Mercurial: tests/test-https.t annotate

annotate tests/test-https.t @ 31315:78ac7061f840

util: add debugstacktrace depth limit Useful when you don't care about the start of the stack, but only want to see the last entries.

author	Mads Kiilerich <madski@unity3d.com>
date	Wed, 14 Jan 2015 01:15:26 +0100
parents	f819aa9dbbf9
children	728d37353e1e

rev	line source
22046 7a9cbb315d84 tests: replace exit 80 with #require Matt Mackall <mpm@selenic.com> parents: 18682 diff changeset	1 #require serve ssl
2612 ffb895f16925 add support for streaming clone. Vadim Gelfer <vadim.gelfer@gmail.com> parents: diff changeset	2
22046 7a9cbb315d84 tests: replace exit 80 with #require Matt Mackall <mpm@selenic.com> parents: 18682 diff changeset	3 Proper https client requires the built-in ssl from Python 2.6.
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	4
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	5 Make server certificates:
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	6
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	7 $ CERTSDIR="$TESTDIR/sslcerts"
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	8 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	9 $ PRIV=`pwd`/server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	10 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	11 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	12
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	13 $ hg init test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	14 $ cd test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	15 $ echo foo>foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	16 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	17 $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	18 $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	19 $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	20 $ hg commit -A -m 1
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	21 adding foo
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	22 adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	23 adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	24 adding foo.d/foo
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	25 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	26 $ cat ../hg0.pid >> $DAEMON_PIDS
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	27
13544 66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	28 cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	29
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	30 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	31 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13544 66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	32 abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	33 [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist timeless <timeless@gmail.com> parents: 13439 diff changeset	34
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	35 Test server address cannot be reused
4289 e17598881509 test-http: use printenv.py Alexis S. L. Carvalho <alexis@cecm.usp.br> parents: 4130 diff changeset	36
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	37 #if windows
3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31009 161ab32b44a1 runtests: set web.address to localhost Jun Wu <quark@fb.com> parents: 31008 diff changeset	39 abort: cannot start server at 'localhost:$HGPORT':
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	40 [255]
3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	41 #else
12740 b86c6954ec4c serve: fix https mode and add test Mads Kiilerich <mads@kiilerich.com> parents: 12643 diff changeset	42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
31009 161ab32b44a1 runtests: set web.address to localhost Jun Wu <quark@fb.com> parents: 31008 diff changeset	43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	44 [255]
17023 3e2d8120528b test-http and test-https: partially adapt for Windows Adrian Buehlmann <adrian@cadifra.com> parents: 17018 diff changeset	45 #endif
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	46 $ cd ..
2612 ffb895f16925 add support for streaming clone. Vadim Gelfer <vadim.gelfer@gmail.com> parents: diff changeset	47
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	48 Our test cert is not signed by a trusted CA. It should fail to verify if
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	49 we are able to load CA certs.
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	50
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	51 #if sslcontext defaultcacerts no-defaultcacertsloaded
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	52 $ hg clone https://localhost:$HGPORT/ copy-pull
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	54 abort: error: certificate verify failed (glob)
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	55 [255]
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	56 #endif
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	57
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	58 #if no-sslcontext defaultcacerts
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	59 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	60 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	61 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	62 abort: error: certificate verify failed (glob)
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	63 [255]
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	64 #endif
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	65
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	66 #if no-sslcontext windows
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	67 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29489 54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	69 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	70 abort: error: certificate verify failed (glob)
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	71 [255]
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	72 #endif
54ad81b0665f sslutil: handle default CA certificate loading on Windows Gregory Szorc <gregory.szorc@gmail.com> parents: 29481 diff changeset	73
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	74 #if no-sslcontext osx
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	75 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	76 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	77 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	78 abort: localhost certificate error: no certificate received
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	79 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	80 [255]
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	81 #endif
9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	82
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	83 #if defaultcacertsloaded
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	84 $ hg clone https://localhost:$HGPORT/ copy-pull
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	85 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29500 4b16a5bd9948 sslutil: try to find CA certficates in well-known locations Gregory Szorc <gregory.szorc@gmail.com> parents: 29499 diff changeset	86 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29481 5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	87 abort: error: certificate verify failed (glob)
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	88 [255]
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	89 #endif
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	90
5caa415aa48b tests: better testing of loaded certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29449 diff changeset	91 #if no-defaultcacerts
29448 afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	92 $ hg clone https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	93 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29499 9c5325c79683 sslutil: issue warning when unable to load certificates on OS X Gregory Szorc <gregory.szorc@gmail.com> parents: 29489 diff changeset	94 (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
29448 afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	95 abort: localhost certificate error: no certificate received
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
29448 afbe1fe4c44e tests: test case where default ca certs not available Gregory Szorc <gregory.szorc@gmail.com> parents: 29446 diff changeset	97 [255]
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	98 #endif
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	99
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	100 Specifying a per-host certificate file that doesn't exist will abort
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	101
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	102 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	103 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	104 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	105 [255]
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	106
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	107 A malformed per-host certificate file will raise an error
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	108
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	109 $ echo baddata > badca.pem
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	110 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	111 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	112 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	113 abort: error loading CA file badca.pem: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	114 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	115 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	116 #else
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	117 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	118 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29356 93b83ef78d1e tests: increase test-https malform error glob Durham Goode <durham@fb.com> parents: 29334 diff changeset	119 abort: error: * (glob)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	120 [255]
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	121 #endif
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	122
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	123 A per-host certificate mismatching the server will fail verification
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	124
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	125 (modern ssl is able to discern whether the loaded cert is a CA cert)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	126 #if sslcontext
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	127 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	128 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	129 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	130 abort: error: certificate verify failed (glob)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	131 [255]
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	132 #else
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	133 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	134 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	135 abort: error: certificate verify failed (glob)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	136 [255]
29449 5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded Gregory Szorc <gregory.szorc@gmail.com> parents: 29448 diff changeset	137 #endif
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	138
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	139 A per-host certificate matching the server's cert will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	140
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	141 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	142 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	143 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	144 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	145 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	146 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	147 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	148
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	149 A per-host certificate with multiple certs and one matching will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	150
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	151 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	152 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	153 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	154 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	155 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	156 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	157 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	158 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	159
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	160 Defining both per-host certificate and a fingerprint will print a warning
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	161
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	162 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	163 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29334 ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	164 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	165 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	166 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	167 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	168 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	169 added 1 changesets with 4 changes to 4 files
ecc9b788fd69 sslutil: per-host config option to define certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29331 diff changeset	170
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	171 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
22575 d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs Mads Kiilerich <madski@unity3d.com> parents: 22046 diff changeset	172
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	173 Inability to verify peer certificate will result in abort
2673 109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks Vadim Gelfer <vadim.gelfer@gmail.com> parents: 2622 diff changeset	174
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	175 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	176 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	177 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	178 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	179 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	180
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	181 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	182 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	183 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	184 requesting all changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	185 adding changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	186 adding manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	187 adding file changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	188 added 1 changesets with 4 changes to 4 files
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	189 updating to branch default
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	190 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	191 $ hg verify -R copy-pull
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	192 checking changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	193 checking manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	194 crosschecking files in changesets and manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	195 checking files
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	196 4 files, 1 changesets, 4 total revisions
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	197 $ cd test
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	198 $ echo bar > bar
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	199 $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	200 adding bar
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	201 $ cd ..
2673 109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks Vadim Gelfer <vadim.gelfer@gmail.com> parents: 2622 diff changeset	202
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	203 pull without cacert
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	204
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	205 $ cd copy-pull
30234 34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	206 $ cat >> .hg/hgrc <<EOF
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	207 > [hooks]
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	208 > changegroup = sh -c "printenv.py changegroup"
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability FUJIWARA Katsunori <foozy@lares.dti.ne.jp> parents: 29842 diff changeset	209 > EOF
29288 7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading Gregory Szorc <gregory.szorc@gmail.com> parents: 29268 diff changeset	210 $ hg pull $DISABLECACERTS
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	211 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	212 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	213 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	214 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	215 [255]
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	216
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	217 $ hg pull --insecure
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	218 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	219 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29411 e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC) Gregory Szorc <gregory.szorc@gmail.com> parents: 29356 diff changeset	220 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	221 searching for changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	222 adding changesets
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	223 adding manifests
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	224 adding file changes
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	225 added 1 changesets with 1 changes to 1 files
27739 d6d3cf5fda6f hooks: add HG_NODE_LAST to txnclose and changegroup hook environments Mateusz Kwapich <mitrandir@fb.com> parents: 25478 diff changeset	226 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
12446 df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	227 (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http Matt Mackall <mpm@selenic.com> parents: 10414 diff changeset	228 $ cd ..
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	229
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	230 cacert configured in local repo
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	231
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	232 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	233 $ echo "[web]" >> copy-pull/.hg/hgrc
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	234 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
29842 d5497eb1d768 test-https: drop two spurious --traceback flags Augie Fackler <augie@google.com> parents: 29635 diff changeset	235 $ hg -R copy-pull pull
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	236 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	237 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	238 searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	239 no changes found
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	240 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	241
13231 b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	242 cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	243 variables in the filename
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	244
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	245 $ echo "[web]" >> $HGRCPATH
13231 b335882c2f21 url: expand path for web.cacerts Eduard-Cristian Stefan <alexandrul.ct@gmail.com> parents: 13192 diff changeset	246 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	247 $ P="$CERTSDIR" hg -R copy-pull pull
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	248 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	249 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	250 searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	251 no changes found
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	252 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	253 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	254 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	255 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	256 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	257 no changes found
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	258
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	259 empty cacert file
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	260
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	261 $ touch emptycafile
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	262
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	263 #if sslcontext
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	264 $ hg --config web.cacerts=emptycafile -R copy-pull pull
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	265 pulling from https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	266 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	267 abort: error loading CA file emptycafile: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	268 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	269 [255]
2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	270 #else
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	271 $ hg --config web.cacerts=emptycafile -R copy-pull pull
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	272 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	273 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	274 abort: error: * (glob)
072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	275 [255]
29446 2f7f1e10f840 sslutil: display a better error message when CA file loading fails Gregory Szorc <gregory.szorc@gmail.com> parents: 29445 diff changeset	276 #endif
29445 072e4a595607 tests: add test for empty CA certs file Gregory Szorc <gregory.szorc@gmail.com> parents: 29411 diff changeset	277
13192 4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	278 cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo Mads Kiilerich <mads@kiilerich.com> parents: 13163 diff changeset	279
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	280 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	281 > https://$LOCALIP:$HGPORT/
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	282 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	283 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	284 abort: $LOCALIP certificate error: certificate is for localhost
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	285 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	286 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	287 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	288 > https://$LOCALIP:$HGPORT/ --insecure
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	289 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	290 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	291 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	292 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	293 no changes found
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	294 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	295 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	296 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	297 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	298 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	299 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	300 > --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	301 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	302 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	303 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328 a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	304 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates Yuya Nishihara <yuya@tcha.org> parents: 13314 diff changeset	305 no changes found
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	306
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	307 Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	308
28549 e01bd7385f4f tests: reorder hg serve commands Jun Wu <quark@fb.com> parents: 28525 diff changeset	309 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	310 $ cat hg1.pid >> $DAEMON_PIDS
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	311 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	312 > https://localhost:$HGPORT1/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	313 pulling from https://localhost:$HGPORT1/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	314 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	315 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	316 [255]
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	317
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	318 Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	319
28549 e01bd7385f4f tests: reorder hg serve commands Jun Wu <quark@fb.com> parents: 28525 diff changeset	320 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	321 $ cat hg2.pid >> $DAEMON_PIDS
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	322 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	323 > https://localhost:$HGPORT2/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	324 pulling from https://localhost:$HGPORT2/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	325 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	326 abort: error: certificate verify failed (glob)
12741 949dfdb3ad2d test-https: test web.cacerts functionality Mads Kiilerich <mads@kiilerich.com> parents: 12740 diff changeset	327 [255]
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	328
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	329 Disabling the TLS 1.0 warning works
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	330 $ hg -R copy-pull id https://localhost:$HGPORT/ \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	331 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	332 > --config hostsecurity.disabletls10warning=true
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	333 5fed3813f7f5
1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	334
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	335 #if no-sslcontext no-py27+
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	336 Setting ciphers doesn't work in Python 2.6
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	337 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	338 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	339 abort: setting ciphers in [hostsecurity] is not supported by this version of Python
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	340 (remove the config option or run Mercurial with a modern Python version (preferred))
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	341 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	342 #endif
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	343
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	344 Setting ciphers works in Python 2.7+ but the error message is different on
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	345 legacy ssl. We test legacy once and do more feature checking on modern
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	346 configs.
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	347
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	348 #if py27+ no-sslcontext
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	349 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	350 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	351 abort: *No cipher can be selected. (glob)
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	352 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	353
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	354 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	355 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	356 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	357 #endif
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	358
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	359 #if sslcontext
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	360 Setting ciphers to an invalid value aborts
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	361 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	362 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	363 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	364 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	365 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	366
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	367 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	368 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	369 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	370 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	371 [255]
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	372
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	373 Changing the cipher string works
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	374
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	375 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	376 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29577 9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	377 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	378 #endif
9654ef41f7cc sslutil: support defining cipher list Gregory Szorc <gregory.szorc@gmail.com> parents: 29561 diff changeset	379
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	380 Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	381
30332 318a24b52eeb spelling: fixes of non-dictionary words Mads Kiilerich <madski@unity3d.com> parents: 30234 diff changeset	382 - works without cacerts (hostfingerprints)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	383 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	385 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	386 5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	387
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	388 - works without cacerts (hostsecurity)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	389 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	390 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	391 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	392
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	393 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	394 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	395 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	396
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	397 - multiple fingerprints specified and first matches
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	398 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	399 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	400 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	401 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	402
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	403 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	404 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	405 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	406
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	407 - multiple fingerprints specified and last matches
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	408 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	409 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	410 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	411 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	412
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	413 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	414 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	415 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	416
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	417 - multiple fingerprints specified and none match
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	418
28847 3e576fe66715 tests: use --insecure instead of web.cacerts=! Gregory Szorc <gregory.szorc@gmail.com> parents: 28549 diff changeset	419 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	420 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	421 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
28525 dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	422 (check hostfingerprint configuration)
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	423 [255]
dfb21c34e07d sslutil: allow multiple fingerprints per host Gregory Szorc <gregory.szorc@gmail.com> parents: 27739 diff changeset	424
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	425 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	426 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	427 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29268 f200b58497f1 sslutil: reference appropriate config section in messaging Gregory Szorc <gregory.szorc@gmail.com> parents: 29267 diff changeset	428 (check hostsecurity configuration)
29267 f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	429 [255]
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity] Gregory Szorc <gregory.szorc@gmail.com> parents: 29263 diff changeset	430
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	431 - fails when cert doesn't match hostname (port is ignored)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	432 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	433 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29526 9d02bed8477b tests: regenerate x509 test certificates Gregory Szorc <gregory.szorc@gmail.com> parents: 29519 diff changeset	434 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
15997 a45516cb8d9f sslutil: more helpful fingerprint mismatch message Matt Mackall <mpm@selenic.com> parents: 15814 diff changeset	435 (check hostfingerprint configuration)
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	436 [255]
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	437
18588 3241fc65e3cd test-https.t: stop using kill `cat $pidfile` Augie Fackler <raf@durin42.com> parents: 18354 diff changeset	438
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	439 - ignores that certificate doesn't match hostname
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	440 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	441 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	442 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314 8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates Mads Kiilerich <mads@kiilerich.com> parents: 13231 diff changeset	443 5fed3813f7f5
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	444
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	445 Ports used by next test. Kill servers.
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	446
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	447 $ killdaemons.py hg0.pid
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	448 $ killdaemons.py hg1.pid
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	449 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	450
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	451 #if sslcontext tls1.2
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	452 Start servers running supported TLS versions
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	453
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	454 $ cd test
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	455 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	456 > --config devel.serverexactprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	457 $ cat ../hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	458 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	459 > --config devel.serverexactprotocol=tls1.1
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	460 $ cat ../hg1.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	461 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	462 > --config devel.serverexactprotocol=tls1.2
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	463 $ cat ../hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	464 $ cd ..
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	465
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	466 Clients talking same TLS versions work
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	467
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	468 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	469 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	470 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	471 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	472 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	473 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	474
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	475 Clients requiring newer TLS version than what server supports fail
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	476
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	477 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	478 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	479 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	480 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29560 303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	481 abort: error: unsupported protocol (glob)
303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	482 [255]
303e9300772a sslutil: require TLS 1.1+ when supported Gregory Szorc <gregory.szorc@gmail.com> parents: 29559 diff changeset	483
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	484 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	485 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	486 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	487 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	488 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	489 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	490 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	491 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	492 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	493 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	494 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	495 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	496 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	497 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	498 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	499 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	500 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	501 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	502
29617 2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	503 --insecure will allow TLS 1.0 connections and override configs
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	504
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	505 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	506 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	507 5fed3813f7f5
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used Gregory Szorc <gregory.szorc@gmail.com> parents: 29616 diff changeset	508
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	509 The per-host config option overrides the default
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	510
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	511 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	512 > --config hostsecurity.minimumprotocol=tls1.2 \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	513 > --config hostsecurity.localhost:minimumprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	514 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	515
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	516 The per-host config option by itself works
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	517
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	518 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	519 > --config hostsecurity.localhost:minimumprotocol=tls1.2
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	520 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	521 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	522 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	523 abort: error: unsupported protocol (glob)
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	524 [255]
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	525
29616 3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	526 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	527
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	528 $ cat >> copy-pull/.hg/hgrc << EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	529 > [hostsecurity]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	530 > localhost:minimumprotocol=tls1.2
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	531 > EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	532 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
29619 53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	533 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	534 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303) Gregory Szorc <gregory.szorc@gmail.com> parents: 29617 diff changeset	535 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
29635 dee24c87dbf0 tests: glob over ssl error Gregory Szorc <gregory.szorc@gmail.com> parents: 29619 diff changeset	536 abort: error: unsupported protocol (glob)
29616 3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	537 [255]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305) Gregory Szorc <gregory.szorc@gmail.com> parents: 29601 diff changeset	538
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	539 $ killdaemons.py hg0.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	540 $ killdaemons.py hg1.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	541 $ killdaemons.py hg2.pid
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	542 #endif
16300 74e114ac6ec1 tests: fix startup/shutdown races in test-https Matt Mackall <mpm@selenic.com> parents: 16107 diff changeset	543
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	544 Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	545
29559 7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	546 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	547 $ cat hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	548 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	549 $ cat hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	550 tinyproxy.py doesn't fully detach, so killing it may result in extra output
7dec5e441bf7 sslutil: config option to specify TLS protocol version Gregory Szorc <gregory.szorc@gmail.com> parents: 29555 diff changeset	551 from the shell. So don't kill it.
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	552 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496 abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command Mads Kiilerich <mads@kiilerich.com> parents: 16300 diff changeset	553 $ while [ ! -f proxy.pid ]; do sleep 0; done
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	554 $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	555
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	556 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	557 $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	558 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	559 $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	560
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	561 Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	562
29842 d5497eb1d768 test-https: drop two spurious --traceback flags Augie Fackler <augie@google.com> parents: 29635 diff changeset	563 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	564 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	565 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29289 3536673a25ae sslutil: move and change warning when cert verification is disabled Gregory Szorc <gregory.szorc@gmail.com> parents: 29288 diff changeset	566 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	567 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	568 no changes found
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	569
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	570 Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	571
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	572 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	573 > --config web.cacerts="$CERTSDIR/pub.pem"
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	574 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	575 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	576 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	577 no changes found
31008 636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	578 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	579 pulling from https://*:$HGPORT/ (glob)
636cf3f7620d tests: use LOCALIP Jun Wu <quark@fb.com> parents: 30332 diff changeset	580 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
31290 f819aa9dbbf9 sslutil: issue warning when [hostfingerprint] is used Gregory Szorc <gregory.szorc@gmail.com> parents: 31009 diff changeset	581 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13423 4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	582 searching for changes
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	583 no changes found
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	584
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	585 Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy Mads Kiilerich <mads@kiilerich.com> parents: 13401 diff changeset	586
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	587 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	588 > --config web.cacerts="$CERTSDIR/pub-other.pem"
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	589 pulling from https://localhost:$HGPORT/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	590 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	591 abort: error: certificate verify failed (glob)
13424 08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation Mads Kiilerich <mads@kiilerich.com> parents: 13423 diff changeset	592 [255]
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	593 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	594 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
24138 eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo Thomas Arendsen Hein <thomas@intevation.de> parents: 23823 diff changeset	595 pulling from https://localhost:$HGPORT2/
29561 1a782fabf80d sslutil: print a warning when using TLS 1.0 on legacy Python Gregory Szorc <gregory.szorc@gmail.com> parents: 29560 diff changeset	596 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
23823 bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9 Augie Fackler <augie@google.com> parents: 23042 diff changeset	597 abort: error: certificate verify failed (glob)
13424 08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation Mads Kiilerich <mads@kiilerich.com> parents: 13423 diff changeset	598 [255]
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	599
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	600
25472 4d2b9b304ad0 tests: drop explicit $TESTDIR from executables Matt Mackall <mpm@selenic.com> parents: 25428 diff changeset	601 $ killdaemons.py hg0.pid
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	602
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	603 #if sslcontext
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	604
29555 121d11814c62 hgweb: use sslutil.wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29553 diff changeset	605 Start hgweb that requires client certificates:
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	606
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	607 $ cd test
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	608 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
29555 121d11814c62 hgweb: use sslutil.wrapserversocket() Gregory Szorc <gregory.szorc@gmail.com> parents: 29553 diff changeset	609 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	610 $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	611 $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	612
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	613 without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	614
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	615 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	616 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	617 abort: error: handshake failure (glob)
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	618 [255]
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	619
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	620 with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	621
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	622 $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	623 > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	624 > l.prefix = localhost
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	625 > l.cert = $CERTSDIR/client-cert.pem
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	626 > l.key = $CERTSDIR/client-key.pem
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	627 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	628
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	629 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	630 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	631 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	632 5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	633
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	634 $ printf '1234\n' \| env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	635 > --config ui.interactive=True --config ui.nontty=True
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	636 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	637 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	638
29331 1e02d9576194 tests: extract SSL certificates from test-https.t Yuya Nishihara <yuya@tcha.org> parents: 29293 diff changeset	639 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
29601 6cff2ac0ccb9 sslutil: more robustly detect protocol support Gregory Szorc <gregory.szorc@gmail.com> parents: 29577 diff changeset	640 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
25415 21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	641 abort: error: * (glob)
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	642 [255]
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648) Yuya Nishihara <yuya@tcha.org> parents: 25413 diff changeset	643
25413 4d705f6a3c35 test-https: test basic functions of client certificate authentication Yuya Nishihara <yuya@tcha.org> parents: 24740 diff changeset	644 #endif

Mercurial > hg

annotate tests/test-https.t @ 31315:78ac7061f840