annotate tests/test-https.t @ 31383:7556fe09cc48

py3: convert set of revset initial symbols back to bytes Otherwise tokenize() would fail due to comparison between unicode and bytes.
author Yuya Nishihara <yuya@tcha.org>
date Sun, 12 Mar 2017 17:10:14 -0700
parents f819aa9dbbf9
children 728d37353e1e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
1 #require serve ssl
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
2
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
3 Proper https client requires the built-in ssl from Python 2.6.
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
4
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
5 Make server certificates:
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
6
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
7 $ CERTSDIR="$TESTDIR/sslcerts"
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
9 $ PRIV=`pwd`/server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
12
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
13 $ hg init test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
14 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
15 $ echo foo>foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
17 $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
18 $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
19 $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
20 $ hg commit -A -m 1
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
21 adding foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
22 adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
23 adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
24 adding foo.d/foo
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
26 $ cat ../hg0.pid >> $DAEMON_PIDS
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
27
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
28 cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
29
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
32 abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
33 [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
34
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
35 Test server address cannot be reused
4289
e17598881509 test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents: 4130
diff changeset
36
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
37 #if windows
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31009
161ab32b44a1 runtests: set web.address to localhost
Jun Wu <quark@fb.com>
parents: 31008
diff changeset
39 abort: cannot start server at 'localhost:$HGPORT':
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
40 [255]
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
41 #else
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31009
161ab32b44a1 runtests: set web.address to localhost
Jun Wu <quark@fb.com>
parents: 31008
diff changeset
43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
44 [255]
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
45 #endif
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
46 $ cd ..
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
47
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
48 Our test cert is not signed by a trusted CA. It should fail to verify if
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
49 we are able to load CA certs.
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
50
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
51 #if sslcontext defaultcacerts no-defaultcacertsloaded
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
52 $ hg clone https://localhost:$HGPORT/ copy-pull
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
54 abort: error: *certificate verify failed* (glob)
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
55 [255]
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
56 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
57
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
58 #if no-sslcontext defaultcacerts
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
59 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29499
diff changeset
61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
62 abort: error: *certificate verify failed* (glob)
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
63 [255]
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
64 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
65
29489
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
66 #if no-sslcontext windows
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
67 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29489
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
70 abort: error: *certificate verify failed* (glob)
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
71 [255]
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
72 #endif
54ad81b0665f sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29481
diff changeset
73
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
74 #if no-sslcontext osx
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
75 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
78 abort: localhost certificate error: no certificate received
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
80 [255]
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
81 #endif
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
82
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
83 #if defaultcacertsloaded
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
84 $ hg clone https://localhost:$HGPORT/ copy-pull
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500
4b16a5bd9948 sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29499
diff changeset
86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
87 abort: error: *certificate verify failed* (glob)
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
88 [255]
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
89 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
90
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
91 #if no-defaultcacerts
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
92 $ hg clone https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29499
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29489
diff changeset
94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
95 abort: localhost certificate error: no certificate received
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29448
afbe1fe4c44e tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29446
diff changeset
97 [255]
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
98 #endif
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
99
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
100 Specifying a per-host certificate file that doesn't exist will abort
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
101
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
102 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
103 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
104 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
105 [255]
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
106
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
107 A malformed per-host certificate file will raise an error
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
108
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
109 $ echo baddata > badca.pem
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
110 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
111 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
112 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
113 abort: error loading CA file badca.pem: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
114 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
115 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
116 #else
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
117 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
118 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29356
93b83ef78d1e tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents: 29334
diff changeset
119 abort: error: * (glob)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
120 [255]
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
121 #endif
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
122
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
123 A per-host certificate mismatching the server will fail verification
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
124
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
125 (modern ssl is able to discern whether the loaded cert is a CA cert)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
126 #if sslcontext
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
127 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
128 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
129 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
130 abort: error: *certificate verify failed* (glob)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
131 [255]
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
132 #else
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
133 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
134 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
135 abort: error: *certificate verify failed* (glob)
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
136 [255]
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
137 #endif
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
138
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
139 A per-host certificate matching the server's cert will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
140
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
141 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
142 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
143 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
144 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
145 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
146 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
147 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
148
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
149 A per-host certificate with multiple certs and one matching will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
150
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
151 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
152 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
153 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
154 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
155 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
156 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
157 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
158 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
159
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
160 Defining both per-host certificate and a fingerprint will print a warning
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
161
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
162 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
163 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
164 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
165 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
166 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
167 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
168 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
169 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
170
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
171 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
172
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
173 Inability to verify peer certificate will result in abort
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
174
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
175 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
176 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
177 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
178 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
179 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
180
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
181 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
182 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
183 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
184 requesting all changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
185 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
186 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
187 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
188 added 1 changesets with 4 changes to 4 files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
189 updating to branch default
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
190 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
191 $ hg verify -R copy-pull
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
192 checking changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
193 checking manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
194 crosschecking files in changesets and manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
195 checking files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
196 4 files, 1 changesets, 4 total revisions
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
197 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
198 $ echo bar > bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
199 $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
200 adding bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
201 $ cd ..
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
202
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
203 pull without cacert
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
204
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
205 $ cd copy-pull
30234
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
206 $ cat >> .hg/hgrc <<EOF
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
207 > [hooks]
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
208 > changegroup = sh -c "printenv.py changegroup"
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
209 > EOF
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
210 $ hg pull $DISABLECACERTS
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
211 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
212 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
213 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
214 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
215 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
216
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
217 $ hg pull --insecure
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
218 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
219 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
220 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
221 searching for changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
222 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
223 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
224 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
225 added 1 changesets with 1 changes to 1 files
27739
d6d3cf5fda6f hooks: add HG_NODE_LAST to txnclose and changegroup hook environments
Mateusz Kwapich <mitrandir@fb.com>
parents: 25478
diff changeset
226 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
227 (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
228 $ cd ..
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
229
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
230 cacert configured in local repo
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
231
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
232 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
233 $ echo "[web]" >> copy-pull/.hg/hgrc
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
234 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
29842
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
235 $ hg -R copy-pull pull
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
236 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
237 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
238 searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
239 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
240 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
241
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
242 cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
243 variables in the filename
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
244
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
245 $ echo "[web]" >> $HGRCPATH
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
246 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
247 $ P="$CERTSDIR" hg -R copy-pull pull
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
248 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
249 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
250 searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
251 no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
252 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
253 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
254 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
255 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
256 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
257 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
258
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
259 empty cacert file
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
260
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
261 $ touch emptycafile
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
262
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
263 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
264 $ hg --config web.cacerts=emptycafile -R copy-pull pull
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
265 pulling from https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
266 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
267 abort: error loading CA file emptycafile: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
268 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
269 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
270 #else
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
271 $ hg --config web.cacerts=emptycafile -R copy-pull pull
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
272 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
273 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
274 abort: error: * (glob)
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
275 [255]
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
276 #endif
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
277
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
278 cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
279
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
280 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
281 > https://$LOCALIP:$HGPORT/
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
282 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
283 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
284 abort: $LOCALIP certificate error: certificate is for localhost
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
285 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
286 [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
287 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
288 > https://$LOCALIP:$HGPORT/ --insecure
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
289 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
290 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
291 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
292 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
293 no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
294 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
295 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
296 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
297 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
298 [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
299 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
300 > --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
301 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
302 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
303 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
304 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
305 no changes found
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
306
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
307 Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
308
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
309 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
310 $ cat hg1.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
311 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
312 > https://localhost:$HGPORT1/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
313 pulling from https://localhost:$HGPORT1/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
314 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
315 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
316 [255]
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
317
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
318 Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
319
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
320 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
321 $ cat hg2.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
322 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
323 > https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
324 pulling from https://localhost:$HGPORT2/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
325 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
326 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
327 [255]
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
328
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
329 Disabling the TLS 1.0 warning works
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
330 $ hg -R copy-pull id https://localhost:$HGPORT/ \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
331 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
332 > --config hostsecurity.disabletls10warning=true
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
333 5fed3813f7f5
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
334
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
335 #if no-sslcontext no-py27+
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
336 Setting ciphers doesn't work in Python 2.6
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
337 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
338 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
339 abort: setting ciphers in [hostsecurity] is not supported by this version of Python
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
340 (remove the config option or run Mercurial with a modern Python version (preferred))
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
341 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
342 #endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
343
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
344 Setting ciphers works in Python 2.7+ but the error message is different on
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
345 legacy ssl. We test legacy once and do more feature checking on modern
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
346 configs.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
347
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
348 #if py27+ no-sslcontext
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
349 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
350 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
351 abort: *No cipher can be selected. (glob)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
352 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
353
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
354 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
355 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
356 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
357 #endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
358
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
359 #if sslcontext
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
360 Setting ciphers to an invalid value aborts
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
361 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
362 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
363 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
364 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
365 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
366
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
367 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
368 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
369 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
370 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
371 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
372
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
373 Changing the cipher string works
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
374
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
375 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
376 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
377 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
378 #endif
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
379
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
380 Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
381
30332
318a24b52eeb spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents: 30234
diff changeset
382 - works without cacerts (hostfingerprints)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
383 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
385 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
386 5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
387
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
388 - works without cacerts (hostsecurity)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
389 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
390 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
391 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
392
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
393 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
395 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
396
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
397 - multiple fingerprints specified and first matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
398 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
400 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
401 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
402
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
403 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
405 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
406
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
407 - multiple fingerprints specified and last matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
408 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
409 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
410 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
411 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
412
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
413 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
414 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
415 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
416
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
417 - multiple fingerprints specified and none match
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
418
28847
3e576fe66715 tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents: 28549
diff changeset
419 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
420 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
421 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
422 (check hostfingerprint configuration)
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
423 [255]
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
424
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
425 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
426 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
427 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29268
f200b58497f1 sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29267
diff changeset
428 (check hostsecurity configuration)
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
429 [255]
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
430
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
431 - fails when cert doesn't match hostname (port is ignored)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
432 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
433 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
434 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
15997
a45516cb8d9f sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents: 15814
diff changeset
435 (check hostfingerprint configuration)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
436 [255]
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
437
18588
3241fc65e3cd test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents: 18354
diff changeset
438
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
439 - ignores that certificate doesn't match hostname
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
440 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
441 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
442 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
443 5fed3813f7f5
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
444
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
445 Ports used by next test. Kill servers.
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
446
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
447 $ killdaemons.py hg0.pid
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
448 $ killdaemons.py hg1.pid
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
449 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
450
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
451 #if sslcontext tls1.2
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
452 Start servers running supported TLS versions
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
453
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
454 $ cd test
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
455 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
456 > --config devel.serverexactprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
457 $ cat ../hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
458 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
459 > --config devel.serverexactprotocol=tls1.1
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
460 $ cat ../hg1.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
461 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
462 > --config devel.serverexactprotocol=tls1.2
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
463 $ cat ../hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
464 $ cd ..
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
465
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
466 Clients talking same TLS versions work
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
467
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
468 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
469 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
470 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
471 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
472 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
473 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
474
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
475 Clients requiring newer TLS version than what server supports fail
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
476
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
477 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
478 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
479 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
480 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
481 abort: error: *unsupported protocol* (glob)
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
482 [255]
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
483
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
484 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
485 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
486 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
487 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
488 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
489 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
490 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
491 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
492 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
493 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
494 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
495 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
496 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
497 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
498 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
499 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
500 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
501 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
502
29617
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
503 --insecure will allow TLS 1.0 connections and override configs
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
504
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
505 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
506 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
507 5fed3813f7f5
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
508
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
509 The per-host config option overrides the default
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
510
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
511 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
512 > --config hostsecurity.minimumprotocol=tls1.2 \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
513 > --config hostsecurity.localhost:minimumprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
514 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
515
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
516 The per-host config option by itself works
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
517
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
518 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
519 > --config hostsecurity.localhost:minimumprotocol=tls1.2
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
520 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
521 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
522 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
523 abort: error: *unsupported protocol* (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
524 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
525
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
526 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
527
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
528 $ cat >> copy-pull/.hg/hgrc << EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
529 > [hostsecurity]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
530 > localhost:minimumprotocol=tls1.2
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
531 > EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
532 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
533 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
534 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
535 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29635
dee24c87dbf0 tests: glob over ssl error
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29619
diff changeset
536 abort: error: *unsupported protocol* (glob)
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
537 [255]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
538
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
539 $ killdaemons.py hg0.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
540 $ killdaemons.py hg1.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
541 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
542 #endif
16300
74e114ac6ec1 tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents: 16107
diff changeset
543
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
544 Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
545
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
546 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
547 $ cat hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
548 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
549 $ cat hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
550 tinyproxy.py doesn't fully detach, so killing it may result in extra output
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
551 from the shell. So don't kill it.
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
552 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496
abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents: 16300
diff changeset
553 $ while [ ! -f proxy.pid ]; do sleep 0; done
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
554 $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
555
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
556 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
557 $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
558 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
559 $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
560
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
561 Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
562
29842
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
563 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
564 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
565 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
566 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
567 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
568 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
569
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
570 Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
571
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
572 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
573 > --config web.cacerts="$CERTSDIR/pub.pem"
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
574 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
575 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
576 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
577 no changes found
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
578 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
579 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
580 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290
f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 31009
diff changeset
581 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
582 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
583 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
584
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
585 Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
586
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
587 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
588 > --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
589 pulling from https://localhost:$HGPORT/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
590 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
591 abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
592 [255]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
593 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
594 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
595 pulling from https://localhost:$HGPORT2/
29561
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29560
diff changeset
596 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
597 abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
598 [255]
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
599
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
600
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
601 $ killdaemons.py hg0.pid
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
602
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
603 #if sslcontext
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
604
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
605 Start hgweb that requires client certificates:
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
606
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
607 $ cd test
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
608 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
609 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
610 $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
611 $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
612
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
613 without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
614
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
615 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
616 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
617 abort: error: *handshake failure* (glob)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
618 [255]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
619
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
620 with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
621
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
622 $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
623 > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
624 > l.prefix = localhost
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
625 > l.cert = $CERTSDIR/client-cert.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
626 > l.key = $CERTSDIR/client-key.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
627 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
628
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
629 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
630 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
631 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
632 5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
633
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
634 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
635 > --config ui.interactive=True --config ui.nontty=True
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
636 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
637 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
638
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
639 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601
6cff2ac0ccb9 sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29577
diff changeset
640 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
641 abort: error: * (glob)
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
642 [255]
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
643
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
644 #endif