Mercurial > hg
annotate tests/test-patchbomb-tls.t @ 29481:5caa415aa48b
tests: better testing of loaded certificates
Tests were failing on systems like RHEL 7 where loading the system
certificates results in CA certs being reported to Python. We add
a feature that detects when we're able to load *and detect* the
loading of system certificates. We update the tests to cover the
3 scenarios:
1) system CAs are loadable and detected
2) system CAs are loadable but not detected
3) system CAs aren't loadable
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Fri, 01 Jul 2016 19:27:34 -0700 |
| parents | 5b71a8d7f7ff |
| children | 9c5325c79683 |
| rev | line source |
|---|---|
|
29333
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
1 #require serve ssl |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
2 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
3 Set up SMTP server: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
4 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
5 $ CERTSDIR="$TESTDIR/sslcerts" |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
6 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
7 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
8 $ python "$TESTDIR/dummysmtpd.py" -p $HGPORT --pid-file a.pid -d \ |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
9 > --tls smtps --certificate `pwd`/server.pem |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
10 listening at localhost:$HGPORT |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
11 $ cat a.pid >> $DAEMON_PIDS |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
12 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
13 Ensure hg email output is sent to stdout: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
14 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
15 $ unset PAGER |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
16 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
17 Set up repository: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
18 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
19 $ hg init t |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
20 $ cd t |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
21 $ cat <<EOF >> .hg/hgrc |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
22 > [extensions] |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
23 > patchbomb = |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
24 > [email] |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
25 > method = smtp |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
26 > [smtp] |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
27 > host = localhost |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
28 > port = $HGPORT |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
29 > tls = smtps |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
30 > EOF |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
31 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
32 $ echo a > a |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
33 $ hg commit -Ama -d '1 0' |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
34 adding a |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
35 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
36 Utility functions: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
37 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
38 $ DISABLECACERTS= |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
39 $ try () { |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
40 > hg email $DISABLECACERTS -f quux -t foo -c bar -r tip "$@" |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
41 > } |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
42 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
43 Our test cert is not signed by a trusted CA. It should fail to verify if |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
44 we are able to load CA certs: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
45 |
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
46 #if sslcontext defaultcacerts no-defaultcacertsloaded |
|
29333
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
47 $ try |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
48 this patch series consists of 1 patches. |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
49 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
50 |
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
51 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
29333
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
52 (?i)abort: .*?certificate.verify.failed.* (re) |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
53 [255] |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
54 #endif |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
55 |
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
56 #if no-sslcontext defaultcacerts |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
57 $ try |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
58 this patch series consists of 1 patches. |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
59 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
60 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
61 (?i)abort: .*?certificate.verify.failed.* (re) |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
62 [255] |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
63 #endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
64 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
65 #if defaultcacertsloaded |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
66 $ try |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
67 this patch series consists of 1 patches. |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
68 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
69 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
70 (?i)abort: .*?certificate.verify.failed.* (re) |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
71 [255] |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
72 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
73 #endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
74 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
75 #if no-defaultcacerts |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
76 $ try |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
77 this patch series consists of 1 patches. |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
78 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
79 |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
80 abort: localhost certificate error: no certificate received |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
81 (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
82 [255] |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
83 #endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
84 |
|
29333
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
85 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
86 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
87 Without certificates: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
88 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
89 $ try --debug |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
90 this patch series consists of 1 patches. |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
91 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
92 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
93 (using smtps) |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
94 sending mail: smtp host localhost, port * (glob) |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
95 (verifying remote certificate) |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29333
diff
changeset
|
96 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29333
diff
changeset
|
97 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server) |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29333
diff
changeset
|
98 [255] |
|
29333
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
99 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
100 With global certificates: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
101 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
102 $ try --debug --config web.cacerts="$CERTSDIR/pub.pem" |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
103 this patch series consists of 1 patches. |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
104 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
105 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
106 (using smtps) |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
107 sending mail: smtp host localhost, port * (glob) |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
108 (verifying remote certificate) |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
109 sending [PATCH] a ... |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
110 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
111 With invalid certificates: |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
112 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
113 $ try --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
114 this patch series consists of 1 patches. |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
115 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
116 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
117 (?i)abort: .*?certificate.verify.failed.* (re) |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
118 [255] |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
119 |
|
cdef60d9f442
tests: add basic tests for SMTP over SSL
Yuya Nishihara <yuya@tcha.org>
parents:
diff
changeset
|
120 $ cd .. |