Mercurial > hg
annotate tests/test-https.t @ 45029:1fdc8cbd5fb8 stable
Added signature for changeset 0ea9c86fac89
author | Pulkit Goyal <7895pulkit@gmail.com> |
---|---|
date | Wed, 01 Jul 2020 23:30:47 +0530 |
parents | e0ac310bd033 |
children | ab5348bbc55e |
rev | line source |
---|---|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
1 #require serve ssl |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
3 Proper https client requires the built-in ssl from Python 2.6. |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
4 |
41974
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
5 Disable the system configuration which may set stricter TLS requirements. |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
6 This test expects that legacy TLS versions are supported. |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
7 |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
8 $ OPENSSL_CONF= |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
9 $ export OPENSSL_CONF |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
10 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
11 Make server certificates: |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
12 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
13 $ CERTSDIR="$TESTDIR/sslcerts" |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
15 $ PRIV=`pwd`/server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
18 |
12446 | 19 $ hg init test |
20 $ cd test | |
21 $ echo foo>foo | |
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg | |
23 $ echo foo>foo.d/foo | |
24 $ echo bar>foo.d/bAr.hg.d/BaR | |
25 $ echo bar>foo.d/baR.d.hg/bAR | |
26 $ hg commit -A -m 1 | |
27 adding foo | |
28 adding foo.d/bAr.hg.d/BaR | |
29 adding foo.d/baR.d.hg/bAR | |
30 adding foo.d/foo | |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
32 $ cat ../hg0.pid >> $DAEMON_PIDS |
12446 | 33 |
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
34 cacert not found |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
35 |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
37 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
38 abort: could not find web.cacerts: no-such.pem |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
39 [255] |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
40 |
12446 | 41 Test server address cannot be reused |
4289
e17598881509
test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents:
4130
diff
changeset
|
42 |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
43 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
35233
1b22d325089c
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents:
34661
diff
changeset
|
44 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$ |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
45 [255] |
35233
1b22d325089c
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents:
34661
diff
changeset
|
46 |
12446 | 47 $ cd .. |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
48 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
49 Our test cert is not signed by a trusted CA. It should fail to verify if |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
50 we are able to load CA certs. |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
51 |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
52 #if sslcontext defaultcacerts no-defaultcacertsloaded |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
53 $ hg clone https://localhost:$HGPORT/ copy-pull |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
55 abort: error: *certificate verify failed* (glob) |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
56 [255] |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
57 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
58 |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
59 #if no-sslcontext defaultcacerts |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
60 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29500
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
63 abort: error: *certificate verify failed* (glob) |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
64 [255] |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
65 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
66 |
29489
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
67 #if no-sslcontext windows |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
68 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
69 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
29489
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
70 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
71 abort: error: *certificate verify failed* (glob) |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
72 [255] |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
73 #endif |
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
74 |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
75 #if no-sslcontext osx |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
76 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
77 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
78 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
79 abort: localhost certificate error: no certificate received |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
80 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
81 [255] |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
82 #endif |
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
83 |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
84 #if defaultcacertsloaded |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
85 $ hg clone https://localhost:$HGPORT/ copy-pull |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
86 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29500
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
87 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
88 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
89 abort: error: *certificate verify failed* (glob) |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
90 [255] |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
91 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
92 |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
93 #if no-defaultcacerts |
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
94 $ hg clone https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
95 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
96 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
97 abort: localhost certificate error: no certificate received |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
98 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
99 [255] |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
100 #endif |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
101 |
31766
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
102 Specifying a per-host certificate file that doesn't exist will abort. The full |
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
103 C:/path/to/msysroot will print on Windows. |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
104 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
105 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
106 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
31766
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
107 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
108 [255] |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
109 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
110 A malformed per-host certificate file will raise an error |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
111 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
112 $ echo baddata > badca.pem |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
113 #if sslcontext |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
114 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
115 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
116 abort: error loading CA file badca.pem: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
117 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
118 [255] |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
119 #else |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
120 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
121 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29356
93b83ef78d1e
tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents:
29334
diff
changeset
|
122 abort: error: * (glob) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
123 [255] |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
124 #endif |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
125 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
126 A per-host certificate mismatching the server will fail verification |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
127 |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
128 (modern ssl is able to discern whether the loaded cert is a CA cert) |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
129 #if sslcontext |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
130 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
131 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
132 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
133 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
134 abort: error: *certificate verify failed* (glob) |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
135 [255] |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
136 #else |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
137 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
138 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
139 abort: error: *certificate verify failed* (glob) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
140 [255] |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
141 #endif |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
142 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
143 A per-host certificate matching the server's cert will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
144 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
145 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
146 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
147 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
148 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
149 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
150 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
151 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
152 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
153 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
154 A per-host certificate with multiple certs and one matching will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
155 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
156 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
157 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
158 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
159 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
160 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
161 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
162 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
163 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
164 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
165 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
166 Defining both per-host certificate and a fingerprint will print a warning |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
167 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
168 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
169 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
170 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
171 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
172 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
173 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
174 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
175 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
176 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
177 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
178 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
179 |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
180 Inability to verify peer certificate will result in abort |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
181 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
182 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
184 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
185 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
186 [255] |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
187 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
188 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
189 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
190 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 191 requesting all changes |
192 adding changesets | |
193 adding manifests | |
194 adding file changes | |
195 added 1 changesets with 4 changes to 4 files | |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
196 new changesets 8b6053c928fe |
12446 | 197 updating to branch default |
198 4 files updated, 0 files merged, 0 files removed, 0 files unresolved | |
199 $ hg verify -R copy-pull | |
200 checking changesets | |
201 checking manifests | |
202 crosschecking files in changesets and manifests | |
203 checking files | |
39489
f1186c292d03
verify: make output less confusing (issue5924)
Meirambek Omyrzak <meirambek77@gmail.com>
parents:
35233
diff
changeset
|
204 checked 1 changesets with 4 changes to 4 files |
12446 | 205 $ cd test |
206 $ echo bar > bar | |
207 $ hg commit -A -d '1 0' -m 2 | |
208 adding bar | |
209 $ cd .. | |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
210 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
211 pull without cacert |
12446 | 212 |
213 $ cd copy-pull | |
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
214 $ cat >> .hg/hgrc <<EOF |
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
215 > [hooks] |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
216 > changegroup = sh -c "printenv.py --line changegroup" |
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
217 > EOF |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
218 $ hg pull $DISABLECACERTS |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
219 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
221 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
222 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
223 [255] |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
224 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
225 $ hg pull --insecure |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
226 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
227 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
228 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 229 searching for changes |
230 adding changesets | |
231 adding manifests | |
232 adding file changes | |
233 added 1 changesets with 1 changes to 1 files | |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
234 new changesets 5fed3813f7f5 |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
235 changegroup hook: HG_HOOKNAME=changegroup |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
236 HG_HOOKTYPE=changegroup |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
237 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
238 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
239 HG_SOURCE=pull |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
240 HG_TXNID=TXN:$ID$ |
41896
94faa2e84094
transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
41641
diff
changeset
|
241 HG_TXNNAME=pull |
94faa2e84094
transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
41641
diff
changeset
|
242 https://localhost:$HGPORT/ |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
243 HG_URL=https://localhost:$HGPORT/ |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
244 |
12446 | 245 (run 'hg update' to get a working copy) |
246 $ cd .. | |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
247 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
248 cacert configured in local repo |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
249 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
250 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
251 $ echo "[web]" >> copy-pull/.hg/hgrc |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
252 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
253 $ hg -R copy-pull pull |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
254 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
256 searching for changes |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
257 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
258 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
259 |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
260 cacert configured globally, also testing expansion of environment |
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
261 variables in the filename |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
262 |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
263 $ echo "[web]" >> $HGRCPATH |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
264 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
265 $ P="$CERTSDIR" hg -R copy-pull pull |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
266 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
268 searching for changes |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
269 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
270 $ P="$CERTSDIR" hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
271 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
272 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
273 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
274 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
275 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
276 |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
277 empty cacert file |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
278 |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
279 $ touch emptycafile |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
280 |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
281 #if sslcontext |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
282 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
283 pulling from https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
284 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
285 abort: error loading CA file emptycafile: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
286 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
287 [255] |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
288 #else |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
289 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
290 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
291 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
292 abort: error: * (glob) |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
293 [255] |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
294 #endif |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
295 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
296 cacert mismatch |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
297 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
298 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31008 | 299 > https://$LOCALIP:$HGPORT/ |
300 pulling from https://*:$HGPORT/ (glob) | |
301 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31768
diff
changeset
|
302 abort: $LOCALIP certificate error: certificate is for localhost (glob) |
31008 | 303 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
304 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
305 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31008 | 306 > https://$LOCALIP:$HGPORT/ --insecure |
307 pulling from https://*:$HGPORT/ (glob) | |
308 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31768
diff
changeset
|
309 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
310 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
311 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
313 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
314 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
315 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
316 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
317 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
318 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
319 > --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
320 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
321 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
322 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
323 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
324 no changes found |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
325 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
326 Test server cert which isn't valid yet |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
327 |
28549 | 328 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
329 $ cat hg1.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
330 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
331 > https://localhost:$HGPORT1/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
332 pulling from https://localhost:$HGPORT1/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
333 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
334 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
335 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
336 [255] |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
337 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
338 Test server cert which no longer is valid |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
339 |
28549 | 340 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
341 $ cat hg2.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
342 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
343 > https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
344 pulling from https://localhost:$HGPORT2/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
345 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
346 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
347 abort: error: *certificate verify failed* (glob) |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
348 [255] |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
349 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
350 Disabling the TLS 1.0 warning works |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
351 $ hg -R copy-pull id https://localhost:$HGPORT/ \ |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
352 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \ |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
353 > --config hostsecurity.disabletls10warning=true |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
354 5fed3813f7f5 |
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
355 |
32234
ab89d2f7dc9a
tests: remove test targeting Python 2.6
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31813
diff
changeset
|
356 Error message for setting ciphers is different depending on SSLContext support |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
357 |
32234
ab89d2f7dc9a
tests: remove test targeting Python 2.6
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31813
diff
changeset
|
358 #if no-sslcontext |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
359 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
360 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
361 abort: *No cipher can be selected. (glob) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
362 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
363 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
364 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
365 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
366 5fed3813f7f5 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
367 #endif |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
368 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
369 #if sslcontext |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
370 Setting ciphers to an invalid value aborts |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
371 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
372 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
373 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
374 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
375 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
376 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
377 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
378 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
379 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
380 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
381 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
382 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
383 Changing the cipher string works |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
384 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
385 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
386 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
387 5fed3813f7f5 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
388 #endif |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
389 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
390 Fingerprints |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
391 |
30332
318a24b52eeb
spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents:
30234
diff
changeset
|
392 - works without cacerts (hostfingerprints) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
393 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
395 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
396 5fed3813f7f5 |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
397 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
398 - works without cacerts (hostsecurity) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
399 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
401 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
402 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
403 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
405 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
406 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
407 - multiple fingerprints specified and first matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
408 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
409 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
410 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
411 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
412 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
413 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
414 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
415 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
416 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
417 - multiple fingerprints specified and last matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
418 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
419 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
420 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
421 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
422 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
423 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
424 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
425 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
426 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
427 - multiple fingerprints specified and none match |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
428 |
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
429 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
430 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
431 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
432 (check hostfingerprint configuration) |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
433 [255] |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
434 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
435 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
436 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
437 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
438 (check hostsecurity configuration) |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
439 [255] |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
440 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
441 - fails when cert doesn't match hostname (port is ignored) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
442 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
443 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
444 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
445 (check hostfingerprint configuration) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
446 [255] |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
447 |
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
448 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
449 - ignores that certificate doesn't match hostname |
31008 | 450 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
451 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
452 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
453 5fed3813f7f5 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
454 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
455 Ports used by next test. Kill servers. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
456 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
457 $ killdaemons.py hg0.pid |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
458 $ killdaemons.py hg1.pid |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
459 $ killdaemons.py hg2.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
460 |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
461 #if sslcontext tls1.2 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
462 Start servers running supported TLS versions |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
463 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
464 $ cd test |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
465 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
466 > --config devel.serverexactprotocol=tls1.0 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
467 $ cat ../hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
468 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
469 > --config devel.serverexactprotocol=tls1.1 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
470 $ cat ../hg1.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
471 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
472 > --config devel.serverexactprotocol=tls1.2 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
473 $ cat ../hg2.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
474 $ cd .. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
475 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
476 Clients talking same TLS versions work |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
477 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
478 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
479 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
481 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
482 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
483 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
484 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
485 Clients requiring newer TLS version than what server supports fail |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
486 |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
487 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
488 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
489 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
490 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
491 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
492 [255] |
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
493 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
494 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
495 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
496 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
497 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
498 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
499 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
500 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
501 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
502 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
503 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
504 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
505 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
506 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
507 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
508 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
509 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
510 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
511 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
512 |
29617
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
513 --insecure will allow TLS 1.0 connections and override configs |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
514 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
515 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
516 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
517 5fed3813f7f5 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
518 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
519 The per-host config option overrides the default |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
520 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
521 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
522 > --config hostsecurity.minimumprotocol=tls1.2 \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
523 > --config hostsecurity.localhost:minimumprotocol=tls1.0 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
524 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
525 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
526 The per-host config option by itself works |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
527 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
528 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
529 > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
530 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
531 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
532 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
533 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
534 [255] |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
535 |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
536 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
537 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
538 $ cat >> copy-pull/.hg/hgrc << EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
539 > [hostsecurity] |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
540 > localhost:minimumprotocol=tls1.2 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
541 > EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
542 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
543 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
544 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
545 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
42350
e0ac310bd033
tests: work around libressl being different about error strings (issue6122)
Augie Fackler <augie@google.com>
parents:
41985
diff
changeset
|
546 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
547 [255] |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
548 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
549 $ killdaemons.py hg0.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
550 $ killdaemons.py hg1.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
551 $ killdaemons.py hg2.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
552 #endif |
16300
74e114ac6ec1
tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents:
16107
diff
changeset
|
553 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
554 Prepare for connecting through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
555 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
556 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
557 $ cat hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
558 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
559 $ cat hg2.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
560 tinyproxy.py doesn't fully detach, so killing it may result in extra output |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
561 from the shell. So don't kill it. |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
562 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
16496
abbabbbe4ec2
tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents:
16300
diff
changeset
|
563 $ while [ ! -f proxy.pid ]; do sleep 0; done |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
564 $ cat proxy.pid >> $DAEMON_PIDS |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
565 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
566 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
567 $ echo "always=True" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
568 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
569 $ echo "localhost =" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
570 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
571 Test unvalidated https through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
572 |
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
574 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
575 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
576 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
577 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
578 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
579 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
580 Test https with cacert and fingerprint through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
581 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
582 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
583 > --config web.cacerts="$CERTSDIR/pub.pem" |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
584 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
585 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
586 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
587 no changes found |
31008 | 588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace |
589 pulling from https://*:$HGPORT/ (glob) | |
590 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
591 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
592 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
593 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
594 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
595 Test https with cert problems through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
596 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
597 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
598 > --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
599 pulling from https://localhost:$HGPORT/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
600 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
601 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
602 abort: error: *certificate verify failed* (glob) |
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
603 [255] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
604 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
605 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
606 pulling from https://localhost:$HGPORT2/ |
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
607 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
608 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
609 abort: error: *certificate verify failed* (glob) |
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
610 [255] |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
611 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
612 |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
613 $ killdaemons.py hg0.pid |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
614 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
615 #if sslcontext |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
616 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
617 $ cd test |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
618 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
619 Missing certificate file(s) are detected |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
620 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
621 $ hg serve -p $HGPORT --certificate=/missing/certificate \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
622 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
623 abort: referenced certificate file (*/missing/certificate) does not exist (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
624 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
625 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
626 $ hg serve -p $HGPORT --certificate=$PRIV \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
627 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
628 abort: referenced certificate file (*/missing/cafile) does not exist (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
629 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
630 |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
631 Start hgweb that requires client certificates: |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
632 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
633 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
634 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
635 $ cat ../hg0.pid >> $DAEMON_PIDS |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
636 $ cd .. |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
637 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
638 without client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
639 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
640 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
41975
406519302520
test-https: add some more known failure messages of client certs (issue6030)
Yuya Nishihara <yuya@tcha.org>
parents:
41974
diff
changeset
|
642 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re) |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
643 [255] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
644 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
645 with client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
646 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
647 $ cat << EOT >> $HGRCPATH |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
648 > [auth] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
649 > l.prefix = localhost |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
650 > l.cert = $CERTSDIR/client-cert.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
651 > l.key = $CERTSDIR/client-key.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
652 > EOT |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
653 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
654 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
655 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
656 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
657 5fed3813f7f5 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
658 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
659 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
660 > --config ui.interactive=True --config ui.nontty=True |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
661 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
662 passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
663 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
664 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
665 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
666 abort: error: * (glob) |
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
667 [255] |
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
668 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
669 Missing certficate and key files result in error |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
670 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
671 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
672 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
673 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
674 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
675 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
676 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
677 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
678 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
679 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
680 |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
681 #endif |