Mercurial: tests/test-https.t annotate

annotate tests/test-https.t @ 31971:73e9328e5307

obsolescence: add test case D-3 for obsolescence markers exchange About 3 years ago, in August 2014, the logic to select what markers to select on push was ported from the evolve extension to Mercurial core. However, for some unclear reasons, the tests for that logic were not ported alongside. I realised it a couple of weeks ago while working on another push related issue. I've made a clean up pass on the tests and they are now ready to integrate the core test suite. This series of changesets do not change any logic. I just adds test for logic that has been around for about 10 versions of Mercurial. They are a patch for each test case. It makes it easier to review and postpone one with documentation issues without rejecting the wholes series. This patch introduce case D3: missing prune target (prune not in "pushed set") Each test case comes it in own test file. It help parallelism and does not introduce a significant overhead from having a single unified giant test file. Here are timing to support this claim. # Multiple test files version: # run-tests.py --local -j 1 test-exchange-*.t 53.40s user 6.82s system 85% cpu 1:10.76 total 52.79s user 6.97s system 85% cpu 1:09.97 total 52.94s user 6.82s system 85% cpu 1:09.69 total # Single test file version: # run-tests.py --local -j 1 test-exchange-obsmarkers.t 52.97s user 6.85s system 85% cpu 1:10.10 total 52.64s user 6.79s system 85% cpu 1:09.63 total 53.70s user 7.00s system 85% cpu 1:11.17 total

author	Pierre-Yves David <pierre-yves.david@ens-lyon.org>
date	Mon, 10 Apr 2017 16:54:43 +0200
parents	68bd8cd381a3
children	9a86d936670f ab89d2f7dc9a

rev	line source
22046 7a9cbb315d84 tests: replace exit 80 with #require Matt Mackall <mpm@selenic.com> parents: 18682 diff changeset	1 #require serve ssl
2612 ffb895f16925 add support for streaming clone. Vadim Gelfer <vadim.gelfer@gmail.com> parents: diff changeset	2
22046 7a9cbb315d84 tests: replace exit 80 with #require Matt Mackall <mpm@selenic.com> parents: 18682 diff changeset	3 Proper https client requires the built-in ssl from Python 2.6.
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	4
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	5 Make server certificates:
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	6
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	7 $ CERTSDIR="$TESTDIR/sslcerts"
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	9 $ PRIV=`pwd`/server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	12
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	13 $ hg init test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	14 $ cd test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	15 $ echo foo>foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	17 $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	18 $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	19 $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	20 $ hg commit -A -m 1
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	21 adding foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	22 adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	23 adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	24 adding foo.d/foo
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	26 $ cat ../hg0.pid >> $DAEMON_PIDS
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	27
13544 66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	28 cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	29
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13544 66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	32 abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	33 [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	34
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	35 Test server address cannot be reused
4289 e17598881509 test-http: use printenv.py Alexis S. L. Carvalho <alexis@cecm.usp.br> parents: 4130 diff changeset	36
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	37 #if windows
3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31768 49e9124cfc23 test-http: update output for Windows Matt Harbison <matt_harbison@yahoo.com> parents: 31766 diff changeset	39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	40 [255]
3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	41 #else
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31009 161ab32b44a1 runtests: set web.address to localhost Jun Wu <quark@fb.com> parents: 31008 diff changeset	43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	44 [255]
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	45 #endif
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	46 $ cd ..
2612 ffb895f16925 add support for streaming clone. Vadim Gelfer <vadim.gelfer@gmail.com> parents: diff changeset	47
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	48 Our test cert is not signed by a trusted CA. It should fail to verify if
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	49 we are able to load CA certs.
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	50
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	51 #if sslcontext defaultcacerts no-defaultcacertsloaded
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	52 $ hg clone https://localhost:$HGPORT/ copy-pull
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	54 abort: error: certificate verify failed (glob)
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	55 [255]
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	56 #endif
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	57
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	58 #if no-sslcontext defaultcacerts
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	59 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	62 abort: error: certificate verify failed (glob)
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	63 [255]
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	64 #endif
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	65
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	66 #if no-sslcontext windows
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	67 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	70 abort: error: certificate verify failed (glob)
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	71 [255]
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	72 #endif
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	73
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	74 #if no-sslcontext osx
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	75 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	78 abort: localhost certificate error: no certificate received
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	80 [255]
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	81 #endif
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	82
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	83 #if defaultcacertsloaded
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	84 $ hg clone https://localhost:$HGPORT/ copy-pull
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	87 abort: error: certificate verify failed (glob)
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	88 [255]
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	89 #endif
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	90
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	91 #if no-defaultcacerts
29448 afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	92 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29448 afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	95 abort: localhost certificate error: no certificate received
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29448 afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	97 [255]
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	98 #endif
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	99
31766 bdcaf612e75a tests: add globs for Windows Matt Harbison <matt_harbison@yahoo.com> parents: 31747 diff changeset	100 Specifying a per-host certificate file that doesn't exist will abort. The full
bdcaf612e75a tests: add globs for Windows Matt Harbison <matt_harbison@yahoo.com> parents: 31747 diff changeset	101 C:/path/to/msysroot will print on Windows.
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	102
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31766 bdcaf612e75a tests: add globs for Windows Matt Harbison <matt_harbison@yahoo.com> parents: 31747 diff changeset	105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	106 [255]
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	107
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	108 A malformed per-host certificate file will raise an error
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	109
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	110 $ echo baddata > badca.pem
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	111 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	112 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	113 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	114 abort: error loading CA file badca.pem: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	115 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	116 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	117 #else
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	118 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	119 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29356 93b83ef78d1e tests: increase test-https malform error glob Durham Goode <durham@fb.com> parents: 29334 diff changeset	120 abort: error: * (glob)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	121 [255]
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	122 #endif
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	123
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	124 A per-host certificate mismatching the server will fail verification
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	125
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	126 (modern ssl is able to discern whether the loaded cert is a CA cert)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	127 #if sslcontext
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	130 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	131 abort: error: certificate verify failed (glob)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	132 [255]
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	133 #else
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	134 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	135 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	136 abort: error: certificate verify failed (glob)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	137 [255]
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	138 #endif
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	139
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	140 A per-host certificate matching the server's cert will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	141
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	142 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	143 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	144 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	145 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	146 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	147 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	148 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	149
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	150 A per-host certificate with multiple certs and one matching will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	151
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	152 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	153 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	154 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	155 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	156 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	157 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	158 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	159 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	160
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	161 Defining both per-host certificate and a fingerprint will print a warning
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	162
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	163 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	164 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	165 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	166 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	167 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	168 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	169 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	170 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	171
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	172 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	173
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	174 Inability to verify peer certificate will result in abort
2673 109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks Vadim Gelfer <vadim.gelfer@gmail.com> parents: 2622 diff changeset	175
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	176 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	177 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	178 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	179 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	180 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	181
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	182 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	183 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	184 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	185 requesting all changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	186 adding changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	187 adding manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	188 adding file changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	189 added 1 changesets with 4 changes to 4 files
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	190 updating to branch default
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	191 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	192 $ hg verify -R copy-pull
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	193 checking changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	194 checking manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	195 crosschecking files in changesets and manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	196 checking files
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	197 4 files, 1 changesets, 4 total revisions
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	198 $ cd test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	199 $ echo bar > bar
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	200 $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	201 adding bar
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	202 $ cd ..
2673 109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks Vadim Gelfer <vadim.gelfer@gmail.com> parents: 2622 diff changeset	203
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	204 pull without cacert
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	205
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	206 $ cd copy-pull
30234 34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	207 $ cat >> .hg/hgrc <<EOF
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	208 > [hooks]
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	209 > changegroup = sh -c "printenv.py changegroup"
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	210 > EOF
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	211 $ hg pull $DISABLECACERTS
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	212 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	213 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	214 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	215 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	216 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	217
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	218 $ hg pull --insecure
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	219 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	220 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	221 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	222 searching for changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	223 adding changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	224 adding manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	225 adding file changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	226 added 1 changesets with 1 changes to 1 files
31747 aff7b32b3c05 hook: add hook name information to external hook Pierre-Yves David <pierre-yves.david@ens-lyon.org> parents: 31746 diff changeset	227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	228 (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	229 $ cd ..
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	230
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	231 cacert configured in local repo
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	232
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	233 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	234 $ echo "[web]" >> copy-pull/.hg/hgrc
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	235 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
29842 d5497eb1d768 test-https: drop two spurious --traceback flags Augie Fackler <augie@google.com> parents: 29635 diff changeset	236 $ hg -R copy-pull pull
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	237 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	238 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	239 searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	240 no changes found
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	241 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	242
13231 b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	243 cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	244 variables in the filename
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	245
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	246 $ echo "[web]" >> $HGRCPATH
13231 b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	247 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	248 $ P="$CERTSDIR" hg -R copy-pull pull
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	249 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	250 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	251 searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	252 no changes found
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	253 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	254 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	255 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	256 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	257 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	258 no changes found
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	259
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	260 empty cacert file
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	261
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	262 $ touch emptycafile
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	263
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	264 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	265 $ hg --config web.cacerts=emptycafile -R copy-pull pull
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	266 pulling from https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	267 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	268 abort: error loading CA file emptycafile: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	269 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	270 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	271 #else
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	272 $ hg --config web.cacerts=emptycafile -R copy-pull pull
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	273 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	274 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	275 abort: error: * (glob)
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	276 [255]
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	277 #endif
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	278
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	279 cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	280
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	282 > https://$LOCALIP:$HGPORT/
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	283 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31813 68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t Augie Fackler <augie@google.com> parents: 31768 diff changeset	285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	287 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	289 > https://$LOCALIP:$HGPORT/ --insecure
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	290 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31813 68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t Augie Fackler <augie@google.com> parents: 31768 diff changeset	292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	293 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	294 no changes found
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	296 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	298 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	299 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	300 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	301 > --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	302 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	303 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	304 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	305 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	306 no changes found
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	307
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	308 Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	309
28549 e01bd7385f4f tests: reorder hg serve commands Jun Wu <quark@fb.com> parents: 28525 diff changeset	310 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	311 $ cat hg1.pid >> $DAEMON_PIDS
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	312 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	313 > https://localhost:$HGPORT1/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	314 pulling from https://localhost:$HGPORT1/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	315 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	316 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	317 [255]
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	318
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	319 Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	320
28549 e01bd7385f4f tests: reorder hg serve commands Jun Wu <quark@fb.com> parents: 28525 diff changeset	321 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	322 $ cat hg2.pid >> $DAEMON_PIDS
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	323 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	324 > https://localhost:$HGPORT2/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	325 pulling from https://localhost:$HGPORT2/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	326 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	327 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	328 [255]
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	329
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	330 Disabling the TLS 1.0 warning works
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	331 $ hg -R copy-pull id https://localhost:$HGPORT/ \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	332 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	333 > --config hostsecurity.disabletls10warning=true
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	334 5fed3813f7f5
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	335
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	336 #if no-sslcontext no-py27+
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	337 Setting ciphers doesn't work in Python 2.6
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	338 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	339 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	340 abort: setting ciphers in [hostsecurity] is not supported by this version of Python
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	341 (remove the config option or run Mercurial with a modern Python version (preferred))
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	342 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	343 #endif
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	344
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	345 Setting ciphers works in Python 2.7+ but the error message is different on
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	346 legacy ssl. We test legacy once and do more feature checking on modern
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	347 configs.
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	348
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	349 #if py27+ no-sslcontext
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	352 abort: *No cipher can be selected. (glob)
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	353 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	354
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	357 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	358 #endif
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	359
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	360 #if sslcontext
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	361 Setting ciphers to an invalid value aborts
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	364 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	365 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	366 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	367
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	368 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	369 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	370 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	371 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	372 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	373
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	374 Changing the cipher string works
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	375
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	378 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	379 #endif
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	380
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	381 Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	382
30332 318a24b52eeb spelling: fixes of non-dictionary words Mads Kiilerich <madski@unity3d.com> parents: 30234 diff changeset	383 - works without cacerts (hostfingerprints)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	387 5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	388
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	389 - works without cacerts (hostsecurity)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	392 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	393
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	394 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	395 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	396 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	397
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	398 - multiple fingerprints specified and first matches
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	402 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	403
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	406 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	407
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	408 - multiple fingerprints specified and last matches
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	412 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	413
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	416 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	417
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	418 - multiple fingerprints specified and none match
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	419
28847 3e576fe66715 tests: use --insecure instead of web.cacerts=! Gregory Szorc <gregory.szorc@gmail.com> parents: 28549 diff changeset	420 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	421 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	422 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	423 (check hostfingerprint configuration)
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	424 [255]
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	425
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	426 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	427 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	428 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29268 f200b58497f1 sslutil: reference appropriate config section in messaging Gregory Szorc <gregory.szorc@gmail.com> parents: 29267 diff changeset	429 (check hostsecurity configuration)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	430 [255]
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	431
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	432 - fails when cert doesn't match hostname (port is ignored)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	433 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	434 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	435 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
15997 a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15814 diff changeset	436 (check hostfingerprint configuration)
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	437 [255]
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	438
18588 3241fc65e3cd test-https.t: stop using kill `cat $pidfile` Augie Fackler <raf@durin42.com> parents: 18354 diff changeset	439
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	440 - ignores that certificate doesn't match hostname
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	444 5fed3813f7f5
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	445
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	446 Ports used by next test. Kill servers.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	447
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	448 $ killdaemons.py hg0.pid
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	449 $ killdaemons.py hg1.pid
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	450 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	451
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	452 #if sslcontext tls1.2
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	453 Start servers running supported TLS versions
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	454
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	455 $ cd test
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	457 > --config devel.serverexactprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	458 $ cat ../hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	459 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	460 > --config devel.serverexactprotocol=tls1.1
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	461 $ cat ../hg1.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	462 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	463 > --config devel.serverexactprotocol=tls1.2
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	464 $ cat ../hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	465 $ cd ..
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	466
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	467 Clients talking same TLS versions work
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	468
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	469 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	470 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	471 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	472 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	473 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	474 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	475
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	476 Clients requiring newer TLS version than what server supports fail
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	477
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	478 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	482 abort: error: unsupported protocol (glob)
303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	483 [255]
303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	484
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	485 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	486 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	487 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	488 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	489 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	490 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	491 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	492 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	493 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	494 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	495 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	496 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	497 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	498 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	499 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	500 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	501 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	502 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	503
29617 2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	504 --insecure will allow TLS 1.0 connections and override configs
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	505
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	506 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	507 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	508 5fed3813f7f5
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	509
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	510 The per-host config option overrides the default
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	511
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	513 > --config hostsecurity.minimumprotocol=tls1.2 \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	514 > --config hostsecurity.localhost:minimumprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	515 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	516
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	517 The per-host config option by itself works
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	518
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	519 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	520 > --config hostsecurity.localhost:minimumprotocol=tls1.2
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	521 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	522 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	523 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	524 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	525 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	526
29616 3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	527 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	528
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	529 $ cat >> copy-pull/.hg/hgrc << EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	530 > [hostsecurity]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	531 > localhost:minimumprotocol=tls1.2
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	532 > EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	533 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	534 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	535 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	536 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29635 dee24c87dbf0 tests: glob over ssl error Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	537 abort: error: unsupported protocol (glob)
29616 3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	538 [255]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	539
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	540 $ killdaemons.py hg0.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	541 $ killdaemons.py hg1.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	542 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	543 #endif
16300 74e114ac6ec1 tests: fix startup/shutdown races in test-https Matt Mackall <mpm@selenic.com> parents: 16107 diff changeset	544
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	545 Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	546
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	547 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	548 $ cat hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	550 $ cat hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	551 tinyproxy.py doesn't fully detach, so killing it may result in extra output
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	552 from the shell. So don't kill it.
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	553 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496 abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command Mads Kiilerich <mads@kiilerich.com> parents: 16300 diff changeset	554 $ while [ ! -f proxy.pid ]; do sleep 0; done
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	555 $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	556
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	557 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	558 $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	559 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	560 $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	561
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	562 Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	563
29842 d5497eb1d768 test-https: drop two spurious --traceback flags Augie Fackler <augie@google.com> parents: 29635 diff changeset	564 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	565 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	566 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	567 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	568 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	569 no changes found
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	570
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	571 Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	572
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	573 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	574 > --config web.cacerts="$CERTSDIR/pub.pem"
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	575 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	577 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	578 no changes found
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	580 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	583 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	584 no changes found
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	585
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	586 Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	587
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	588 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	589 > --config web.cacerts="$CERTSDIR/pub-other.pem"
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	590 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	591 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	592 abort: error: certificate verify failed (glob)
13424 08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation Mads Kiilerich <mads@kiilerich.com> parents: 13423 diff changeset	593 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	594 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	595 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	596 pulling from https://localhost:$HGPORT2/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	597 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	598 abort: error: certificate verify failed (glob)
13424 08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation Mads Kiilerich <mads@kiilerich.com> parents: 13423 diff changeset	599 [255]
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	600
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	601
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	602 $ killdaemons.py hg0.pid
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	603
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	604 #if sslcontext
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	605
29555 121d11814c62 hgweb: use sslutil.wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29553 diff changeset	606 Start hgweb that requires client certificates:
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	607
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	608 $ cd test
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	609 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
29555 121d11814c62 hgweb: use sslutil.wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29553 diff changeset	610 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	611 $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	612 $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	613
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	614 without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	615
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	616 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	617 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	618 abort: error: handshake failure (glob)
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	619 [255]
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	620
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	621 with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	622
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	623 $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	624 > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	625 > l.prefix = localhost
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	626 > l.cert = $CERTSDIR/client-cert.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	627 > l.key = $CERTSDIR/client-key.pem
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	628 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	629
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	630 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	631 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	632 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	633 5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	634
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	635 $ printf '1234\n' \| env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	636 > --config ui.interactive=True --config ui.nontty=True
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	637 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	638 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	639
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	640 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	641 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	642 abort: error: * (glob)
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	643 [255]
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	644
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	645 #endif

Mercurial > hg

annotate tests/test-https.t @ 31971:73e9328e5307