (glob)
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    88
  [255]
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    89
#endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    90
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
    91
#if no-defaultcacerts
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
    92
  $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
    93
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
    94
  (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
    95
  abort: localhost certificate error: no certificate received
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
    96
  (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
    97
  [255]
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
    98
#endif
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
    99
31766
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31747
diff changeset
   100
Specifying a per-host certificate file that doesn't exist will abort.  The full
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31747
diff changeset
   101
C:/path/to/msysroot will print on Windows.
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   102
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   103
  $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   104
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31766
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31747
diff changeset
   105
  abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   106
  [255]
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   107
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   108
A malformed per-host certificate file will raise an error
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   109
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   110
  $ echo baddata > badca.pem
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   111
#if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   112
  $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   113
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   114
  abort: error loading CA file badca.pem: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   115
  (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   116
  [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   117
#else
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   118
  $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   119
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29356
93b83ef78d1e tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents: 29334
diff changeset
   120
  abort: error: * (glob)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   121
  [255]
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   122
#endif
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   123
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   124
A per-host certificate mismatching the server will fail verification
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   125
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   126
(modern ssl is able to discern whether the loaded cert is a CA cert)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   127
#if sslcontext
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   128
  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   129
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   130
  (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   131
  abort: error: *certificate verify failed* (glob)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   132
  [255]
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   133
#else
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   134
  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   135
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   136
  abort: error: *certificate verify failed* (glob)
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   137
  [255]
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
   138
#endif
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   139
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   140
A per-host certificate matching the server's cert will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   141
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   142
  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   143
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   144
  requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   145
  adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   146
  adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   147
  adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   148
  added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   149
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   150
A per-host certificate with multiple certs and one matching will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   151
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   152
  $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   153
  $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   154
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   155
  requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   156
  adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   157
  adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   158
  adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   159
  added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   160
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   161
Defining both per-host certificate and a fingerprint will print a warning
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   162
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   163
  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   164
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   165
  (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   166
  requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   167
  adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   168
  adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   169
  adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   170
  added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
   171
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
   172
  $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
   173
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   174
Inability to verify peer certificate will result in abort
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
   175
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
   176
  $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   177
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   178
  abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   179
  (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   180
  [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   181
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   182
  $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   183
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   184
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   185
  requesting all changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   186
  adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   187
  adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   188
  adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   189
  added 1 changesets with 4 changes to 4 files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   190
  updating to branch default
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   191
  4 files updated, 0 files merged, 0 files removed, 0 files unresolved
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   192
  $ hg verify -R copy-pull
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   193
  checking changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   194
  checking manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   195
  crosschecking files in changesets and manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   196
  checking files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   197
  4 files, 1 changesets, 4 total revisions
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   198
  $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   199
  $ echo bar > bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   200
  $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   201
  adding bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   202
  $ cd ..
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
   203
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   204
pull without cacert
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   205
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   206
  $ cd copy-pull
30234
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
   207
  $ cat >> .hg/hgrc <<EOF
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
   208
  > [hooks]
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
   209
  > changegroup = sh -c "printenv.py changegroup"
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
   210
  > EOF
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
   211
  $ hg pull $DISABLECACERTS
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   212
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   213
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   214
  abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   215
  (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   216
  [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   217
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   218
  $ hg pull --insecure
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   219
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   220
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
   221
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   222
  searching for changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   223
  adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   224
  adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   225
  adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   226
  added 1 changesets with 1 changes to 1 files
31747
aff7b32b3c05 hook: add hook name information to external hook
Pierre-Yves David <pierre-yves.david@ens-lyon.org>
parents: 31746
diff changeset
   227
  changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   228
  (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
   229
  $ cd ..
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   230
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   231
cacert configured in local repo
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   232
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   233
  $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   234
  $ echo "[web]" >> copy-pull/.hg/hgrc
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   235
  $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
29842
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
   236
  $ hg -R copy-pull pull
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   237
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   238
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   239
  searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   240
  no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   241
  $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   242
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
   243
cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
   244
variables in the filename
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   245
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   246
  $ echo "[web]" >> $HGRCPATH
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
   247
  $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   248
  $ P="$CERTSDIR" hg -R copy-pull pull
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   249
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   250
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   251
  searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   252
  no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   253
  $ P="$CERTSDIR" hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   254
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   255
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
   256
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
   257
  searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
   258
  no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   259
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   260
empty cacert file
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   261
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   262
  $ touch emptycafile
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   263
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   264
#if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   265
  $ hg --config web.cacerts=emptycafile -R copy-pull pull
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   266
  pulling from https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   267
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   268
  abort: error loading CA file emptycafile: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   269
  (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   270
  [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   271
#else
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   272
  $ hg --config web.cacerts=emptycafile -R copy-pull pull
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   273
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   274
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   275
  abort: error: * (glob)
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   276
  [255]
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
   277
#endif
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
   278
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   279
cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
   280
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   281
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   282
  > https://$LOCALIP:$HGPORT/
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   283
  pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   284
  warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31813
68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents: 31768
diff changeset
   285
  abort: $LOCALIP certificate error: certificate is for localhost (glob)
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   286
  (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   287
  [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   288
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   289
  > https://$LOCALIP:$HGPORT/ --insecure
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   290
  pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   291
  warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31813
68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents: 31768
diff changeset
   292
  warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
   293
  searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
   294
  no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   295
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   296
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   297
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
   298
  abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   299
  [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   300
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   301
  > --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   302
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   303
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
   304
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
   305
  searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
   306
  no changes found
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   307
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   308
Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   309
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
   310
  $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   311
  $ cat hg1.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   312
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   313
  > https://localhost:$HGPORT1/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   314
  pulling from https://localhost:$HGPORT1/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   315
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
   316
  abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   317
  [255]
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   318
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   319
Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   320
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
   321
  $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   322
  $ cat hg2.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   323
  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   324
  > https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   325
  pulling from https://localhost:$HGPORT2/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   326
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
   327
  abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
   328
  [255]
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   329
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   330
Disabling the TLS 1.0 warning works
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   331
  $ hg -R copy-pull id https://localhost:$HGPORT/ \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   332
  > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   333
  > --config hostsecurity.disabletls10warning=true
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   334
  5fed3813f7f5
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   335
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   336
#if no-sslcontext no-py27+
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   337
Setting ciphers doesn't work in Python 2.6
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   338
  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   339
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   340
  abort: setting ciphers in [hostsecurity] is not supported by this version of Python
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   341
  (remove the config option or run Mercurial with a modern Python version (preferred))
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   342
  [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   343
#endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   344
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   345
Setting ciphers works in Python 2.7+ but the error message is different on
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   346
legacy ssl. We test legacy once and do more feature checking on modern
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   347
configs.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   348
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   349
#if py27+ no-sslcontext
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   350
  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   351
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   352
  abort: *No cipher can be selected. (glob)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   353
  [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   354
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   355
  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   356
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   357
  5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   358
#endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   359
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   360
#if sslcontext
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   361
Setting ciphers to an invalid value aborts
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   362
  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   363
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   364
  abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   365
  (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   366
  [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   367
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   368
  $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   369
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   370
  abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   371
  (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   372
  [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   373
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   374
Changing the cipher string works
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   375
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   376
  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   377
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   378
  5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   379
#endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
   380
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   381
Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   382
30332
318a24b52eeb spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents: 30234
diff changeset
   383
- works without cacerts (hostfingerprints)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   384
  $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   385
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
   386
  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   387
  5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   388
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   389
- works without cacerts (hostsecurity)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   390
  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   391
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   392
  5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   393
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   394
  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   395
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   396
  5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   397
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   398
- multiple fingerprints specified and first matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   399
  $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   400
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
   401
  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   402
  5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   403
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   404
  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   405
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   406
  5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   407
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   408
- multiple fingerprints specified and last matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   409
  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   410
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
   411
  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   412
  5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   413
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   414
  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   415
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   416
  5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   417
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   418
- multiple fingerprints specified and none match
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   419
28847
3e576fe66715 tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents: 28549
diff changeset
   420
  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   421
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   422
  abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   423
  (check hostfingerprint configuration)
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   424
  [255]
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
   425
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   426
  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   427
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   428
  abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29268
f200b58497f1 sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29267
diff changeset
   429
  (check hostsecurity configuration)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   430
  [255]
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
   431
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   432
- fails when cert doesn't match hostname (port is ignored)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   433
  $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   434
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
   435
  abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
15997
a45516cb8d9f sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents: 15814
diff changeset
   436
  (check hostfingerprint configuration)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   437
  [255]
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   438
18588
3241fc65e3cd test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents: 18354
diff changeset
   439
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   440
- ignores that certificate doesn't match hostname
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   441
  $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   442
  warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
   443
  (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
   444
  5fed3813f7f5
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   445
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   446
Ports used by next test. Kill servers.
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   447
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   448
  $ killdaemons.py hg0.pid
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
   449
  $ killdaemons.py hg1.pid
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   450
  $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   451
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   452
#if sslcontext tls1.2
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   453
Start servers running supported TLS versions
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   454
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   455
  $ cd test
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   456
  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   457
  > --config devel.serverexactprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   458
  $ cat ../hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   459
  $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   460
  > --config devel.serverexactprotocol=tls1.1
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   461
  $ cat ../hg1.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   462
  $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   463
  > --config devel.serverexactprotocol=tls1.2
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   464
  $ cat ../hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   465
  $ cd ..
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   466
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   467
Clients talking same TLS versions work
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   468
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   469
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   470
  5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   471
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   472
  5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   473
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   474
  5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   475
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   476
Clients requiring newer TLS version than what server supports fail
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   477
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
   478
  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   479
  (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   480
  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   481
  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
   482
  abort: error: *unsupported protocol* (glob)
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
   483
  [255]
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
   484
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   485
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   486
  (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   487
  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   488
  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   489
  abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   490
  [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   491
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   492
  (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   493
  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   494
  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   495
  abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   496
  [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   497
  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   498
  (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   499
  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   500
  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   501
  abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   502
  [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   503
29617
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
   504
--insecure will allow TLS 1.0 connections and override configs
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
   505
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
   506
  $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
   507
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
   508
  5fed3813f7f5
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
   509
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   510
The per-host config option overrides the default
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   511
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   512
  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   513
  > --config hostsecurity.minimumprotocol=tls1.2 \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   514
  > --config hostsecurity.localhost:minimumprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   515
  5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   516
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   517
The per-host config option by itself works
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   518
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   519
  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   520
  > --config hostsecurity.localhost:minimumprotocol=tls1.2
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   521
  (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   522
  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   523
  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   524
  abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   525
  [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   526
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   527
.hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   528
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   529
  $ cat >> copy-pull/.hg/hgrc << EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   530
  > [hostsecurity]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   531
  > localhost:minimumprotocol=tls1.2
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   532
  > EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   533
  $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   534
  (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   535
  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
   536
  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29635
dee24c87dbf0 tests: glob over ssl error
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29619
diff changeset
   537
  abort: error: *unsupported protocol* (glob)
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   538
  [255]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
   539
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   540
  $ killdaemons.py hg0.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   541
  $ killdaemons.py hg1.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   542
  $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   543
#endif
16300
74e114ac6ec1 tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents: 16107
diff changeset
   544
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   545
Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   546
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   547
  $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   548
  $ cat hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   549
  $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   550
  $ cat hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   551
tinyproxy.py doesn't fully detach, so killing it may result in extra output
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
   552
from the shell. So don't kill it.
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
   553
  $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496
abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents: 16300
diff changeset
   554
  $ while [ ! -f proxy.pid ]; do sleep 0; done
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   555
  $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   556
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   557
  $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   558
  $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   559
  $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   560
  $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   561
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   562
Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   563
29842
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
   564
  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   565
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   566
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
   567
  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   568
  searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   569
  no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   570
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   571
Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   572
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   573
  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   574
  > --config web.cacerts="$CERTSDIR/pub.pem"
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   575
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   576
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   577
  searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   578
  no changes found
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   579
  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   580
  pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
   581
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
   582
  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   583
  searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   584
  no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   585
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   586
Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
   587
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   588
  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   589
  > --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   590
  pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   591
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
   592
  abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
   593
  [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   594
  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   595
  > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
   596
  pulling from https://localhost:$HGPORT2/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
   597
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
   598
  abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
   599
  [255]
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   600
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   601
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
   602
  $ killdaemons.py hg0.pid
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   603
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   604
#if sslcontext
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   605
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
   606
Start hgweb that requires client certificates:
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   607
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   608
  $ cd test
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   609
  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
   610
  > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   611
  $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   612
  $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   613
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   614
without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   615
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   616
  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   617
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   618
  abort: error: *handshake failure* (glob)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   619
  [255]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   620
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   621
with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   622
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   623
  $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   624
  > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   625
  > l.prefix = localhost
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   626
  > l.cert = $CERTSDIR/client-cert.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   627
  > l.key = $CERTSDIR/client-key.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   628
  > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   629
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   630
  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   631
  > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   632
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   633
  5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   634
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   635
  $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
   636
  > --config ui.interactive=True --config ui.nontty=True
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   637
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   638
  passphrase for */client-key.pem: 5fed3813f7f5 (glob)
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
   639
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
   640
  $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
   641
  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
   642
  abort: error: * (glob)
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
   643
  [255]
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
   644
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
   645
#endif