Mercurial > hg
comparison tests/test-https.t @ 24290:b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
The next patch will enable verification by using the system's CA store if
possible, which means we would have to distinguish None (=use default) from
'' (=--insecure). This smells bug-prone and provides no way to override
web.cacerts to forcibly use the system's store by --config argument.
This patch changes the meaning of web.cacerts as follows:
value behavior
------- ---------------------------------------
None/'' use default
'!' never use CA certs (set by --insecure)
<path> verify by the specified CA certificates
Values other than <path> are for internal use and therefore undocumented.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Wed, 04 Mar 2015 23:27:04 +0900 |
| parents | 07fafcd4bc74 |
| children | d283517b260b |
comparison
equal
deleted
inserted
replaced
| 24289:07fafcd4bc74 | 24290:b76d8c641746 |
|---|---|
| 122 #if defaultcacerts | 122 #if defaultcacerts |
| 123 $ hg clone https://localhost:$HGPORT/ copy-pull | 123 $ hg clone https://localhost:$HGPORT/ copy-pull |
| 124 abort: error: *certificate verify failed* (glob) | 124 abort: error: *certificate verify failed* (glob) |
| 125 [255] | 125 [255] |
| 126 | 126 |
| 127 $ DISABLEOSXDUMMYCERT="--config=web.cacerts=" | 127 $ DISABLEOSXDUMMYCERT="--config=web.cacerts=!" |
| 128 #endif | 128 #endif |
| 129 | 129 |
| 130 clone via pull | 130 clone via pull |
| 131 | 131 |
| 132 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT | 132 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT |
| 238 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc | 238 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
| 239 $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc | 239 $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc |
| 240 $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc | 240 $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc |
| 241 | 241 |
| 242 - works without cacerts | 242 - works without cacerts |
| 243 $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts= | 243 $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=! |
| 244 5fed3813f7f5 | 244 5fed3813f7f5 |
| 245 | 245 |
| 246 - fails when cert doesn't match hostname (port is ignored) | 246 - fails when cert doesn't match hostname (port is ignored) |
| 247 $ hg -R copy-pull id https://localhost:$HGPORT1/ | 247 $ hg -R copy-pull id https://localhost:$HGPORT1/ |
| 248 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b | 248 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b |