Mercurial > hg
annotate tests/test-https.t @ 52289:323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
AFAICT, all of the TLS versions are supported by the server without doing any
explicit work, and there's only a `devel` config to specify an exact version on
the server side. Clients would also use TLSv1.3 if available, but this prevents
the server from negotiating down. This also causes "tls1.3" to be listed in
`hg debuginstall`, even though it was previously supported (if the Python
intepreter supported it- IDK if there's a good way to proactively test for and
show future protocols without requiring manual updates like this).
The v1.3 tests are nested inside the v1.2 tests for simplicity. The v1.2 blocks
already assume v1.0 and v1.1 support, so this seems reasonable for now. If/when
the older protocols start getting dropped, this will have to be reworked anyway.
author | Matt Harbison <matt_harbison@yahoo.com> |
---|---|
date | Mon, 21 Dec 2020 20:21:46 -0500 |
parents | 73a43fe3e6fd |
children | e03bc88776d3 |
rev | line source |
---|---|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
1 #require serve ssl |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
3 Proper https client requires the built-in ssl from Python 2.6. |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
4 |
41974
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
5 Disable the system configuration which may set stricter TLS requirements. |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
6 This test expects that legacy TLS versions are supported. |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
7 |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
8 $ OPENSSL_CONF= |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
9 $ export OPENSSL_CONF |
4748938ee0c7
test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents:
39489
diff
changeset
|
10 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
11 Make server certificates: |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
12 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
13 $ CERTSDIR="$TESTDIR/sslcerts" |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
15 $ PRIV=`pwd`/server.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
18 |
12446 | 19 $ hg init test |
20 $ cd test | |
21 $ echo foo>foo | |
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg | |
23 $ echo foo>foo.d/foo | |
24 $ echo bar>foo.d/bAr.hg.d/BaR | |
25 $ echo bar>foo.d/baR.d.hg/bAR | |
26 $ hg commit -A -m 1 | |
27 adding foo | |
28 adding foo.d/bAr.hg.d/BaR | |
29 adding foo.d/baR.d.hg/bAR | |
30 adding foo.d/foo | |
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
32 $ cat ../hg0.pid >> $DAEMON_PIDS |
12446 | 33 |
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
34 cacert not found |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
35 |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
37 abort: could not find web.cacerts: no-such.pem |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
38 [255] |
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
39 |
12446 | 40 Test server address cannot be reused |
4289
e17598881509
test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents:
4130
diff
changeset
|
41 |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
35233
1b22d325089c
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents:
34661
diff
changeset
|
43 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$ |
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
44 [255] |
35233
1b22d325089c
tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents:
34661
diff
changeset
|
45 |
12446 | 46 $ cd .. |
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
47 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
48 Our test cert is not signed by a trusted CA. It should fail to verify if |
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
49 we are able to load CA certs. |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
50 |
44881
89f83e47e9c9
tests: remove "sslcontext" check
Manuel Jacob <me@manueljacob.de>
parents:
44879
diff
changeset
|
51 #if no-defaultcacertsloaded |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
52 $ hg clone https://localhost:$HGPORT/ copy-pull |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
54 abort: error: *certificate verify failed* (glob) |
45902
6da22a068281
tests: update test-https.t's #no-defaultcacertsloaded block with new exit code
Martin von Zweigbergk <martinvonz@google.com>
parents:
45839
diff
changeset
|
55 [100] |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
56 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
57 |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
58 #if defaultcacertsloaded |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
59 $ hg clone https://localhost:$HGPORT/ copy-pull |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
60 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
61 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
62 [100] |
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
63 #endif |
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
64 |
31766
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
65 Specifying a per-host certificate file that doesn't exist will abort. The full |
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
66 C:/path/to/msysroot will print on Windows. |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
67 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
68 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
31766
bdcaf612e75a
tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents:
31747
diff
changeset
|
69 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob) |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
70 [255] |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
71 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
72 A malformed per-host certificate file will raise an error |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
73 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
74 $ echo baddata > badca.pem |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
75 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
76 abort: error loading CA file badca.pem: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
77 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
78 [255] |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
79 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
80 A per-host certificate mismatching the server will fail verification |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
81 |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
82 (modern ssl is able to discern whether the loaded cert is a CA cert) |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
86 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
87 [100] |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
88 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
89 A per-host certificate matching the server's cert will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
90 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
92 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
93 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
94 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
95 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
96 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
97 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
98 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
99 A per-host certificate with multiple certs and one matching will be accepted |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
100 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
101 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
102 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
103 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
104 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
105 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
106 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
107 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
108 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
109 |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
110 Defining both per-host certificate and a fingerprint will print a warning |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
111 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
112 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
113 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
114 requesting all changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
115 adding changesets |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
116 adding manifests |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
117 adding file changes |
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
118 added 1 changesets with 4 changes to 4 files |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
119 new changesets 8b6053c928fe |
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
120 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
121 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
122 |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
123 Inability to verify peer certificate will result in abort |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
124 |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
128 [150] |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
129 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 132 requesting all changes |
133 adding changesets | |
134 adding manifests | |
135 adding file changes | |
136 added 1 changesets with 4 changes to 4 files | |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
137 new changesets 8b6053c928fe |
12446 | 138 updating to branch default |
139 4 files updated, 0 files merged, 0 files removed, 0 files unresolved | |
49825
2f2682f40ea0
tests: use the `--quiet` flag for verify when applicable
Raphaël Gomès <rgomes@octobus.net>
parents:
49525
diff
changeset
|
140 $ hg verify -R copy-pull -q |
12446 | 141 $ cd test |
142 $ echo bar > bar | |
143 $ hg commit -A -d '1 0' -m 2 | |
144 adding bar | |
145 $ cd .. | |
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
146 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
147 pull without cacert |
12446 | 148 |
149 $ cd copy-pull | |
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
150 $ cat >> .hg/hgrc <<EOF |
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
151 > [hooks] |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
152 > changegroup = sh -c "printenv.py --line changegroup" |
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
153 > EOF |
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
154 $ hg pull $DISABLECACERTS |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
155 pulling from https://localhost:$HGPORT/ |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
156 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
157 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
158 [150] |
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
159 |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
160 $ hg pull --insecure |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
161 pulling from https://localhost:$HGPORT/ |
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
162 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
12446 | 163 searching for changes |
164 adding changesets | |
165 adding manifests | |
166 adding file changes | |
167 added 1 changesets with 1 changes to 1 files | |
34661
eb586ed5d8ce
transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
33695
diff
changeset
|
168 new changesets 5fed3813f7f5 |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
169 changegroup hook: HG_HOOKNAME=changegroup |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
170 HG_HOOKTYPE=changegroup |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
171 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
172 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
173 HG_SOURCE=pull |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
174 HG_TXNID=TXN:$ID$ |
41896
94faa2e84094
transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
41641
diff
changeset
|
175 HG_TXNNAME=pull |
94faa2e84094
transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents:
41641
diff
changeset
|
176 https://localhost:$HGPORT/ |
41641
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
177 HG_URL=https://localhost:$HGPORT/ |
e857dbb02dc3
test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents:
39489
diff
changeset
|
178 |
12446 | 179 (run 'hg update' to get a working copy) |
180 $ cd .. | |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
181 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
182 cacert configured in local repo |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
183 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
184 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
185 $ echo "[web]" >> copy-pull/.hg/hgrc |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
186 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
187 $ hg -R copy-pull pull |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
188 pulling from https://localhost:$HGPORT/ |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
189 searching for changes |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
190 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
191 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
192 |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
193 cacert configured globally, also testing expansion of environment |
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
194 variables in the filename |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
195 |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
196 $ echo "[web]" >> $HGRCPATH |
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
197 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
198 $ P="$CERTSDIR" hg -R copy-pull pull |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
199 pulling from https://localhost:$HGPORT/ |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
200 searching for changes |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
201 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
202 $ P="$CERTSDIR" hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
203 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
204 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
205 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
206 no changes found |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
207 |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
208 empty cacert file |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
209 |
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
210 $ touch emptycafile |
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
211 |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
212 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
213 pulling from https://localhost:$HGPORT/ |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
214 abort: error loading CA file emptycafile: * (glob) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
215 (file is empty or malformed?) |
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
216 [255] |
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
217 |
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
218 cacert mismatch |
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
219 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
220 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31008 | 221 > https://$LOCALIP:$HGPORT/ |
222 pulling from https://*:$HGPORT/ (glob) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31768
diff
changeset
|
223 abort: $LOCALIP certificate error: certificate is for localhost (glob) |
31008 | 224 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
225 [150] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
226 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
31008 | 227 > https://$LOCALIP:$HGPORT/ --insecure |
228 pulling from https://*:$HGPORT/ (glob) | |
31813
68bd8cd381a3
tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents:
31768
diff
changeset
|
229 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
230 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
231 no changes found |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
232 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
233 pulling from https://localhost:$HGPORT/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
234 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
235 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
236 [100] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
238 > --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
239 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
240 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
241 searching for changes |
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
242 no changes found |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
243 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
244 Test server cert which isn't valid yet |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
245 |
28549 | 246 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
247 $ cat hg1.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
248 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
249 > https://localhost:$HGPORT1/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
250 pulling from https://localhost:$HGPORT1/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
251 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
252 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
253 [100] |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
254 |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
255 Test server cert which no longer is valid |
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
256 |
28549 | 257 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
258 $ cat hg2.pid >> $DAEMON_PIDS |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
259 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
260 > https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
261 pulling from https://localhost:$HGPORT2/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
262 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
263 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
264 [100] |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
265 |
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
266 Setting ciphers to an invalid value aborts |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
267 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
268 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
269 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
270 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
271 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
272 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
273 abort: could not set ciphers: No cipher can be selected. |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
274 (change cipher string (invalid) in config) |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
275 [255] |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
276 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
277 Changing the cipher string works |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
278 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
279 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
280 5fed3813f7f5 |
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
281 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
282 Fingerprints |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
283 |
30332
318a24b52eeb
spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents:
30234
diff
changeset
|
284 - works without cacerts (hostfingerprints) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
285 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
286 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
287 5fed3813f7f5 |
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
288 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
289 - works without cacerts (hostsecurity) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
291 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
292 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
293 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
294 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
295 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
296 - multiple fingerprints specified and first matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
297 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
298 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
299 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
300 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
301 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
302 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
303 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
304 - multiple fingerprints specified and last matches |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
305 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
306 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
307 5fed3813f7f5 |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
308 |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
309 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
310 5fed3813f7f5 |
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
311 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
312 - multiple fingerprints specified and none match |
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
313 |
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
314 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
315 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
316 (check hostfingerprint configuration) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
317 [150] |
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
318 |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
319 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
320 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
321 (check hostsecurity configuration) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
322 [150] |
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
323 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
324 - fails when cert doesn't match hostname (port is ignored) |
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
325 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
326 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
327 (check hostfingerprint configuration) |
45915
8f50dc096cf4
errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents:
45902
diff
changeset
|
328 [150] |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
329 |
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
330 |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
331 - ignores that certificate doesn't match hostname |
31008 | 332 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
333 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
334 5fed3813f7f5 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
335 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
336 Ports used by next test. Kill servers. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
337 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
338 $ killdaemons.py hg0.pid |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
339 $ killdaemons.py hg1.pid |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
340 $ killdaemons.py hg2.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
341 |
44881
89f83e47e9c9
tests: remove "sslcontext" check
Manuel Jacob <me@manueljacob.de>
parents:
44879
diff
changeset
|
342 #if tls1.2 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
343 Start servers running supported TLS versions |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
344 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
345 $ cd test |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
346 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
50341
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49825
diff
changeset
|
347 > --config devel.server-insecure-exact-protocol=tls1.0 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
348 $ cat ../hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
349 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ |
50341
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49825
diff
changeset
|
350 > --config devel.server-insecure-exact-protocol=tls1.1 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
351 $ cat ../hg1.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
352 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ |
50341
698ffff7024b
configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents:
49825
diff
changeset
|
353 > --config devel.server-insecure-exact-protocol=tls1.2 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
354 $ cat ../hg2.pid >> $DAEMON_PIDS |
52289
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
355 #if tls1.3 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
356 $ hg serve -p $HGPORT3 -d --pid-file=../hg3.pid --certificate=$PRIV \ |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
357 > --config devel.server-insecure-exact-protocol=tls1.3 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
358 $ cat ../hg3.pid >> $DAEMON_PIDS |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
359 #endif |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
360 $ cd .. |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
361 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
362 Clients talking same TLS versions work |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
363 |
50342
c54e9bb5737e
sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents:
50341
diff
changeset
|
364 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT/ |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
365 5fed3813f7f5 |
50342
c54e9bb5737e
sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents:
50341
diff
changeset
|
366 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT1/ |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
367 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
368 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
369 5fed3813f7f5 |
52289
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
370 #if tls1.3 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
371 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT3/ |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
372 5fed3813f7f5 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
373 #endif |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
374 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
375 Clients requiring newer TLS version than what server supports fail |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
376 |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
377 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
378 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
379 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
380 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
49057
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49056
diff
changeset
|
381 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
382 [100] |
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
383 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
384 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
385 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
386 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
387 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
49057
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49056
diff
changeset
|
388 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
389 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
390 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
391 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
392 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
393 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
49057
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49056
diff
changeset
|
394 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
395 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
396 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
397 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
398 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
399 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
49057
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49056
diff
changeset
|
400 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
401 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
402 |
52289
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
403 #if tls1.3 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
404 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT/ |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
405 (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
406 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
407 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
408 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
409 [100] |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
410 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT1/ |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
411 (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
412 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
413 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
414 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
415 [100] |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
416 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT2/ |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
417 (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
418 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
419 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
420 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
421 [100] |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
422 #endif |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
423 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
424 |
29617
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
425 --insecure will allow TLS 1.0 connections and override configs |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
426 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
427 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
428 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
429 5fed3813f7f5 |
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
430 |
52289
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
431 #if tls1.3 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
432 $ hg --config hostsecurity.minimumprotocol=tls1.3 id --insecure https://localhost:$HGPORT2/ |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
433 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
434 5fed3813f7f5 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
435 #endif |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
436 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
437 The per-host config option overrides the default |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
438 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
439 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
50342
c54e9bb5737e
sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents:
50341
diff
changeset
|
440 > --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" \ |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
441 > --config hostsecurity.minimumprotocol=tls1.2 \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
442 > --config hostsecurity.localhost:minimumprotocol=tls1.0 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
443 5fed3813f7f5 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
444 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
445 The per-host config option by itself works |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
446 |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
447 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
448 > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
449 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
450 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
451 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
49057
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49056
diff
changeset
|
452 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
453 [100] |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
454 |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
455 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
456 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
457 $ cat >> copy-pull/.hg/hgrc << EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
458 > [hostsecurity] |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
459 > localhost:minimumprotocol=tls1.2 |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
460 > EOF |
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
461 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
462 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
463 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
464 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
49057
27ef2aa953dd
sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents:
49056
diff
changeset
|
465 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
466 [100] |
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
467 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
468 $ killdaemons.py hg0.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
469 $ killdaemons.py hg1.pid |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
470 $ killdaemons.py hg2.pid |
52289
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
471 #if tls1.3 |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
472 $ killdaemons.py hg3.pid |
323e3626929a
sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents:
51942
diff
changeset
|
473 #endif |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
474 #endif |
16300
74e114ac6ec1
tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents:
16107
diff
changeset
|
475 |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
476 Prepare for connecting through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
477 |
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
478 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
479 $ cat hg0.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
480 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
481 $ cat hg2.pid >> $DAEMON_PIDS |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
482 tinyproxy.py doesn't fully detach, so killing it may result in extra output |
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
483 from the shell. So don't kill it. |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
484 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
16496
abbabbbe4ec2
tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents:
16300
diff
changeset
|
485 $ while [ ! -f proxy.pid ]; do sleep 0; done |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
486 $ cat proxy.pid >> $DAEMON_PIDS |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
487 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
488 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
489 $ echo "always=True" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
490 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
491 $ echo "localhost =" >> copy-pull/.hg/hgrc |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
492 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
493 Test unvalidated https through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
494 |
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
495 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
496 pulling from https://localhost:$HGPORT/ |
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
497 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
498 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
499 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
500 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
501 Test https with cacert and fingerprint through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
502 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
503 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
504 > --config web.cacerts="$CERTSDIR/pub.pem" |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
505 pulling from https://localhost:$HGPORT/ |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
506 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
507 no changes found |
31008 | 508 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace |
509 pulling from https://*:$HGPORT/ (glob) | |
32273
2e455cbeac50
sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32245
diff
changeset
|
510 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
511 searching for changes |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
512 no changes found |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
513 |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
514 Test https with cert problems through proxy |
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
515 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
516 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
517 > --config web.cacerts="$CERTSDIR/pub-other.pem" |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
518 pulling from https://localhost:$HGPORT/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
519 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
520 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
521 [100] |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
522 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
523 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
524 pulling from https://localhost:$HGPORT2/ |
33494
30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents:
33422
diff
changeset
|
525 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
526 abort: error: *certificate verify failed* (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
527 [100] |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
528 |
49277
51b07ac1991c
url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents:
45915
diff
changeset
|
529 Test when proxy can't connect to server |
51b07ac1991c
url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents:
45915
diff
changeset
|
530 |
51b07ac1991c
url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents:
45915
diff
changeset
|
531 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure https://localhost:0/ |
51b07ac1991c
url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents:
45915
diff
changeset
|
532 pulling from https://localhost:0/ |
51942
73a43fe3e6fd
tests: use pattern matching to mask `ECONNREFUSED` messages
Matt Harbison <matt_harbison@yahoo.com>
parents:
50342
diff
changeset
|
533 abort: error: Tunnel connection failed: 404 (\$ECONNREFUSED\$|\$EADDRNOTAVAIL\$) (re) |
49277
51b07ac1991c
url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents:
45915
diff
changeset
|
534 [100] |
51b07ac1991c
url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents:
45915
diff
changeset
|
535 |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
536 |
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
537 $ killdaemons.py hg0.pid |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
538 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
539 $ cd test |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
540 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
541 Missing certificate file(s) are detected |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
542 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
543 $ hg serve -p $HGPORT --certificate=/missing/certificate \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
544 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
545 abort: referenced certificate file (*/missing/certificate) does not exist (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
546 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
547 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
548 $ hg serve -p $HGPORT --certificate=$PRIV \ |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
549 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
550 abort: referenced certificate file (*/missing/cafile) does not exist (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
551 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
552 |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
553 Start hgweb that requires client certificates: |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
554 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
555 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
556 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
557 $ cat ../hg0.pid >> $DAEMON_PIDS |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
558 $ cd .. |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
559 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
560 without client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
561 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
562 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
49058
d8a38186a092
test: accept another error message on lack of TLS client certificate
Julien Cristau <jcristau@debian.org>
parents:
49057
diff
changeset
|
563 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure|EOF occurred).* (re) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
564 [100] |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
565 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
566 with client certificate: |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
567 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
568 $ cat << EOT >> $HGRCPATH |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
569 > [auth] |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
570 > l.prefix = localhost |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
571 > l.cert = $CERTSDIR/client-cert.pem |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
572 > l.key = $CERTSDIR/client-key.pem |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
573 > EOT |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
574 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
575 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
576 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" |
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
577 5fed3813f7f5 |
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
578 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
579 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
580 > --config ui.interactive=True --config ui.nontty=True |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
581 passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
582 |
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
583 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
584 abort: error: * (glob) |
45839
ebee234d952a
errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents:
44896
diff
changeset
|
585 [100] |
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
586 |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
587 Missing certficate and key files result in error |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
588 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
589 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
590 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
591 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
592 [255] |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
593 |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
594 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key |
33575
5b286cfe4fb0
test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents:
33494
diff
changeset
|
595 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob) |
33381
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
596 (restore missing file or fix references in Mercurial config) |
3bdbbadddecc
sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
32273
diff
changeset
|
597 [255] |