annotate tests/test-https.t @ 52290:e03bc88776d3

tests: stop killing (most) https servers individually This is easier to manage, and avoids one nested conditional. There is one final sweep of killing individual servers near the end, but that's left alone because there's a comment about not killing `tinyproxy.py`, due to potentially emitting additional output.
author Matt Harbison <matt_harbison@yahoo.com>
date Mon, 11 Nov 2024 12:08:26 -0500
parents 323e3626929a
children 085cc409847d
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
1 #require serve ssl
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
2
22046
7a9cbb315d84 tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents: 18682
diff changeset
3 Proper https client requires the built-in ssl from Python 2.6.
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
4
41974
4748938ee0c7 test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents: 39489
diff changeset
5 Disable the system configuration which may set stricter TLS requirements.
4748938ee0c7 test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents: 39489
diff changeset
6 This test expects that legacy TLS versions are supported.
4748938ee0c7 test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents: 39489
diff changeset
7
4748938ee0c7 test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents: 39489
diff changeset
8 $ OPENSSL_CONF=
4748938ee0c7 test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents: 39489
diff changeset
9 $ export OPENSSL_CONF
4748938ee0c7 test-https: turn off system OpenSSL configuration
Yuya Nishihara <yuya@tcha.org>
parents: 39489
diff changeset
10
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
11 Make server certificates:
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
12
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
13 $ CERTSDIR="$TESTDIR/sslcerts"
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
14 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
15 $ PRIV=`pwd`/server.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
16 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
17 $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
18
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
19 $ hg init test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
20 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
21 $ echo foo>foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
22 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
23 $ echo foo>foo.d/foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
24 $ echo bar>foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
25 $ echo bar>foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
26 $ hg commit -A -m 1
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
27 adding foo
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
28 adding foo.d/bAr.hg.d/BaR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
29 adding foo.d/baR.d.hg/bAR
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
30 adding foo.d/foo
12740
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
31 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
b86c6954ec4c serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents: 12643
diff changeset
32 $ cat ../hg0.pid >> $DAEMON_PIDS
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
33
13544
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
34 cacert not found
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
35
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
36 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
37 abort: could not find web.cacerts: no-such.pem
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
38 [255]
66d65bccbf06 cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents: 13439
diff changeset
39
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
40 Test server address cannot be reused
4289
e17598881509 test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents: 4130
diff changeset
41
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
35233
1b22d325089c tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents: 34661
diff changeset
43 abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$
17023
3e2d8120528b test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents: 17018
diff changeset
44 [255]
35233
1b22d325089c tests: add a substitution for EADDRINUSE/WSAEADDRINUSE messages
Matt Harbison <matt_harbison@yahoo.com>
parents: 34661
diff changeset
45
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
46 $ cd ..
2612
ffb895f16925 add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff changeset
47
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
48 Our test cert is not signed by a trusted CA. It should fail to verify if
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
49 we are able to load CA certs.
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
50
44881
89f83e47e9c9 tests: remove "sslcontext" check
Manuel Jacob <me@manueljacob.de>
parents: 44879
diff changeset
51 #if no-defaultcacertsloaded
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
52 $ hg clone https://localhost:$HGPORT/ copy-pull
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
53 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
54 abort: error: *certificate verify failed* (glob)
45902
6da22a068281 tests: update test-https.t's #no-defaultcacertsloaded block with new exit code
Martin von Zweigbergk <martinvonz@google.com>
parents: 45839
diff changeset
55 [100]
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
56 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
57
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
58 #if defaultcacertsloaded
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
59 $ hg clone https://localhost:$HGPORT/ copy-pull
33494
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents: 33422
diff changeset
60 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
61 abort: error: *certificate verify failed* (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
62 [100]
29481
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
63 #endif
5caa415aa48b tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29449
diff changeset
64
31766
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31747
diff changeset
65 Specifying a per-host certificate file that doesn't exist will abort. The full
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31747
diff changeset
66 C:/path/to/msysroot will print on Windows.
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
67
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
68 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
31766
bdcaf612e75a tests: add globs for Windows
Matt Harbison <matt_harbison@yahoo.com>
parents: 31747
diff changeset
69 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
70 [255]
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
71
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
72 A malformed per-host certificate file will raise an error
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
73
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
74 $ echo baddata > badca.pem
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
75 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
76 abort: error loading CA file badca.pem: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
77 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
78 [255]
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
79
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
80 A per-host certificate mismatching the server will fail verification
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
81
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
82 (modern ssl is able to discern whether the loaded cert is a CA cert)
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
33494
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents: 33422
diff changeset
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
29449
5b71a8d7f7ff sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29448
diff changeset
86 abort: error: *certificate verify failed* (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
87 [100]
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
88
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
89 A per-host certificate matching the server's cert will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
90
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
92 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
93 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
94 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
95 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
96 added 1 changesets with 4 changes to 4 files
34661
eb586ed5d8ce transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents: 33695
diff changeset
97 new changesets 8b6053c928fe
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
98
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
99 A per-host certificate with multiple certs and one matching will be accepted
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
100
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
101 $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
102 $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
103 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
104 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
105 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
106 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
107 added 1 changesets with 4 changes to 4 files
34661
eb586ed5d8ce transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents: 33695
diff changeset
108 new changesets 8b6053c928fe
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
109
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
110 Defining both per-host certificate and a fingerprint will print a warning
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
111
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
112 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
113 (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
114 requesting all changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
115 adding changesets
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
116 adding manifests
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
117 adding file changes
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
118 added 1 changesets with 4 changes to 4 files
34661
eb586ed5d8ce transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents: 33695
diff changeset
119 new changesets 8b6053c928fe
29334
ecc9b788fd69 sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29331
diff changeset
120
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
121 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
22575
d7f7f1860f00 ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents: 22046
diff changeset
122
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
123 Inability to verify peer certificate will result in abort
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
124
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
45915
8f50dc096cf4 errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents: 45902
diff changeset
128 [150]
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
129
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
132 requesting all changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
133 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
134 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
135 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
136 added 1 changesets with 4 changes to 4 files
34661
eb586ed5d8ce transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents: 33695
diff changeset
137 new changesets 8b6053c928fe
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
138 updating to branch default
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
139 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
49825
2f2682f40ea0 tests: use the `--quiet` flag for verify when applicable
Raphaël Gomès <rgomes@octobus.net>
parents: 49525
diff changeset
140 $ hg verify -R copy-pull -q
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
141 $ cd test
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
142 $ echo bar > bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
143 $ hg commit -A -d '1 0' -m 2
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
144 adding bar
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
145 $ cd ..
2673
109a22f5434a hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents: 2622
diff changeset
146
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
147 pull without cacert
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
148
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
149 $ cd copy-pull
30234
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
150 $ cat >> .hg/hgrc <<EOF
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
151 > [hooks]
41641
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
152 > changegroup = sh -c "printenv.py --line changegroup"
30234
34a5f6c66bc5 tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents: 29842
diff changeset
153 > EOF
29288
7dee15dee53c sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29268
diff changeset
154 $ hg pull $DISABLECACERTS
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
155 pulling from https://localhost:$HGPORT/
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
156 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
157 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
45915
8f50dc096cf4 errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents: 45902
diff changeset
158 [150]
29411
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
159
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
160 $ hg pull --insecure
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
161 pulling from https://localhost:$HGPORT/
e1778b9c8d53 sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29356
diff changeset
162 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
163 searching for changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
164 adding changesets
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
165 adding manifests
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
166 adding file changes
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
167 added 1 changesets with 1 changes to 1 files
34661
eb586ed5d8ce transaction-summary: show the range of new revisions upon pull/unbundle (BC)
Denis Laxalde <denis.laxalde@logilab.fr>
parents: 33695
diff changeset
168 new changesets 5fed3813f7f5
41641
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
169 changegroup hook: HG_HOOKNAME=changegroup
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
170 HG_HOOKTYPE=changegroup
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
171 HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
172 HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
173 HG_SOURCE=pull
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
174 HG_TXNID=TXN:$ID$
41896
94faa2e84094 transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 41641
diff changeset
175 HG_TXNNAME=pull
94faa2e84094 transaction: include txnname in the hookargs dictionary
Pierre-Yves David <pierre-yves.david@octobus.net>
parents: 41641
diff changeset
176 https://localhost:$HGPORT/
41641
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
177 HG_URL=https://localhost:$HGPORT/
e857dbb02dc3 test: use `printenv.py --line` in `test-https.t`
Boris Feld <boris.feld@octobus.net>
parents: 39489
diff changeset
178
12446
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
179 (run 'hg update' to get a working copy)
df57227a72bf tests: unify test-http
Matt Mackall <mpm@selenic.com>
parents: 10414
diff changeset
180 $ cd ..
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
181
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
182 cacert configured in local repo
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
183
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
184 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
185 $ echo "[web]" >> copy-pull/.hg/hgrc
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
186 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
29842
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
187 $ hg -R copy-pull pull
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
188 pulling from https://localhost:$HGPORT/
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
189 searching for changes
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
190 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
191 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
192
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
193 cacert configured globally, also testing expansion of environment
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
194 variables in the filename
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
195
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
196 $ echo "[web]" >> $HGRCPATH
13231
b335882c2f21 url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents: 13192
diff changeset
197 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
198 $ P="$CERTSDIR" hg -R copy-pull pull
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
199 pulling from https://localhost:$HGPORT/
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
200 searching for changes
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
201 no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
202 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
203 pulling from https://localhost:$HGPORT/
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
204 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
205 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
206 no changes found
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
207
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
208 empty cacert file
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
209
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
210 $ touch emptycafile
29446
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
211
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
212 $ hg --config web.cacerts=emptycafile -R copy-pull pull
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
213 pulling from https://localhost:$HGPORT/
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
214 abort: error loading CA file emptycafile: * (glob)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
215 (file is empty or malformed?)
2f7f1e10f840 sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29445
diff changeset
216 [255]
29445
072e4a595607 tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29411
diff changeset
217
13192
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
218 cacert mismatch
4d03707916d3 https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents: 13163
diff changeset
219
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
220 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
221 > https://$LOCALIP:$HGPORT/
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
222 pulling from https://*:$HGPORT/ (glob)
31813
68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents: 31768
diff changeset
223 abort: $LOCALIP certificate error: certificate is for localhost (glob)
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
224 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
45915
8f50dc096cf4 errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents: 45902
diff changeset
225 [150]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
226 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
227 > https://$LOCALIP:$HGPORT/ --insecure
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
228 pulling from https://*:$HGPORT/ (glob)
31813
68bd8cd381a3 tests: fix missing (glob) annotations in test-https.t
Augie Fackler <augie@google.com>
parents: 31768
diff changeset
229 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
230 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
231 no changes found
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
232 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
233 pulling from https://localhost:$HGPORT/
33494
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents: 33422
diff changeset
234 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
235 abort: error: *certificate verify failed* (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
236 [100]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
238 > --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
239 pulling from https://localhost:$HGPORT/
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
240 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13328
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
241 searching for changes
a939f08fae9c url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents: 13314
diff changeset
242 no changes found
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
243
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
244 Test server cert which isn't valid yet
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
245
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
246 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
247 $ cat hg1.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
248 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
249 > https://localhost:$HGPORT1/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
250 pulling from https://localhost:$HGPORT1/
33494
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents: 33422
diff changeset
251 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
252 abort: error: *certificate verify failed* (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
253 [100]
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
254
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
255 Test server cert which no longer is valid
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
256
28549
e01bd7385f4f tests: reorder hg serve commands
Jun Wu <quark@fb.com>
parents: 28525
diff changeset
257 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
12741
949dfdb3ad2d test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents: 12740
diff changeset
258 $ cat hg2.pid >> $DAEMON_PIDS
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
259 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
260 > https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
261 pulling from https://localhost:$HGPORT2/
33494
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents: 33422
diff changeset
262 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
263 abort: error: *certificate verify failed* (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
264 [100]
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
265
29577
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
266 Setting ciphers to an invalid value aborts
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
267 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
268 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
269 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
270 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
271
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
272 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
273 abort: could not set ciphers: No cipher can be selected.
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
274 (change cipher string (invalid) in config)
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
275 [255]
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
276
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
277 Changing the cipher string works
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
278
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
279 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
280 5fed3813f7f5
9654ef41f7cc sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29561
diff changeset
281
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
282 Fingerprints
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
283
30332
318a24b52eeb spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents: 30234
diff changeset
284 - works without cacerts (hostfingerprints)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
285 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
32273
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32245
diff changeset
286 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
287 5fed3813f7f5
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
288
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
289 - works without cacerts (hostsecurity)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
291 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
292
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
293 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
294 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
295
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
296 - multiple fingerprints specified and first matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
297 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
32273
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32245
diff changeset
298 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
299 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
300
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
301 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
302 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
303
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
304 - multiple fingerprints specified and last matches
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
305 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
32273
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32245
diff changeset
306 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
307 5fed3813f7f5
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
308
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
309 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
310 5fed3813f7f5
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
311
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
312 - multiple fingerprints specified and none match
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
313
28847
3e576fe66715 tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents: 28549
diff changeset
314 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
315 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
316 (check hostfingerprint configuration)
45915
8f50dc096cf4 errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents: 45902
diff changeset
317 [150]
28525
dfb21c34e07d sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents: 27739
diff changeset
318
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
319 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
320 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
29268
f200b58497f1 sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29267
diff changeset
321 (check hostsecurity configuration)
45915
8f50dc096cf4 errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents: 45902
diff changeset
322 [150]
29267
f0ccb6cde3e5 sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29263
diff changeset
323
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
324 - fails when cert doesn't match hostname (port is ignored)
29526
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
325 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
9d02bed8477b tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29519
diff changeset
326 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
15997
a45516cb8d9f sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents: 15814
diff changeset
327 (check hostfingerprint configuration)
45915
8f50dc096cf4 errors: introduce SecurityError and use it in a few places
Martin von Zweigbergk <martinvonz@google.com>
parents: 45902
diff changeset
328 [150]
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
329
18588
3241fc65e3cd test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents: 18354
diff changeset
330
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
331 - ignores that certificate doesn't match hostname
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
332 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
32273
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32245
diff changeset
333 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13314
8dc488dfcdb4 url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents: 13231
diff changeset
334 5fed3813f7f5
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
335
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
336 Ports used by next test. Kill servers.
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
337
52290
e03bc88776d3 tests: stop killing (most) https servers individually
Matt Harbison <matt_harbison@yahoo.com>
parents: 52289
diff changeset
338 $ killdaemons.py $DAEMON_PIDS
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
339
44881
89f83e47e9c9 tests: remove "sslcontext" check
Manuel Jacob <me@manueljacob.de>
parents: 44879
diff changeset
340 #if tls1.2
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
341 Start servers running supported TLS versions
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
342
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
343 $ cd test
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
344 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
50341
698ffff7024b configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents: 49825
diff changeset
345 > --config devel.server-insecure-exact-protocol=tls1.0
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
346 $ cat ../hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
347 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
50341
698ffff7024b configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents: 49825
diff changeset
348 > --config devel.server-insecure-exact-protocol=tls1.1
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
349 $ cat ../hg1.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
350 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
50341
698ffff7024b configitems: make devel.serverexactprotocol look dangerous
pacien <pacien.trangirard@pacien.net>
parents: 49825
diff changeset
351 > --config devel.server-insecure-exact-protocol=tls1.2
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
352 $ cat ../hg2.pid >> $DAEMON_PIDS
52289
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
353 #if tls1.3
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
354 $ hg serve -p $HGPORT3 -d --pid-file=../hg3.pid --certificate=$PRIV \
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
355 > --config devel.server-insecure-exact-protocol=tls1.3
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
356 $ cat ../hg3.pid >> $DAEMON_PIDS
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
357 #endif
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
358 $ cd ..
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
359
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
360 Clients talking same TLS versions work
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
361
50342
c54e9bb5737e sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents: 50341
diff changeset
362 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT/
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
363 5fed3813f7f5
50342
c54e9bb5737e sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents: 50341
diff changeset
364 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT1/
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
365 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
366 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
367 5fed3813f7f5
52289
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
368 #if tls1.3
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
369 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT3/
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
370 5fed3813f7f5
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
371 #endif
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
372
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
373 Clients requiring newer TLS version than what server supports fail
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
374
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
375 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
376 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
377 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
378 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
49057
27ef2aa953dd sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents: 49056
diff changeset
379 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
380 [100]
29560
303e9300772a sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29559
diff changeset
381
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
382 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
383 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
384 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
385 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
49057
27ef2aa953dd sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents: 49056
diff changeset
386 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
387 [100]
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
388 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
389 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
390 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
391 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
49057
27ef2aa953dd sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents: 49056
diff changeset
392 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
393 [100]
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
394 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
395 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
396 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
397 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
49057
27ef2aa953dd sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents: 49056
diff changeset
398 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
399 [100]
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
400
52289
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
401 #if tls1.3
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
402 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT/
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
403 (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
404 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
405 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
406 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
407 [100]
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
408 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT1/
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
409 (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
410 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
411 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
412 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
413 [100]
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
414 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT2/
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
415 (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
416 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
417 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
418 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
419 [100]
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
420 #endif
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
421
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
422
29617
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
423 --insecure will allow TLS 1.0 connections and override configs
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
424
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
425 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
426 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
427 5fed3813f7f5
2960ceee1948 sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29616
diff changeset
428
52289
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
429 #if tls1.3
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
430 $ hg --config hostsecurity.minimumprotocol=tls1.3 id --insecure https://localhost:$HGPORT2/
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
431 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
432 5fed3813f7f5
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
433 #endif
323e3626929a sslutil: add support for clients to set TLSv1.3 as the minimum protocol
Matt Harbison <matt_harbison@yahoo.com>
parents: 51942
diff changeset
434
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
435 The per-host config option overrides the default
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
436
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
437 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
50342
c54e9bb5737e sslutil: set context security level for legacy tls testing (issue6760)
pacien <pacien.trangirard@pacien.net>
parents: 50341
diff changeset
438 > --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" \
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
439 > --config hostsecurity.minimumprotocol=tls1.2 \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
440 > --config hostsecurity.localhost:minimumprotocol=tls1.0
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
441 5fed3813f7f5
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
442
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
443 The per-host config option by itself works
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
444
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
445 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
446 > --config hostsecurity.localhost:minimumprotocol=tls1.2
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
447 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
448 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
449 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
49057
27ef2aa953dd sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents: 49056
diff changeset
450 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
451 [100]
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
452
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
453 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
454
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
455 $ cat >> copy-pull/.hg/hgrc << EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
456 > [hostsecurity]
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
457 > localhost:minimumprotocol=tls1.2
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
458 > EOF
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
459 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
29619
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
460 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
461 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
53e80179bd6a sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29617
diff changeset
462 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
49057
27ef2aa953dd sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code
Julien Cristau <jcristau@debian.org>
parents: 49056
diff changeset
463 abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
464 [100]
29616
3fde328d0913 hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29601
diff changeset
465
52290
e03bc88776d3 tests: stop killing (most) https servers individually
Matt Harbison <matt_harbison@yahoo.com>
parents: 52289
diff changeset
466 $ killdaemons.py $DAEMON_PIDS
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
467 #endif
16300
74e114ac6ec1 tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents: 16107
diff changeset
468
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
469 Prepare for connecting through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
470
29559
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
471 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
472 $ cat hg0.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
473 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
474 $ cat hg2.pid >> $DAEMON_PIDS
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
475 tinyproxy.py doesn't fully detach, so killing it may result in extra output
7dec5e441bf7 sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29555
diff changeset
476 from the shell. So don't kill it.
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
477 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
16496
abbabbbe4ec2 tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents: 16300
diff changeset
478 $ while [ ! -f proxy.pid ]; do sleep 0; done
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
479 $ cat proxy.pid >> $DAEMON_PIDS
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
480
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
481 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
482 $ echo "always=True" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
483 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
484 $ echo "localhost =" >> copy-pull/.hg/hgrc
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
485
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
486 Test unvalidated https through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
487
29842
d5497eb1d768 test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents: 29635
diff changeset
488 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
489 pulling from https://localhost:$HGPORT/
29289
3536673a25ae sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29288
diff changeset
490 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
491 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
492 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
493
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
494 Test https with cacert and fingerprint through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
495
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
496 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
497 > --config web.cacerts="$CERTSDIR/pub.pem"
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
498 pulling from https://localhost:$HGPORT/
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
499 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
500 no changes found
31008
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
501 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
636cf3f7620d tests: use LOCALIP
Jun Wu <quark@fb.com>
parents: 30332
diff changeset
502 pulling from https://*:$HGPORT/ (glob)
32273
2e455cbeac50 sslutil: tweak the legacy [hostfingerprints] warning message
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32245
diff changeset
503 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
13423
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
504 searching for changes
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
505 no changes found
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
506
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
507 Test https with cert problems through proxy
4e60dad2261f tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents: 13401
diff changeset
508
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
509 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
510 > --config web.cacerts="$CERTSDIR/pub-other.pem"
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
511 pulling from https://localhost:$HGPORT/
33494
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents: 33422
diff changeset
512 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
513 abort: error: *certificate verify failed* (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
514 [100]
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
515 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
516 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
24138
eabe44ec5af5 pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents: 23823
diff changeset
517 pulling from https://localhost:$HGPORT2/
33494
30f2715be123 sslutil: inform the user about how to fix an incomplete certificate chain
Matt Harbison <matt_harbison@yahoo.com>
parents: 33422
diff changeset
518 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
23823
bd72e75f09e7 test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents: 23042
diff changeset
519 abort: error: *certificate verify failed* (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
520 [100]
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
521
49277
51b07ac1991c url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents: 45915
diff changeset
522 Test when proxy can't connect to server
51b07ac1991c url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents: 45915
diff changeset
523
51b07ac1991c url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents: 45915
diff changeset
524 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure https://localhost:0/
51b07ac1991c url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents: 45915
diff changeset
525 pulling from https://localhost:0/
51942
73a43fe3e6fd tests: use pattern matching to mask `ECONNREFUSED` messages
Matt Harbison <matt_harbison@yahoo.com>
parents: 50342
diff changeset
526 abort: error: Tunnel connection failed: 404 (\$ECONNREFUSED\$|\$EADDRNOTAVAIL\$) (re)
49277
51b07ac1991c url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents: 45915
diff changeset
527 [100]
51b07ac1991c url: raise error if CONNECT request to proxy was unsuccessful
Manuel Jacob <me@manueljacob.de>
parents: 45915
diff changeset
528
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
529
25472
4d2b9b304ad0 tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents: 25428
diff changeset
530 $ killdaemons.py hg0.pid
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
531
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
532 $ cd test
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
533
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
534 Missing certificate file(s) are detected
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
535
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
536 $ hg serve -p $HGPORT --certificate=/missing/certificate \
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
537 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
33575
5b286cfe4fb0 test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents: 33494
diff changeset
538 abort: referenced certificate file (*/missing/certificate) does not exist (glob)
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
539 [255]
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
540
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
541 $ hg serve -p $HGPORT --certificate=$PRIV \
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
542 > --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
33575
5b286cfe4fb0 test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents: 33494
diff changeset
543 abort: referenced certificate file (*/missing/cafile) does not exist (glob)
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
544 [255]
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
545
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
546 Start hgweb that requires client certificates:
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
547
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
548 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
29555
121d11814c62 hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents: 29553
diff changeset
549 > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
550 $ cat ../hg0.pid >> $DAEMON_PIDS
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
551 $ cd ..
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
552
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
553 without client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
554
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
555 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
49058
d8a38186a092 test: accept another error message on lack of TLS client certificate
Julien Cristau <jcristau@debian.org>
parents: 49057
diff changeset
556 abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure|EOF occurred).* (re)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
557 [100]
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
558
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
559 with client certificate:
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
560
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
561 $ cat << EOT >> $HGRCPATH
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
562 > [auth]
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
563 > l.prefix = localhost
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
564 > l.cert = $CERTSDIR/client-cert.pem
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
565 > l.key = $CERTSDIR/client-key.pem
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
566 > EOT
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
567
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
568 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
569 > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
25413
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
570 5fed3813f7f5
4d705f6a3c35 test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents: 24740
diff changeset
571
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
572 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
573 > --config ui.interactive=True --config ui.nontty=True
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
574 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
575
29331
1e02d9576194 tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents: 29293
diff changeset
576 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
577 abort: error: * (glob)
45839
ebee234d952a errors: set detailed exit code to 100 for some remote errors
Martin von Zweigbergk <martinvonz@google.com>
parents: 44896
diff changeset
578 [100]
25415
21b536f01eda ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents: 25413
diff changeset
579
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
580 Missing certficate and key files result in error
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
581
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
582 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
33575
5b286cfe4fb0 test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents: 33494
diff changeset
583 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
584 (restore missing file or fix references in Mercurial config)
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
585 [255]
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
586
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
587 $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
33575
5b286cfe4fb0 test-https: properly conditionalize Windows vs non-Windows output
Matt Harbison <matt_harbison@yahoo.com>
parents: 33494
diff changeset
588 abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
33381
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
589 (restore missing file or fix references in Mercurial config)
3bdbbadddecc sslutil: check for missing certificate and key files (issue5598)
Gregory Szorc <gregory.szorc@gmail.com>
parents: 32273
diff changeset
590 [255]