comparison tests/test-https.t @ 29268:f200b58497f1
sslutil: reference appropriate config section in messaging
Error messages reference the config section defining the host
fingerprint. Now that we have multiple sections where this config
setting could live, we need to point the user at the appropriate
one.
We default to the new "hostsecurity" section. But we will still
refer them to the "hostfingerprint" section if a value is defined
there.
There are some corner cases where the messaging might be off. e.g.
they could define a SHA-1 fingerprint in both sections. IMO the
messaging needs a massive overhaul. I plan to do this as part
of future refactoring to security settings.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Sat, 28 May 2016 12:58:46 -0700 |
parents | f0ccb6cde3e5 |
children | 7dee15dee53c |
29267:f0ccb6cde3e5 | 29268:f200b58497f1 |
---|---|
175 #endif | 175 #endif |
176 | 176 |
177 clone via pull | 177 clone via pull |
178 | 178 |
179 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT | 179 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT |
180 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) | 180 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
181 requesting all changes | 181 requesting all changes |
182 adding changesets | 182 adding changesets |
183 adding manifests | 183 adding manifests |
184 adding file changes | 184 adding file changes |
185 added 1 changesets with 4 changes to 4 files | 185 added 1 changesets with 4 changes to 4 files |
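
Review bot: the new warning at line 180 pairs a bare section name, `hostsecurity`, with a fully qualified setting, `web.cacerts`, and calls both a "config setting". The test at line 317 shows the setting that is actually read is `hostsecurity.localhost:fingerprints`, so consider naming the key as `hostsecurity.<host>:fingerprints` in the warning, so that both halves of the hint point at something the user can set directly.
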
202 $ cd copy-pull | 202 $ cd copy-pull |
203 $ echo '[hooks]' >> .hg/hgrc | 203 $ echo '[hooks]' >> .hg/hgrc |
204 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc | 204 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc |
205 $ hg pull $DISABLEOSXDUMMYCERT | 205 $ hg pull $DISABLEOSXDUMMYCERT |
206 pulling from https://localhost:$HGPORT/ | 206 pulling from https://localhost:$HGPORT/ |
207 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) | 207 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
208 searching for changes | 208 searching for changes |
209 adding changesets | 209 adding changesets |
210 adding manifests | 210 adding manifests |
211 adding file changes | 211 adding file changes |
212 added 1 changesets with 1 changes to 1 files | 212 added 1 changesets with 1 changes to 1 files |
234 pulling from https://localhost:$HGPORT/ | 234 pulling from https://localhost:$HGPORT/ |
235 searching for changes | 235 searching for changes |
236 no changes found | 236 no changes found |
237 $ P=`pwd` hg -R copy-pull pull --insecure | 237 $ P=`pwd` hg -R copy-pull pull --insecure |
238 pulling from https://localhost:$HGPORT/ | 238 pulling from https://localhost:$HGPORT/ |
239 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) | 239 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
240 searching for changes | 240 searching for changes |
241 no changes found | 241 no changes found |
242 | 242 |
243 cacert mismatch | 243 cacert mismatch |
244 | 244 |
245 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ | 245 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ |
246 pulling from https://127.0.0.1:$HGPORT/ | 246 pulling from https://127.0.0.1:$HGPORT/ |
247 abort: 127.0.0.1 certificate error: certificate is for localhost | 247 abort: 127.0.0.1 certificate error: certificate is for localhost |
248 (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely) | 248 (configure hostsecurity 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely) |
249 [255] | 249 [255] |
250 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure | 250 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure |
251 pulling from https://127.0.0.1:$HGPORT/ | 251 pulling from https://127.0.0.1:$HGPORT/ |
252 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) | 252 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
253 searching for changes | 253 searching for changes |
254 no changes found | 254 no changes found |
255 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem | 255 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem |
256 pulling from https://localhost:$HGPORT/ | 256 pulling from https://localhost:$HGPORT/ |
257 abort: error: *certificate verify failed* (glob) | 257 abort: error: *certificate verify failed* (glob) |
258 [255] | 258 [255] |
259 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure | 259 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure |
260 pulling from https://localhost:$HGPORT/ | 260 pulling from https://localhost:$HGPORT/ |
261 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) | 261 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
262 searching for changes | 262 searching for changes |
263 no changes found | 263 no changes found |
264 | 264 |
265 Test server cert which isn't valid yet | 265 Test server cert which isn't valid yet |
266 | 266 |
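
Review bot: the abort hint at line 248 now reads "configure hostsecurity 91:4f:1a:...", which gives neither the key nor the value format that section expects. Line 317 shows the value is written as `sha1:<hex>` under `hostsecurity.<host>:fingerprints`, so a user who copies the colon-separated fingerprint from this hint has to guess the rest. Suggest having the hint print the full setting, for example `hostsecurity.127.0.0.1:fingerprints=sha1:<fingerprint>`. The hint also offers pinning and `--insecure` as equal alternatives for a hostname mismatch; putting the pinning option first and describing `--insecure` as disabling verification would make the safer choice clearer.
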
314 (check hostfingerprint configuration) | 314 (check hostfingerprint configuration) |
315 [255] | 315 [255] |
316 | 316 |
317 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ | 317 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
318 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca | 318 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
319 (check hostfingerprint configuration) | 319 (check hostsecurity configuration) |
320 [255] | 320 [255] |
321 | 321 |
322 - fails when cert doesn't match hostname (port is ignored) | 322 - fails when cert doesn't match hostname (port is ignored) |
323 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca | 323 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca |
324 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b | 324 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b |
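
Review bot: the retained hint at line 314 still spells the legacy section "hostfingerprint", while the setting used at line 323 is `hostfingerprints.localhost`. Since the purpose of this change is to send users to the right section, the legacy branch should print the real section name, `hostfingerprints`. In the lines shown here, each section is exercised only on its own (317 and 323); a case that sets a fingerprint in both `hostsecurity` and `hostfingerprints` would pin down the corner case the commit message mentions and make any later change to this messaging visible in the test output.
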
346 | 346 |
347 Test unvalidated https through proxy | 347 Test unvalidated https through proxy |
348 | 348 |
349 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback | 349 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback |
350 pulling from https://localhost:$HGPORT/ | 350 pulling from https://localhost:$HGPORT/ |
351 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting) | 351 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostsecurity or web.cacerts config setting) |
352 searching for changes | 352 searching for changes |
353 no changes found | 353 no changes found |
354 | 354 |
355 Test https with cacert and fingerprint through proxy | 355 Test https with cacert and fingerprint through proxy |
356 | 356 |