view tests/sslcerts/README @ 44261:04a3ae7aba14

chg: force-set LC_CTYPE on server start to actual value from the environment

Python 3.7+ will "coerce" the LC_CTYPE variable in many instances, and this can cause issues with chg being able to start up. D7550 attempted to fix this, but a combination of a misreading of the way that python3.7 does the coercion and an untested state (LC_CTYPE being set to an invalid value) meant that this was still not quite working.

This change will cause differences between chg and hg: hg will have the LC_CTYPE environment variable coerced, while chg will not. This is unlikely to cause any detectable behavior differences in what Mercurial itself outputs, but it does have two known effects:

- When using hg, the coerced LC_CTYPE will be passed to subprocesses, even non-python ones. Using chg will remove the coercion, and this will not happen. This is arguably more correct behavior on chg's part.
- On macOS, if you set your region to Brazil but your language to English, this isn't representable in locale strings, so macOS sets LC_CTYPE=UTF-8. If this value is passed along when ssh'ing to a non-macOS machine, some functions (such as locale.setlocale()) may raise an exception due to an unsupported locale setting. This is most easily encountered when doing an interactive commit/split/etc. when using ui.interface=curses.

Differential Revision: https://phab.mercurial-scm.org/D8039
author Kyle Lippincott <spectral@google.com>
date Wed, 29 Jan 2020 13:39:50 -0800
parents 43f3c0df2fab

Generate a private key (priv.pem):

  $ openssl genrsa -out priv.pem 2048

Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
  $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
    -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Now generate an expired certificate by turning back the system time:

  $ faketime 2016-01-01T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a certificate not yet active by advancing the system time:

  $ faketime 2030-01-01T00:00:00Z \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
    -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a passphrase-protected private key for the client certificate:

  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

Create a copy of the private key without a passphrase:

  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

Create a CSR for the client key and sign it with the server keypair (pub.pem
and priv.pem act as the issuing CA):

  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
    -set_serial 01 -out client-cert.pem

When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.

Fingerprints for certs can be obtained by running:

  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint
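When the certificates are regenerated, the fingerprints referenced by the test files have to be recomputed; the following added example (not part of the Mercurial repository) parses the PEM files produced above and prints each certificate's digest both in the colon-separated form `openssl x509 -fingerprint` prints and in the `sha256:aa:bb:...` form Mercurial's `[hostsecurity]` fingerprints setting expects. It only hashes the DER bytes, so the sample PEM it carries is a constructed placeholder rather than a real certificate; it does not check validity periods or signatures.

```python
import base64
import hashlib
import re
import sys
import textwrap

# Every CERTIFICATE block in a PEM file; a bundle may carry more than one.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of each CERTIFICATE block in pem_text."""
    ders = [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(pem_text)]
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case digest of the DER bytes, as
    `openssl x509 -noout -<algo> -fingerprint` prints it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def hg_fingerprint(der, algo="sha256"):
    """The same digest in the `algo:aa:bb:...` form that Mercurial's
    [hostsecurity] fingerprints setting expects (lower case)."""
    return "%s:%s" % (algo, fingerprint(der, algo).lower())


# Constructed sample: the payload is arbitrary bytes, not an X.509
# certificate. A fingerprint is only a hash over the DER bytes, so this is
# enough to exercise the parsing and formatting offline.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python fingerprints.py pub.pem pub-other.pem client-cert.pem
    for path in sys.argv[1:] or ["(sample)"]:
        text = SAMPLE_PEM if path == "(sample)" else open(path).read()
        for der in pem_to_der(text):
            for algo in ("sha1", "sha256"):
                print(path, algo, fingerprint(der, algo), hg_fingerprint(der, algo))
```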