Mercurial > hg

comparison tests/test-https.t @ 45915:8f50dc096cf4

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
errors: introduce SecurityError and use it in a few places This is part of https://www.mercurial-scm.org/wiki/ErrorCategoriesPlan. There are perhaps more errors in `sslutil.py` that should raise `SecurityError`; I picked the most clear ones to start with. Differential Revision: https://phab.mercurial-scm.org/D9390
author Martin von Zweigbergk <martinvonz@google.com>
date Mon, 23 Nov 2020 16:20:02 -0800
parents 6da22a068281
children 7ea2bd2043d1 51b07ac1991c
comparison
equal deleted inserted replaced
45914:be25b66f86ab 45915:8f50dc096cf4
123 Inability to verify peer certificate will result in abort 123 Inability to verify peer certificate will result in abort
124 124
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS 125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect 126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) 127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
128 [255] 128 [150]
129 129
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull 130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering 131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
132 requesting all changes 132 requesting all changes
133 adding changesets 133 adding changesets
158 > EOF 158 > EOF
159 $ hg pull $DISABLECACERTS 159 $ hg pull $DISABLECACERTS
160 pulling from https://localhost:$HGPORT/ 160 pulling from https://localhost:$HGPORT/
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect 161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) 162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
163 [255] 163 [150]
164 164
165 $ hg pull --insecure 165 $ hg pull --insecure
166 pulling from https://localhost:$HGPORT/ 166 pulling from https://localhost:$HGPORT/
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering 167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
168 searching for changes 168 searching for changes
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ 225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
226 > https://$LOCALIP:$HGPORT/ 226 > https://$LOCALIP:$HGPORT/
227 pulling from https://*:$HGPORT/ (glob) 227 pulling from https://*:$HGPORT/ (glob)
228 abort: $LOCALIP certificate error: certificate is for localhost (glob) 228 abort: $LOCALIP certificate error: certificate is for localhost (glob)
229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) 229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
230 [255] 230 [150]
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ 231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
232 > https://$LOCALIP:$HGPORT/ --insecure 232 > https://$LOCALIP:$HGPORT/ --insecure
233 pulling from https://*:$HGPORT/ (glob) 233 pulling from https://*:$HGPORT/ (glob)
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) 234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
235 searching for changes 235 searching for changes
317 - multiple fingerprints specified and none match 317 - multiple fingerprints specified and none match
318 318
319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure 319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
321 (check hostfingerprint configuration) 321 (check hostfingerprint configuration)
322 [255] 322 [150]
323 323
324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ 324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
326 (check hostsecurity configuration) 326 (check hostsecurity configuration)
327 [255] 327 [150]
328 328
329 - fails when cert doesn't match hostname (port is ignored) 329 - fails when cert doesn't match hostname (port is ignored)
330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
332 (check hostfingerprint configuration) 332 (check hostfingerprint configuration)
333 [255] 333 [150]
334 334
335 335
336 - ignores that certificate doesn't match hostname 336 - ignores that certificate doesn't match hostname
337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) 338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)