343 |
343 |
344 - ignores that certificate doesn't match hostname |
344 - ignores that certificate doesn't match hostname |
345 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
345 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
346 5fed3813f7f5 |
346 5fed3813f7f5 |
347 |
347 |
348 HGPORT1 is reused below for tinyproxy tests. Kill that server. |
348 Ports used by next test. Kill servers. |
|
349 |
|
350 $ killdaemons.py hg0.pid |
349 $ killdaemons.py hg1.pid |
351 $ killdaemons.py hg1.pid |
|
352 $ killdaemons.py hg2.pid |
|
353 |
|
354 #if sslcontext |
|
355 Start servers running supported TLS versions |
|
356 |
|
357 $ cd test |
|
358 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
|
359 > --config devel.serverexactprotocol=tls1.0 |
|
360 $ cat ../hg0.pid >> $DAEMON_PIDS |
|
361 $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ |
|
362 > --config devel.serverexactprotocol=tls1.1 |
|
363 $ cat ../hg1.pid >> $DAEMON_PIDS |
|
364 $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ |
|
365 > --config devel.serverexactprotocol=tls1.2 |
|
366 $ cat ../hg2.pid >> $DAEMON_PIDS |
|
367 $ cd .. |
|
368 |
|
369 Clients talking same TLS versions work |
|
370 |
|
371 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ |
|
372 5fed3813f7f5 |
|
373 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ |
|
374 5fed3813f7f5 |
|
375 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ |
|
376 5fed3813f7f5 |
|
377 |
|
378 Clients requiring newer TLS version than what server supports fail |
|
379 |
|
380 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
|
381 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
382 abort: error: *unsupported protocol* (glob) |
|
383 [255] |
|
384 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
|
385 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
386 abort: error: *unsupported protocol* (glob) |
|
387 [255] |
|
388 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
|
389 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
390 abort: error: *unsupported protocol* (glob) |
|
391 [255] |
|
392 |
|
393 The per-host config option overrides the default |
|
394 |
|
395 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
396 > --config hostsecurity.minimumprotocol=tls1.2 \ |
|
397 > --config hostsecurity.localhost:minimumprotocol=tls1.0 |
|
398 5fed3813f7f5 |
|
399 |
|
400 The per-host config option by itself works |
|
401 |
|
402 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
403 > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
|
404 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
405 abort: error: *unsupported protocol* (glob) |
|
406 [255] |
|
407 |
|
408 $ killdaemons.py hg0.pid |
|
409 $ killdaemons.py hg1.pid |
|
410 $ killdaemons.py hg2.pid |
|
411 #endif |
350 |
412 |
351 Prepare for connecting through proxy |
413 Prepare for connecting through proxy |
352 |
414 |
|
415 $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV |
|
416 $ cat hg0.pid >> $DAEMON_PIDS |
|
417 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
|
418 $ cat hg2.pid >> $DAEMON_PIDS |
|
419 tinyproxy.py doesn't fully detach, so killing it may result in extra output |
|
420 from the shell. So don't kill it. |
353 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
421 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
354 $ while [ ! -f proxy.pid ]; do sleep 0; done |
422 $ while [ ! -f proxy.pid ]; do sleep 0; done |
355 $ cat proxy.pid >> $DAEMON_PIDS |
423 $ cat proxy.pid >> $DAEMON_PIDS |
356 |
424 |
357 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
425 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc |