comparison tests/test-https.t @ 32054:616e788321cc stable 4.2-rc

freeze: merge default into stable for 4.2 code freeze
author Augie Fackler <augie@google.com>
date Tue, 18 Apr 2017 12:24:34 -0400
parents 68bd8cd381a3
children 9a86d936670f ab89d2f7dc9a
32053:52902059edc7 32054:616e788321cc
34 34
35 Test server address cannot be reused 35 Test server address cannot be reused
36 36
37 #if windows 37 #if windows
38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 38 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
39 abort: cannot start server at ':$HGPORT': 39 abort: cannot start server at 'localhost:$HGPORT': * (glob)
40 [255] 40 [255]
41 #else 41 #else
42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 42 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
43 abort: cannot start server at ':$HGPORT': Address already in use 43 abort: cannot start server at 'localhost:$HGPORT': Address already in use
44 [255] 44 [255]
45 #endif 45 #endif
46 $ cd .. 46 $ cd ..
47 47
48 Our test cert is not signed by a trusted CA. It should fail to verify if 48 Our test cert is not signed by a trusted CA. It should fail to verify if
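Review bot: On new line 39 the Windows expectation now ends in `* (glob)`, which accepts any reason for the startup failure, so this case still passes if the server aborts for something other than the port being taken. The non-Windows branch on line 43 pins `Address already in use`; match a stable fragment of the Windows message instead of a bare `*`, or add a comment saying why the text cannot be pinned.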
95 abort: localhost certificate error: no certificate received 95 abort: localhost certificate error: no certificate received
96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) 96 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
97 [255] 97 [255]
98 #endif 98 #endif
99 99
100 Specifying a per-host certificate file that doesn't exist will abort 100 Specifying a per-host certificate file that doesn't exist will abort. The full
101 C:/path/to/msysroot will print on Windows.
101 102
102 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ 103 $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
103 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 104 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
104 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist 105 abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
105 [255] 106 [255]
106 107
107 A malformed per-host certificate file will raise an error 108 A malformed per-host certificate file will raise an error
108 109
109 $ echo baddata > badca.pem 110 $ echo baddata > badca.pem
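Review bot: The comment added on new lines 100-101 ("The full C:/path/to/msysroot will print on Windows.") does not say that it is the reason for the new `*/does/not/exist (glob)` on line 105. Reword it to state that the abort message shows the path with a prefix on Windows and that the leading `*` exists only to absorb that prefix, so a later reader does not take the glob for a loosened check.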
221 searching for changes 222 searching for changes
222 adding changesets 223 adding changesets
223 adding manifests 224 adding manifests
224 adding file changes 225 adding file changes
225 added 1 changesets with 1 changes to 1 files 226 added 1 changesets with 1 changes to 1 files
226 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob) 227 changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
227 (run 'hg update' to get a working copy) 228 (run 'hg update' to get a working copy)
228 $ cd .. 229 $ cd ..
229 230
230 cacert configured in local repo 231 cacert configured in local repo
231 232
276 #endif 277 #endif
277 278
278 cacert mismatch 279 cacert mismatch
279 280
280 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ 281 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
281 > https://127.0.0.1:$HGPORT/ 282 > https://$LOCALIP:$HGPORT/
282 pulling from https://127.0.0.1:$HGPORT/ (glob) 283 pulling from https://*:$HGPORT/ (glob)
283 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 284 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
284 abort: 127.0.0.1 certificate error: certificate is for localhost (glob) 285 abort: $LOCALIP certificate error: certificate is for localhost (glob)
285 (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob) 286 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
286 [255] 287 [255]
287 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ 288 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
288 > https://127.0.0.1:$HGPORT/ --insecure 289 > https://$LOCALIP:$HGPORT/ --insecure
289 pulling from https://127.0.0.1:$HGPORT/ (glob) 290 pulling from https://*:$HGPORT/ (glob)
290 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 291 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
291 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) 292 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
292 searching for changes 293 searching for changes
293 no changes found 294 no changes found
294 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" 295 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
295 pulling from https://localhost:$HGPORT/ 296 pulling from https://localhost:$HGPORT/
296 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 297 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
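Review bot: New lines 283 and 290 replace the host with a wildcard (`pulling from https://*:$HGPORT/ (glob)`) while lines 284, 285 and 286 expect `$LOCALIP` by name, so the "pulling from" lines would match any host in a test whose point is the hostname mismatch. Use `$LOCALIP` there as well if it is substituted in output the same way, and make the `(glob)` markers consistent: lines 285 and 292 keep one with no wildcard left in the line, while line 286 drops it.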
380 Fingerprints 381 Fingerprints
381 382
382 - works without cacerts (hostfingerprints) 383 - works without cacerts (hostfingerprints)
383 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
384 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 385 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
386 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
385 5fed3813f7f5 387 5fed3813f7f5
386 388
387 - works without cacerts (hostsecurity) 389 - works without cacerts (hostsecurity)
388 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 390 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
389 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 391 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
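Review bot: The hint expected on new line 386 tells the user to set `localhost.fingerprints=sha256:...` in [hostsecurity], but the command on line 390 in this same hunk sets `hostsecurity.localhost:fingerprints`, with a colon between host and option. The test is pinning a message whose suggested key does not match the key form the test itself uses; fix the message (and this expectation) so that copying the hint produces a working SHA-256 pin rather than a setting that may be silently ignored.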
394 5fed3813f7f5 396 5fed3813f7f5
395 397
396 - multiple fingerprints specified and first matches 398 - multiple fingerprints specified and first matches
397 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure 399 $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
398 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 400 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
401 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
399 5fed3813f7f5 402 5fed3813f7f5
400 403
401 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ 404 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
402 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 405 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
403 5fed3813f7f5 406 5fed3813f7f5
404 407
405 - multiple fingerprints specified and last matches 408 - multiple fingerprints specified and last matches
406 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure 409 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
407 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 410 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
411 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
408 5fed3813f7f5 412 5fed3813f7f5
409 413
410 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ 414 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
411 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 415 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
412 5fed3813f7f5 416 5fed3813f7f5
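Review bot: The SHA-1 upgrade notice is expected only after the legacy [hostfingerprints] commands (new lines 401 and 411); the `hostsecurity.localhost:fingerprints=sha1:...` commands on lines 404 and 414 still pin a SHA-1 fingerprint and expect no notice at all. If that is intentional, add a line of test prose saying so; otherwise the `sha1:` form in [hostsecurity] should get the same prompt to move to SHA-256 and these expectations should cover it.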
432 (check hostfingerprint configuration) 436 (check hostfingerprint configuration)
433 [255] 437 [255]
434 438
435 439
436 - ignores that certificate doesn't match hostname 440 - ignores that certificate doesn't match hostname
437 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 441 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
438 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 442 warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
443 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
439 5fed3813f7f5 444 5fed3813f7f5
440 445
441 Ports used by next test. Kill servers. 446 Ports used by next test. Kill servers.
442 447
443 $ killdaemons.py hg0.pid 448 $ killdaemons.py hg0.pid
569 > --config web.cacerts="$CERTSDIR/pub.pem" 574 > --config web.cacerts="$CERTSDIR/pub.pem"
570 pulling from https://localhost:$HGPORT/ 575 pulling from https://localhost:$HGPORT/
571 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 576 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
572 searching for changes 577 searching for changes
573 no changes found 578 no changes found
574 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 579 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
575 pulling from https://127.0.0.1:$HGPORT/ (glob) 580 pulling from https://*:$HGPORT/ (glob)
576 warning: connecting to 127.0.0.1 using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) 581 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
582 (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
577 searching for changes 583 searching for changes
578 no changes found 584 no changes found
579 585
580 Test https with cert problems through proxy 586 Test https with cert problems through proxy
581 587
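Review bot: The command on new line 579 gains a trailing `--trace`, which nothing in the expected output on lines 580-584 depends on and which reads like a leftover debugging flag; drop it. The same line also switches the target from `https://127.0.0.1:$HGPORT/` to `https://localhost:$HGPORT/`, so the proxy case no longer connects by an address the certificate does not name, and line 580 keeps `https://*:$HGPORT/ (glob)` although the host is now fixed; either use `$LOCALIP` as the other hunks do or spell out `localhost` in the expectation.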