Mercurial > hg

view tests/sslcerts/README @ 29555:121d11814c62

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hgweb: use sslutil.wrapserversocket() This patch transitions the built-in HTTPS server to use sslutil for creating the server socket. As part of this transition, we implement developer-only config options to control CA loading and whether to require client certificates. This eliminates the need for the custom extension in test-https.t to define these. There is a slight change in behavior with regards to protocol selection. Before, we would always use the TLS 1.0 constant to define the protocol version. This would *only* use TLS 1.0. sslutil defaults to TLS 1.0+. So this patch improves the security of `hg serve` out of the box by allowing it to use TLS 1.1 and 1.2 (if available).
author Gregory Szorc <gregory.szorc@gmail.com>
date Tue, 12 Jul 2016 23:12:03 -0700
parents 9d02bed8477b
children 43f3c0df2fab
line wrap: on
line source

Generate a private key (priv.pem):

  $ openssl genrsa -out priv.pem 2048

Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem

  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem

Now generate an expired certificate by turning back the system time:

  $ date --set='2016-01-01T00:00:00Z'
  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem

Generate a certificate not yet active by advancing the system time:

  $ date --set='2030-01-01T00:00:00Z'
  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem

Note: When adjusting system time, verify the time change sticks. If running
systemd, you may want to use `timedatectl set-ntp false` and e.g.
`timedatectl set-time '2016-01-01 00:00:00'` to set system time.

Generate a passphrase protected client certificate private key:

  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

Create a copy of the private key without a passphrase:

  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

Create a CSR and sign the key using the server keypair:

  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
    -set_serial 01 -out client-cert.pem

When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.

Fingerprints for certs can be obtained by running:

  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint