Mercurial: tests/test-https.t annotate

annotate tests/test-https.t @ 29449:5b71a8d7f7ff

sslutil: emit warning when no CA certificates loaded If no CA certificates are loaded, that is almost certainly a/the reason certificate verification fails when connecting to a server. The modern ssl module in Python 2.7.9+ provides an API to access the list of loaded CA certificates. This patch emits a warning on modern Python when certificate verification fails and there are no loaded CA certificates. There is no way to detect the number of loaded CA certificates unless the modern ssl module is present. Hence the differences in test output depending on whether modern ssl is available. It's worth noting that a test which specifies a CA file still renders this warning. That is because the certificate it is loading is a x509 client certificate and not a CA certificate. This test could be updated if anyone is so inclined.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Wed, 29 Jun 2016 19:43:27 -0700
parents	afbe1fe4c44e
children	5caa415aa48b

rev	line source
22046 7a9cbb315d84 tests: replace exit 80 with #require Matt Mackall <mpm@selenic.com> parents: 18682 diff changeset	1 #require serve ssl
2612 ffb895f16925 add support for streaming clone. Vadim Gelfer <vadim.gelfer@gmail.com> parents: diff changeset	2
22046 7a9cbb315d84 tests: replace exit 80 with #require Matt Mackall <mpm@selenic.com> parents: 18682 diff changeset	3 Proper https client requires the built-in ssl from Python 2.6.
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	4
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	5 Make server certificates:
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	6
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	7 $ CERTSDIR="$TESTDIR/sslcerts"
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	9 $ PRIV=`pwd`/server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	12
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	13 $ hg init test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	14 $ cd test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	15 $ echo foo>foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	17 $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	18 $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	19 $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	20 $ hg commit -A -m 1
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	21 adding foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	22 adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	23 adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	24 adding foo.d/foo
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	26 $ cat ../hg0.pid >> $DAEMON_PIDS
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	27
13544 66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	28 cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	29
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	31 abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	32 [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	33
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	34 Test server address cannot be reused
4289 e17598881509 test-http: use printenv.py Alexis S. L. Carvalho <alexis@cecm.usp.br> parents: 4130 diff changeset	35
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	36 #if windows
3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	37 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
18682 408f2202bd80 tests: remove glob from output lines containing no glob character Simon Heimberg <simohe@besonet.ch> parents: 18588 diff changeset	38 abort: cannot start server at ':$HGPORT':
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	39 [255]
3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	40 #else
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	41 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	42 abort: cannot start server at ':$HGPORT': Address already in use
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	43 [255]
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	44 #endif
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	45 $ cd ..
2612 ffb895f16925 add support for streaming clone. Vadim Gelfer <vadim.gelfer@gmail.com> parents: diff changeset	46
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	47 Our test cert is not signed by a trusted CA. It should fail to verify if
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	48 we are able to load CA certs.
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	49
24289 07fafcd4bc74 test-https: enable dummycert test only if Apple python is used (issue4500) Yuya Nishihara <yuya@tcha.org> parents: 24138 diff changeset	50 #if defaultcacerts
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	51 $ hg clone https://localhost:$HGPORT/ copy-pull
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	52 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	53 abort: error: certificate verify failed (glob)
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	54 [255]
29448 afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	55 #else
afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	56 $ hg clone https://localhost:$HGPORT/ copy-pull
afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	57 abort: localhost certificate error: no certificate received
afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	58 (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	59 [255]
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	60 #endif
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	61
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	62 Specifying a per-host certificate file that doesn't exist will abort
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	63
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	64 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	65 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	66 [255]
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	67
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	68 A malformed per-host certificate file will raise an error
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	69
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	70 $ echo baddata > badca.pem
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	71 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	72 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	73 abort: error loading CA file badca.pem: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	74 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	75 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	76 #else
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	77 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29356 93b83ef78d1e tests: increase test-https malform error glob Durham Goode <durham@fb.com> parents: 29334 diff changeset	78 abort: error: * (glob)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	79 [255]
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	80 #endif
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	81
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	82 A per-host certificate mismatching the server will fail verification
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	83
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	84 (modern ssl is able to discern whether the loaded cert is a CA cert)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	85 #if sslcontext
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	86 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	87 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	88 abort: error: certificate verify failed (glob)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	89 [255]
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	90 #else
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	92 abort: error: certificate verify failed (glob)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	93 [255]
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	94 #endif
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	95
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	96 A per-host certificate matching the server's cert will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	97
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	98 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	99 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	100 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	101 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	102 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	103 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	104
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	105 A per-host certificate with multiple certs and one matching will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	106
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	107 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	108 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	109 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	110 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	111 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	112 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	113 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	114
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	115 Defining both per-host certificate and a fingerprint will print a warning
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	116
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	117 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	118 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	119 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	120 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	121 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	122 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	123 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	124
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	125 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	126
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	127 Inability to verify peer certificate will result in abort
2673 109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks Vadim Gelfer <vadim.gelfer@gmail.com> parents: 2622 diff changeset	128
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	129 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	130 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	131 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	132 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	133
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	134 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	135 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	136 requesting all changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	137 adding changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	138 adding manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	139 adding file changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	140 added 1 changesets with 4 changes to 4 files
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	141 updating to branch default
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	142 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	143 $ hg verify -R copy-pull
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	144 checking changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	145 checking manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	146 crosschecking files in changesets and manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	147 checking files
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	148 4 files, 1 changesets, 4 total revisions
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	149 $ cd test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	150 $ echo bar > bar
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	151 $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	152 adding bar
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	153 $ cd ..
2673 109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks Vadim Gelfer <vadim.gelfer@gmail.com> parents: 2622 diff changeset	154
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	155 pull without cacert
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	156
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	157 $ cd copy-pull
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	158 $ echo '[hooks]' >> .hg/hgrc
25478 d19787db6fe0 tests: simplify printenv calls Matt Mackall <mpm@selenic.com> parents: 25472 diff changeset	159 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	160 $ hg pull $DISABLECACERTS
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	161 pulling from https://localhost:$HGPORT/
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	162 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	163 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	164 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	165
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	166 $ hg pull --insecure
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	167 pulling from https://localhost:$HGPORT/
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	168 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	169 searching for changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	170 adding changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	171 adding manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	172 adding file changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	173 added 1 changesets with 1 changes to 1 files
27739 d6d3cf5fda6f hooks: add HG_NODE_LAST to txnclose and changegroup hook environments Mateusz Kwapich <mitrandir@fb.com> parents: 25478 diff changeset	174 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	175 (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	176 $ cd ..
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	177
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	178 cacert configured in local repo
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	179
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	180 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	181 $ echo "[web]" >> copy-pull/.hg/hgrc
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	182 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	183 $ hg -R copy-pull pull --traceback
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	184 pulling from https://localhost:$HGPORT/
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	185 searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	186 no changes found
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	187 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	188
13231 b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	189 cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	190 variables in the filename
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	191
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	192 $ echo "[web]" >> $HGRCPATH
13231 b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	193 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	194 $ P="$CERTSDIR" hg -R copy-pull pull
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	195 pulling from https://localhost:$HGPORT/
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	196 searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	197 no changes found
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	198 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	199 pulling from https://localhost:$HGPORT/
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	200 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	201 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	202 no changes found
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	203
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	204 empty cacert file
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	205
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	206 $ touch emptycafile
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	207
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	208 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	209 $ hg --config web.cacerts=emptycafile -R copy-pull pull
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	210 pulling from https://localhost:$HGPORT/
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	211 abort: error loading CA file emptycafile: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	212 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	213 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	214 #else
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	215 $ hg --config web.cacerts=emptycafile -R copy-pull pull
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	216 pulling from https://localhost:$HGPORT/
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	217 abort: error: * (glob)
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	218 [255]
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	219 #endif
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	220
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	221 cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	222
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	223 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	224 > https://127.0.0.1:$HGPORT/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	225 pulling from https://127.0.0.1:$HGPORT/
15814 c3e958b50a22 sslutil: show fingerprint when cacerts validation fails Mads Kiilerich <mads@kiilerich.com> parents: 15650 diff changeset	226 abort: 127.0.0.1 certificate error: certificate is for localhost
29292 bc5f55493397 sslutil: make cert fingerprints messages more actionable Gregory Szorc <gregory.szorc@gmail.com> parents: 29290 diff changeset	227 (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	228 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	229 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	230 > https://127.0.0.1:$HGPORT/ --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	231 pulling from https://127.0.0.1:$HGPORT/
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	232 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	233 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	234 no changes found
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	235 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	236 pulling from https://localhost:$HGPORT/
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	237 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	238 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	239 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	240 > --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	241 pulling from https://localhost:$HGPORT/
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	242 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	243 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	244 no changes found
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	245
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	246 Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	247
28549 e01bd7385f4f tests: reorder hg serve commands Jun Wu <quark@fb.com> parents: 28525 diff changeset	248 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	249 $ cat hg1.pid >> $DAEMON_PIDS
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	250 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	251 > https://localhost:$HGPORT1/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	252 pulling from https://localhost:$HGPORT1/
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	253 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	254 [255]
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	255
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	256 Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	257
28549 e01bd7385f4f tests: reorder hg serve commands Jun Wu <quark@fb.com> parents: 28525 diff changeset	258 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	259 $ cat hg2.pid >> $DAEMON_PIDS
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	260 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	261 > https://localhost:$HGPORT2/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	262 pulling from https://localhost:$HGPORT2/
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	263 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	264 [255]
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	265
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	266 Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	267
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	268 - works without cacerts (hostkeyfingerprints)
29263 817ee3cfe862 tests: don't save host fingerprints in hgrc Gregory Szorc <gregory.szorc@gmail.com> parents: 28847 diff changeset	269 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	270 5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	271
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	272 - works without cacerts (hostsecurity)
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	273 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	274 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	275
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	276 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	277 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	278
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	279 - multiple fingerprints specified and first matches
28847 3e576fe66715 tests: use --insecure instead of web.cacerts=! Gregory Szorc <gregory.szorc@gmail.com> parents: 28549 diff changeset	280 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	281 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	282
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	283 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	284 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	285
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	286 - multiple fingerprints specified and last matches
28847 3e576fe66715 tests: use --insecure instead of web.cacerts=! Gregory Szorc <gregory.szorc@gmail.com> parents: 28549 diff changeset	287 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	288 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	289
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	290 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	291 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	292
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	293 - multiple fingerprints specified and none match
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	294
28847 3e576fe66715 tests: use --insecure instead of web.cacerts=! Gregory Szorc <gregory.szorc@gmail.com> parents: 28549 diff changeset	295 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	296 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	297 (check hostfingerprint configuration)
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	298 [255]
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	299
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	300 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29293 1b3a0b0c414f sslutil: print the fingerprint from the last hash used Gregory Szorc <gregory.szorc@gmail.com> parents: 29292 diff changeset	301 abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
29268 f200b58497f1 sslutil: reference appropriate config section in messaging Gregory Szorc <gregory.szorc@gmail.com> parents: 29267 diff changeset	302 (check hostsecurity configuration)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	303 [255]
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	304
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	305 - fails when cert doesn't match hostname (port is ignored)
29263 817ee3cfe862 tests: don't save host fingerprints in hgrc Gregory Szorc <gregory.szorc@gmail.com> parents: 28847 diff changeset	306 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
15997 a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15814 diff changeset	307 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15814 diff changeset	308 (check hostfingerprint configuration)
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	309 [255]
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	310
18588 3241fc65e3cd test-https.t: stop using kill `cat $pidfile` Augie Fackler <raf@durin42.com> parents: 18354 diff changeset	311
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	312 - ignores that certificate doesn't match hostname
29263 817ee3cfe862 tests: don't save host fingerprints in hgrc Gregory Szorc <gregory.szorc@gmail.com> parents: 28847 diff changeset	313 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	314 5fed3813f7f5
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	315
18588 3241fc65e3cd test-https.t: stop using kill `cat $pidfile` Augie Fackler <raf@durin42.com> parents: 18354 diff changeset	316 HGPORT1 is reused below for tinyproxy tests. Kill that server.
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	317 $ killdaemons.py hg1.pid
16300 74e114ac6ec1 tests: fix startup/shutdown races in test-https Matt Mackall <mpm@selenic.com> parents: 16107 diff changeset	318
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	319 Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	320
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	321 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496 abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command Mads Kiilerich <mads@kiilerich.com> parents: 16300 diff changeset	322 $ while [ ! -f proxy.pid ]; do sleep 0; done
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	323 $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	324
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	325 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	326 $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	327 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	328 $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	329
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	330 Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	331
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	332 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	333 pulling from https://localhost:$HGPORT/
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	334 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	335 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	336 no changes found
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	337
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	338 Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	339
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	340 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	341 > --config web.cacerts="$CERTSDIR/pub.pem"
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	342 pulling from https://localhost:$HGPORT/
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	343 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	344 no changes found
29263 817ee3cfe862 tests: don't save host fingerprints in hgrc Gregory Szorc <gregory.szorc@gmail.com> parents: 28847 diff changeset	345 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	346 pulling from https://127.0.0.1:$HGPORT/
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	347 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	348 no changes found
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	349
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	350 Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	351
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	352 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	353 > --config web.cacerts="$CERTSDIR/pub-other.pem"
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	354 pulling from https://localhost:$HGPORT/
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	355 abort: error: certificate verify failed (glob)
13424 08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation Mads Kiilerich <mads@kiilerich.com> parents: 13423 diff changeset	356 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	357 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	358 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	359 pulling from https://localhost:$HGPORT2/
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	360 abort: error: certificate verify failed (glob)
13424 08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation Mads Kiilerich <mads@kiilerich.com> parents: 13423 diff changeset	361 [255]
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	362
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	363
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	364 $ killdaemons.py hg0.pid
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	365
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	366 #if sslcontext
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	367
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	368 Start patched hgweb that requires client certificates:
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	369
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	370 $ cat << EOT > reqclientcert.py
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	371 > import ssl
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	372 > from mercurial.hgweb import server
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	373 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	374 > @staticmethod
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	375 > def preparehttpserver(httpserver, ssl_cert):
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	376 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	377 > sslcontext.verify_mode = ssl.CERT_REQUIRED
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	378 > sslcontext.load_cert_chain(ssl_cert)
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	379 > # verify clients by server certificate
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	380 > sslcontext.load_verify_locations(ssl_cert)
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	381 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	382 > server_side=True)
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	383 > server._httprequesthandlerssl = _httprequesthandlersslclientcert
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	384 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	385 $ cd test
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	386 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	387 > --config extensions.reqclientcert=../reqclientcert.py
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	388 $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	389 $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	390
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	391 without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	392
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	393 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	394 abort: error: handshake failure (glob)
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	395 [255]
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	396
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	397 with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	398
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	399 $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	400 > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	401 > l.prefix = localhost
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	402 > l.cert = $CERTSDIR/client-cert.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	403 > l.key = $CERTSDIR/client-key.pem
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	404 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	405
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	406 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	407 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	408 5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	409
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	410 $ printf '1234\n' \| env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	411 > --config ui.interactive=True --config ui.nontty=True
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	412 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	413
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	414 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	415 abort: error: * (glob)
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	416 [255]
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	417
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	418 #endif

Mercurial > hg

annotate tests/test-https.t @ 29449:5b71a8d7f7ff