comparison tests/test-https.t @ 45915:8f50dc096cf4
errors: introduce SecurityError and use it in a few places
This is part of
https://www.mercurial-scm.org/wiki/ErrorCategoriesPlan. There are
perhaps more errors in `sslutil.py` that should raise `SecurityError`;
I picked the most clear ones to start with.
Differential Revision: https://phab.mercurial-scm.org/D9390
author | Martin von Zweigbergk <martinvonz@google.com> |
---|---|
date | Mon, 23 Nov 2020 16:20:02 -0800 |
parents | 6da22a068281 |
children | 7ea2bd2043d1 51b07ac1991c |
comparison
45914:be25b66f86ab | 45915:8f50dc096cf4 |
---|---|
123 Inability to verify peer certificate will result in abort | 123 Inability to verify peer certificate will result in abort |
124 | 124 |
125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS | 125 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect | 126 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) | 127 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
128 [255] | 128 [150] |
129 | 129 |
130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull | 130 $ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | 131 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
132 requesting all changes | 132 requesting all changes |
133 adding changesets | 133 adding changesets |
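Review bot: the expected status at line 128 moves from `[255]` to `[150]`, and the commit message never states that number; it names `SecurityError` and links the ErrorCategoriesPlan wiki page only. Anything that currently matches exit status 255 after a failed `hg clone` will stop matching, so please name the new code in the commit message or the release notes. The `--insecure` run at lines 130-133 is identical on both sides, so the override path is expected to keep warning rather than aborting.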
158 > EOF | 158 > EOF |
159 $ hg pull $DISABLECACERTS | 159 $ hg pull $DISABLECACERTS |
160 pulling from https://localhost:$HGPORT/ | 160 pulling from https://localhost:$HGPORT/ |
161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect | 161 abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) | 162 (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
163 [255] | 163 [150] |
164 | 164 |
165 $ hg pull --insecure | 165 $ hg pull --insecure |
166 pulling from https://localhost:$HGPORT/ | 166 pulling from https://localhost:$HGPORT/ |
167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | 167 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
168 searching for changes | 168 searching for changes |
225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ | 225 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
226 > https://$LOCALIP:$HGPORT/ | 226 > https://$LOCALIP:$HGPORT/ |
227 pulling from https://*:$HGPORT/ (glob) | 227 pulling from https://*:$HGPORT/ (glob) |
228 abort: $LOCALIP certificate error: certificate is for localhost (glob) | 228 abort: $LOCALIP certificate error: certificate is for localhost (glob) |
229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) | 229 (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
230 [255] | 230 [150] |
231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ | 231 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
232 > https://$LOCALIP:$HGPORT/ --insecure | 232 > https://$LOCALIP:$HGPORT/ --insecure |
233 pulling from https://*:$HGPORT/ (glob) | 233 pulling from https://*:$HGPORT/ (glob) |
234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) | 234 warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob) |
235 searching for changes | 235 searching for changes |
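Review bot: line 230 gives the hostname mismatch (`certificate is for localhost`) the same status 150 that lines 128 and 163 give the missing-CA case, so a caller cannot tell a local configuration gap from a certificate issued for a different host by exit code alone. If that is the intended granularity of the category, say so where the code is documented, so automation knows to read the abort message for the cause.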
317 - multiple fingerprints specified and none match | 317 - multiple fingerprints specified and none match |
318 | 318 |
319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure | 319 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | 320 abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
321 (check hostfingerprint configuration) | 321 (check hostfingerprint configuration) |
322 [255] | 322 [150] |
323 | 323 |
324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | 324 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 | 325 abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
326 (check hostsecurity configuration) | 326 (check hostsecurity configuration) |
327 [255] | 327 [150] |
328 | 328 |
329 - fails when cert doesn't match hostname (port is ignored) | 329 - fails when cert doesn't match hostname (port is ignored) |
330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | 330 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 | 331 abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
332 (check hostfingerprint configuration) | 332 (check hostfingerprint configuration) |
333 [255] | 333 [150] |
334 | 334 |
335 | 335 |
336 - ignores that certificate doesn't match hostname | 336 - ignores that certificate doesn't match hostname |
337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 | 337 $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) | 338 (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
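Review bot: the case at line 319 passes `--insecure` and still expects an abort, now with `[150]` at line 322, but nothing in the test text says that a pinned fingerprint mismatch is meant to win over `--insecure`. A one-line comment above the command would document that, next to the existing `- multiple fingerprints specified and none match`. The three fingerprint cases (322, 327, 333) are updated consistently; the visible excerpt ends at line 338 before any status line for the legacy `[hostfingerprints]` case, so that one cannot be checked from here.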