Mercurial > hg
comparison tests/test-https.t @ 29292:bc5f55493397
sslutil: make cert fingerprints messages more actionable
The previous warning and abort messages were difficult to understand.
This patch makes them slightly better.
I think there is still room to tweak the messaging. And as we adopt
new security defaults, these messages will certainly change again.
But at least this takes us a step in the right direction.
References to "section" have been removed because if no fingerprint
is defined, "section" can never be "hostfingerprints." So just print
"hostsecurity" every time.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Tue, 31 May 2016 19:21:08 -0700 |
| parents | 01248c37a68e |
| children | 1b3a0b0c414f |
comparison
equal
deleted
inserted
replaced
| 29291:15e533b7909c | 29292:bc5f55493397 |
|---|---|
| 174 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" | 174 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
| 175 | 175 |
| 176 clone via pull | 176 clone via pull |
| 177 | 177 |
| 178 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS | 178 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
| 179 warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) | 179 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings) |
| 180 requesting all changes | 180 requesting all changes |
| 181 adding changesets | 181 adding changesets |
| 182 adding manifests | 182 adding manifests |
| 183 adding file changes | 183 adding file changes |
| 184 added 1 changesets with 4 changes to 4 files | 184 added 1 changesets with 4 changes to 4 files |
| 201 $ cd copy-pull | 201 $ cd copy-pull |
| 202 $ echo '[hooks]' >> .hg/hgrc | 202 $ echo '[hooks]' >> .hg/hgrc |
| 203 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc | 203 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc |
| 204 $ hg pull $DISABLECACERTS | 204 $ hg pull $DISABLECACERTS |
| 205 pulling from https://localhost:$HGPORT/ | 205 pulling from https://localhost:$HGPORT/ |
| 206 warning: localhost certificate with fingerprint sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 not verified (check hostsecurity or web.cacerts config setting) | 206 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings) |
| 207 searching for changes | 207 searching for changes |
| 208 adding changesets | 208 adding changesets |
| 209 adding manifests | 209 adding manifests |
| 210 adding file changes | 210 adding file changes |
| 211 added 1 changesets with 1 changes to 1 files | 211 added 1 changesets with 1 changes to 1 files |
| 242 cacert mismatch | 242 cacert mismatch |
| 243 | 243 |
| 244 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ | 244 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ |
| 245 pulling from https://127.0.0.1:$HGPORT/ | 245 pulling from https://127.0.0.1:$HGPORT/ |
| 246 abort: 127.0.0.1 certificate error: certificate is for localhost | 246 abort: 127.0.0.1 certificate error: certificate is for localhost |
| 247 (configure hostsecurity sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or use --insecure to connect insecurely) | 247 (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) |
| 248 [255] | 248 [255] |
| 249 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure | 249 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure |
| 250 pulling from https://127.0.0.1:$HGPORT/ | 250 pulling from https://127.0.0.1:$HGPORT/ |
| 251 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering | 251 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering |
| 252 searching for changes | 252 searching for changes |