Mercurial > hg
comparison tests/test-patchbomb-tls.t @ 33494:30f2715be123
sslutil: inform the user about how to fix an incomplete certificate chain
This is a Windows only thing. Unfortunately, the socket is closed at this point
(so the certificate is unavailable to check the chain). That means it's printed
out when verification fails as a guess, on the assumption that 1) most of the
time verification won't fail, and 2) sites using expired or certs that are too
new will be rare. Maybe this is an argument for adding more functionality to
debugssl, to test for problems and print certificate info. Or maybe it's an
argument for bundling certificates with the Windows builds. That idea was set
aside when the enhanced SSL code went in last summer, and it looks like there
were issues with using certifi on Windows anyway[1].
This was tested by deleting the certificate out of certmgr.msc > "Third-Party
Root Certification Authorities" > "Certificates", seeing `hg pull` fail (with
the new message), trying this command, and then successfully performing the pull
command.
[1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2016-October/089573.html
| author | Matt Harbison <matt_harbison@yahoo.com> |
|---|---|
| date | Wed, 12 Jul 2017 18:37:13 -0400 |
| parents | 75be14993fda |
| children | 5abc47d4ca6b |
comparison
equal
deleted
inserted
replaced
| 33493:9a9f95214f46 | 33494:30f2715be123 |
|---|---|
| 65 this patch series consists of 1 patches. | 65 this patch series consists of 1 patches. |
| 66 | 66 |
| 67 | 67 |
| 68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | 68 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
| 69 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | 69 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
| 70 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | |
| 70 (?i)abort: .*?certificate.verify.failed.* (re) | 71 (?i)abort: .*?certificate.verify.failed.* (re) |
| 71 [255] | 72 [255] |
| 72 | 73 |
| 73 #endif | 74 #endif |
| 74 | 75 |
| 116 $ try --config web.cacerts="$CERTSDIR/pub-other.pem" | 117 $ try --config web.cacerts="$CERTSDIR/pub-other.pem" |
| 117 this patch series consists of 1 patches. | 118 this patch series consists of 1 patches. |
| 118 | 119 |
| 119 | 120 |
| 120 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) | 121 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
| 122 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) | |
| 121 (?i)abort: .*?certificate.verify.failed.* (re) | 123 (?i)abort: .*?certificate.verify.failed.* (re) |
| 122 [255] | 124 [255] |
| 123 | 125 |
| 124 $ cd .. | 126 $ cd .. |