annotate tests/test-https.t @ 27246:b288fb2724bf

wireproto: config options to disable bundle1 bundle2 is the new and preferred wire protocol format. For various reasons, server operators may wish to force clients to use it. One reason is performance. If a repository is stored in generaldelta, the server must recompute deltas in order to produce the bundle1 changegroup. This can be extremely expensive. For mozilla-central, bundle generation typically takes a few minutes. However, generating a non-gd bundle from a generaldelta encoded mozilla-central requires over 30 minutes of CPU! If a large repository like mozilla-central were encoded in generaldelta and non-gd clients connected, they could easily flood a server by cloning. This patch gives server operators config knobs to control whether bundle1 is allowed for push and pull operations. The default is to support legacy bundle1 clients, making this patch backwards compatible.
author Gregory Szorc <gregory.szorc@gmail.com>
date Fri, 04 Dec 2015 15:12:11 -0800
parents d19787db6fe0
children d6d3cf5fda6f
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
1 #require serve ssl
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
2
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
3 Proper https client requires the built-in ssl from Python 2.6.
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
4
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
5 Certificates created with:
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
6 printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
7 openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
8 Can be dumped with:
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
9 openssl x509 -in pub.pem -text
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
10
14193
c4de16642861 test-https.t: clean up superfluous trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 13654
diff changeset
11 $ cat << EOT > priv.pem
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
12 > -----BEGIN PRIVATE KEY-----
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
13 > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
14 > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
15 > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
16 > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
17 > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
18 > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
19 > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
20 > HY8gUVkVRVs=
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
21 > -----END PRIVATE KEY-----
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
22 > EOT
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
23
14193
c4de16642861 test-https.t: clean up superfluous trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 13654
diff changeset
24 $ cat << EOT > pub.pem
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
25 > -----BEGIN CERTIFICATE-----
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
26 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
27 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
28 > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
29 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
30 > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
31 > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
32 > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
33 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
34 > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
35 > -----END CERTIFICATE-----
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
36 > EOT
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
37 $ cat priv.pem pub.pem >> server.pem
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
38 $ PRIV=`pwd`/server.pem
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
39
14193
c4de16642861 test-https.t: clean up superfluous trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 13654
diff changeset
40 $ cat << EOT > pub-other.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
41 > -----BEGIN CERTIFICATE-----
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
42 > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
43 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
44 > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
45 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
46 > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
47 > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
48 > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
49 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
50 > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
51 > -----END CERTIFICATE-----
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
52 > EOT
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
53
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
54 pub.pem patched with other notBefore / notAfter:
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
55
14193
c4de16642861 test-https.t: clean up superfluous trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 13654
diff changeset
56 $ cat << EOT > pub-not-yet.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
57 > -----BEGIN CERTIFICATE-----
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
58 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
59 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
60 > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
61 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
62 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
63 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
64 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
65 > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
66 > -----END CERTIFICATE-----
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
67 > EOT
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
68 $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
69
14193
c4de16642861 test-https.t: clean up superfluous trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 13654
diff changeset
70 $ cat << EOT > pub-expired.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
71 > -----BEGIN CERTIFICATE-----
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
72 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
73 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
74 > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
75 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
76 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
77 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
78 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
79 > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
80 > -----END CERTIFICATE-----
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
81 > EOT
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
82 $ cat priv.pem pub-expired.pem > server-expired.pem
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
83
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
84 Client certificates created with:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
85 openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
86 openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
87 printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
88 openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
89 openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
90 -set_serial 01 -out client-cert.pem
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
91
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
92 $ cat << EOT > client-key.pem
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
93 > -----BEGIN RSA PRIVATE KEY-----
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
94 > Proc-Type: 4,ENCRYPTED
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
95 > DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
96 >
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
97 > JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
98 > BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
99 > jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
100 > Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
101 > u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
102 > CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
103 > bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
104 > -----END RSA PRIVATE KEY-----
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
105 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
106
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
107 $ cat << EOT > client-key-decrypted.pem
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
108 > -----BEGIN RSA PRIVATE KEY-----
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
109 > MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
110 > FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
111 > AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
112 > AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
113 > 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
114 > +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
115 > mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
116 > -----END RSA PRIVATE KEY-----
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
117 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
118
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
119 $ cat << EOT > client-cert.pem
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
120 > -----BEGIN CERTIFICATE-----
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
121 > MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
122 > GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
123 > OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
124 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
125 > R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
126 > MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
127 > NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
128 > -----END CERTIFICATE-----
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
129 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
130
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
131 $ hg init test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
132 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
133 $ echo foo>foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
134 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
135 $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
136 $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
137 $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
138 $ hg commit -A -m 1
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
139 adding foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
140 adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
141 adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
142 adding foo.d/foo
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
143 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
144 $ cat ../hg0.pid >> $DAEMON_PIDS
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
145
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
146 cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
147
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
148 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
149 abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
150 [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
151
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
152 Test server address cannot be reused
4289
e17598881509 test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents: 4130
diff changeset
153
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
154 #if windows
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
155 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
18682
408f2202bd80 tests: remove glob from output lines containing no glob character
Simon Heimberg <simohe@besonet.ch>
parents: 18588
diff changeset
156 abort: cannot start server at ':$HGPORT':
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
157 [255]
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
158 #else
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
159 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
160 abort: cannot start server at ':$HGPORT': Address already in use
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
161 [255]
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
162 #endif
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
163 $ cd ..
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
164
23042
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents: 22960
diff changeset
165 OS X has a dummy CA cert that enables use of the system CA store when using
2cd3fa4412dc ssl: only use the dummy cert hack if using an Apple Python (issue4410)
Mads Kiilerich <madski@unity3d.com>
parents: 22960
diff changeset
166 Apple's OpenSSL. This trick do not work with plain OpenSSL.
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
167
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
168 $ DISABLEOSXDUMMYCERT=
24289
07fafcd4bc74 test-https: enable dummycert test only if Apple python is used (issue4500)
Yuya Nishihara <yuya@tcha.org>
parents: 24138
diff changeset
169 #if defaultcacerts
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
170 $ hg clone https://localhost:$HGPORT/ copy-pull
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
171 abort: error: *certificate verify failed* (glob)
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
172 [255]
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
173
24290
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents: 24289
diff changeset
174 $ DISABLEOSXDUMMYCERT="--config=web.cacerts=!"
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
175 #endif
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
176
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
177 clone via pull
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
178
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
179 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
180 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
181 requesting all changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
182 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
183 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
184 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
185 added 1 changesets with 4 changes to 4 files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
186 updating to branch default
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
187 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
188 $ hg verify -R copy-pull
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
189 checking changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
190 checking manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
191 crosschecking files in changesets and manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
192 checking files
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
193 4 files, 1 changesets, 4 total revisions
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
194 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
195 $ echo bar > bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
196 $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
197 adding bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
198 $ cd ..
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
199
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
200 pull without cacert
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
201
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
202 $ cd copy-pull
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
203 $ echo '[hooks]' >> .hg/hgrc
25478
d19787db6fe0 tests: simplify printenv calls
Matt Mackall <mpm@selenic.com>
parents: 25472
diff changeset
204 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
205 $ hg pull $DISABLEOSXDUMMYCERT
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
206 pulling from https://localhost:$HGPORT/
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
207 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
208 searching for changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
209 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
210 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
211 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
212 added 1 changesets with 1 changes to 1 files
24740
d283517b260b transaction: introduce a transaction ID, to be available to all hooks
Pierre-Yves David <pierre-yves.david@fb.com>
parents: 24290
diff changeset
213 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
214 (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
215 $ cd ..
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
216
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
217 cacert configured in local repo
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
218
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
219 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
220 $ echo "[web]" >> copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
221 $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
222 $ hg -R copy-pull pull --traceback
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
223 pulling from https://localhost:$HGPORT/
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
224 searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
225 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
226 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
227
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
228 cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
229 variables in the filename
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
230
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
231 $ echo "[web]" >> $HGRCPATH
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
232 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
233 $ P=`pwd` hg -R copy-pull pull
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
234 pulling from https://localhost:$HGPORT/
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
235 searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
236 no changes found
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
237 $ P=`pwd` hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
238 pulling from https://localhost:$HGPORT/
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
239 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
240 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
241 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
242
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
243 cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
244
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
245 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
246 pulling from https://127.0.0.1:$HGPORT/
15814
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents: 15650
diff changeset
247 abort: 127.0.0.1 certificate error: certificate is for localhost
c3e958b50a22 sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents: 15650
diff changeset
248 (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
249 [255]
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
250 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
251 pulling from https://127.0.0.1:$HGPORT/
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
252 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
253 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
254 no changes found
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
255 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
256 pulling from https://localhost:$HGPORT/
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
257 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
258 [255]
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
259 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
260 pulling from https://localhost:$HGPORT/
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
261 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
262 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
263 no changes found
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
264
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
265 Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
266
14193
c4de16642861 test-https.t: clean up superfluous trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 13654
diff changeset
267 $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
268 $ cat hg1.pid >> $DAEMON_PIDS
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
269 $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
270 pulling from https://localhost:$HGPORT1/
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
271 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
272 [255]
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
273
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
274 Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
275
14193
c4de16642861 test-https.t: clean up superfluous trailing whitespace
Augie Fackler <durin42@gmail.com>
parents: 13654
diff changeset
276 $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
277 $ cat hg2.pid >> $DAEMON_PIDS
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
278 $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
279 pulling from https://localhost:$HGPORT2/
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
280 abort: error: *certificate verify failed* (glob)
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
281 [255]
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
282
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
283 Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
284
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
285 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
286 $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
287 $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
288
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
289 - works without cacerts
24290
b76d8c641746 ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
Yuya Nishihara <yuya@tcha.org>
parents: 24289
diff changeset
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
291 5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
292
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
293 - fails when cert doesn't match hostname (port is ignored)
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
294 $ hg -R copy-pull id https://localhost:$HGPORT1/
15997
a45516cb8d9f sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents: 15814
diff changeset
295 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
a45516cb8d9f sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents: 15814
diff changeset
296 (check hostfingerprint configuration)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
297 [255]
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
298
18588
3241fc65e3cd test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents: 18354
diff changeset
299
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
300 - ignores that certificate doesn't match hostname
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
301 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
302 5fed3813f7f5
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
303
18588
3241fc65e3cd test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents: 18354
diff changeset
304 HGPORT1 is reused below for tinyproxy tests. Kill that server.
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
305 $ killdaemons.py hg1.pid
16300
74e114ac6ec1 tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents: 16107
diff changeset
306
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
307 Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
308
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
309 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496
abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents: 16300
diff changeset
310 $ while [ ! -f proxy.pid ]; do sleep 0; done
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
311 $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
312
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
313 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
314 $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
315 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
316 $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
317
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
318 Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
319
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
320 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
321 pulling from https://localhost:$HGPORT/
13438
48463d889d4e tests: update test-https.t output
Mads Kiilerich <mads@kiilerich.com>
parents: 13424
diff changeset
322 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
323 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
324 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
325
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
326 Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
327
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
328 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
329 pulling from https://localhost:$HGPORT/
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
330 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
331 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
332 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
333 pulling from https://127.0.0.1:$HGPORT/
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
334 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
335 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
336
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
337 Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
338
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
339 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
340 pulling from https://localhost:$HGPORT/
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
341 abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
342 [255]
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
343 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
344 pulling from https://localhost:$HGPORT2/
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
345 abort: error: *certificate verify failed* (glob)
13424
08f9c587141f url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents: 13423
diff changeset
346 [255]
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
347
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
348
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
349 $ killdaemons.py hg0.pid
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
350
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
351 #if sslcontext
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
352
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
353 Start patched hgweb that requires client certificates:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
354
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
355 $ cat << EOT > reqclientcert.py
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
356 > import ssl
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
357 > from mercurial.hgweb import server
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
358 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
359 > @staticmethod
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
360 > def preparehttpserver(httpserver, ssl_cert):
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
361 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
362 > sslcontext.verify_mode = ssl.CERT_REQUIRED
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
363 > sslcontext.load_cert_chain(ssl_cert)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
364 > # verify clients by server certificate
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
365 > sslcontext.load_verify_locations(ssl_cert)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
366 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
367 > server_side=True)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
368 > server._httprequesthandlerssl = _httprequesthandlersslclientcert
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
369 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
370 $ cd test
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
371 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
372 > --config extensions.reqclientcert=../reqclientcert.py
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
373 $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
374 $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
375
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
376 without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
377
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
378 $ P=`pwd` hg id https://localhost:$HGPORT/
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
379 abort: error: *handshake failure* (glob)
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
380 [255]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
381
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
382 with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
383
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
384 $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
385 > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
386 > l.prefix = localhost
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
387 > l.cert = client-cert.pem
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
388 > l.key = client-key.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
389 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
390
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
391 $ P=`pwd` hg id https://localhost:$HGPORT/ \
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
392 > --config auth.l.key=client-key-decrypted.pem
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
393 5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
394
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
395 $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
396 > --config ui.interactive=True --config ui.nontty=True
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
397 passphrase for client-key.pem: 5fed3813f7f5
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
398
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
399 $ env P=`pwd` hg id https://localhost:$HGPORT/
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
400 abort: error: * (glob)
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
401 [255]
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
402
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
403 #endif