47 $ cd .. |
47 $ cd .. |
48 |
48 |
49 Our test cert is not signed by a trusted CA. It should fail to verify if |
49 Our test cert is not signed by a trusted CA. It should fail to verify if |
50 we are able to load CA certs. |
50 we are able to load CA certs. |
51 |
51 |
52 #if sslcontext no-defaultcacertsloaded |
52 #if no-defaultcacertsloaded |
53 $ hg clone https://localhost:$HGPORT/ copy-pull |
53 $ hg clone https://localhost:$HGPORT/ copy-pull |
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
54 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
55 abort: error: *certificate verify failed* (glob) |
55 abort: error: *certificate verify failed* (glob) |
56 [255] |
56 [255] |
57 #endif |
57 #endif |
58 |
58 |
59 #if no-sslcontext |
|
60 $ hg clone https://localhost:$HGPORT/ copy-pull |
|
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
|
63 abort: error: *certificate verify failed* (glob) |
|
64 [255] |
|
65 #endif |
|
66 |
|
67 #if no-sslcontext windows |
|
68 $ hg clone https://localhost:$HGPORT/ copy-pull |
|
69 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
70 (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
|
71 abort: error: *certificate verify failed* (glob) |
|
72 [255] |
|
73 #endif |
|
74 |
|
75 #if no-sslcontext osx |
|
76 $ hg clone https://localhost:$HGPORT/ copy-pull |
|
77 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
78 (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
|
79 abort: localhost certificate error: no certificate received |
|
80 (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
|
81 [255] |
|
82 #endif |
|
83 |
|
84 #if defaultcacertsloaded |
59 #if defaultcacertsloaded |
85 $ hg clone https://localhost:$HGPORT/ copy-pull |
60 $ hg clone https://localhost:$HGPORT/ copy-pull |
86 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
61 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
87 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
62 (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
88 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
63 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
99 [255] |
74 [255] |
100 |
75 |
101 A malformed per-host certificate file will raise an error |
76 A malformed per-host certificate file will raise an error |
102 |
77 |
103 $ echo baddata > badca.pem |
78 $ echo baddata > badca.pem |
104 #if sslcontext |
|
105 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
79 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
106 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
80 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
107 abort: error loading CA file badca.pem: * (glob) |
81 abort: error loading CA file badca.pem: * (glob) |
108 (file is empty or malformed?) |
82 (file is empty or malformed?) |
109 [255] |
83 [255] |
110 #else |
|
111 $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
|
112 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
113 abort: error: * (glob) |
|
114 [255] |
|
115 #endif |
|
116 |
84 |
117 A per-host certificate mismatching the server will fail verification |
85 A per-host certificate mismatching the server will fail verification |
118 |
86 |
119 (modern ssl is able to discern whether the loaded cert is a CA cert) |
87 (modern ssl is able to discern whether the loaded cert is a CA cert) |
120 #if sslcontext |
|
121 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
88 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
122 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
89 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
123 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
90 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
124 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
91 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
125 abort: error: *certificate verify failed* (glob) |
92 abort: error: *certificate verify failed* (glob) |
126 [255] |
93 [255] |
127 #else |
|
128 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
|
129 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
130 abort: error: *certificate verify failed* (glob) |
|
131 [255] |
|
132 #endif |
|
133 |
94 |
134 A per-host certificate matching the server's cert will be accepted |
95 A per-host certificate matching the server's cert will be accepted |
135 |
96 |
136 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
97 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
137 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
98 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
267 |
228 |
268 empty cacert file |
229 empty cacert file |
269 |
230 |
270 $ touch emptycafile |
231 $ touch emptycafile |
271 |
232 |
272 #if sslcontext |
|
273 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
233 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
274 pulling from https://localhost:$HGPORT/ |
234 pulling from https://localhost:$HGPORT/ |
275 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
235 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
276 abort: error loading CA file emptycafile: * (glob) |
236 abort: error loading CA file emptycafile: * (glob) |
277 (file is empty or malformed?) |
237 (file is empty or malformed?) |
278 [255] |
238 [255] |
279 #else |
|
280 $ hg --config web.cacerts=emptycafile -R copy-pull pull |
|
281 pulling from https://localhost:$HGPORT/ |
|
282 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
283 abort: error: * (glob) |
|
284 [255] |
|
285 #endif |
|
286 |
239 |
287 cacert mismatch |
240 cacert mismatch |
288 |
241 |
289 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
290 > https://$LOCALIP:$HGPORT/ |
243 > https://$LOCALIP:$HGPORT/ |
342 $ hg -R copy-pull id https://localhost:$HGPORT/ \ |
295 $ hg -R copy-pull id https://localhost:$HGPORT/ \ |
343 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \ |
296 > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \ |
344 > --config hostsecurity.disabletls10warning=true |
297 > --config hostsecurity.disabletls10warning=true |
345 5fed3813f7f5 |
298 5fed3813f7f5 |
346 |
299 |
347 Error message for setting ciphers is different depending on SSLContext support |
|
348 |
|
349 #if no-sslcontext |
|
350 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
|
351 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
352 abort: *No cipher can be selected. (glob) |
|
353 [255] |
|
354 |
|
355 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
|
356 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
357 5fed3813f7f5 |
|
358 #endif |
|
359 |
|
360 #if sslcontext |
|
361 Setting ciphers to an invalid value aborts |
300 Setting ciphers to an invalid value aborts |
362 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
301 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
363 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
302 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
364 abort: could not set ciphers: No cipher can be selected. |
303 abort: could not set ciphers: No cipher can be selected. |
365 (change cipher string (invalid) in config) |
304 (change cipher string (invalid) in config) |
374 Changing the cipher string works |
313 Changing the cipher string works |
375 |
314 |
376 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
315 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
377 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
316 warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
378 5fed3813f7f5 |
317 5fed3813f7f5 |
379 #endif |
|
380 |
318 |
381 Fingerprints |
319 Fingerprints |
382 |
320 |
383 - works without cacerts (hostfingerprints) |
321 - works without cacerts (hostfingerprints) |
384 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
322 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
447 |
385 |
448 $ killdaemons.py hg0.pid |
386 $ killdaemons.py hg0.pid |
449 $ killdaemons.py hg1.pid |
387 $ killdaemons.py hg1.pid |
450 $ killdaemons.py hg2.pid |
388 $ killdaemons.py hg2.pid |
451 |
389 |
452 #if sslcontext tls1.2 |
390 #if tls1.2 |
453 Start servers running supported TLS versions |
391 Start servers running supported TLS versions |
454 |
392 |
455 $ cd test |
393 $ cd test |
456 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
394 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
457 > --config devel.serverexactprotocol=tls1.0 |
395 > --config devel.serverexactprotocol=tls1.0 |