Mercurial > hg
view tests/test-https.t @ 12749:338b4b615d33
patchbomb: move command option help from the extension (patchbomb) to the command (email)
author | timeless <timeless@gmail.com> |
---|---|
date | Sun, 17 Oct 2010 14:00:01 +0300 |
parents | 949dfdb3ad2d |
children | 763be3cd084a |
line wrap: on
line source
Proper https client requires the built-in ssl from Python 2.6, and https serve requires the full OpenSSL module. $ "$TESTDIR/hghave" ssl || exit 80 HTTPS serve seems to be broken on Python 2.7: $ [ "`python -c 'import sys; print sys.version_info[:2]'`" = '(2, 6)' ] || exit 80 Certificates created with: printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \ openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem Can be dumped with: openssl x509 -in pub.pem -text $ cat << EOT > priv.pem > -----BEGIN PRIVATE KEY----- > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8 > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh > HY8gUVkVRVs= > -----END PRIVATE KEY----- > EOT $ cat << EOT > pub.pem > -----BEGIN CERTIFICATE----- > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c= > -----END CERTIFICATE----- > EOT $ cat priv.pem pub.pem >> server.pem $ PRIV=`pwd`/server.pem $ cat << EOT > pub-other.pem > -----BEGIN CERTIFICATE----- > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6 > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig= > -----END CERTIFICATE----- > EOT pub.pem patched with other notBefore / notAfter: $ cat << EOT > pub-not-yet.pem > -----BEGIN CERTIFICATE----- > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0= > -----END CERTIFICATE----- > EOT $ cat priv.pem pub-not-yet.pem > server-not-yet.pem $ cat << EOT > pub-expired.pem > -----BEGIN CERTIFICATE----- > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ= > -----END CERTIFICATE----- > EOT $ cat priv.pem pub-expired.pem > server-expired.pem $ hg init test $ cd test $ echo foo>foo $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg $ echo foo>foo.d/foo $ echo bar>foo.d/bAr.hg.d/BaR $ echo bar>foo.d/baR.d.hg/bAR $ hg commit -A -m 1 adding foo adding foo.d/bAr.hg.d/BaR adding foo.d/baR.d.hg/bAR adding foo.d/foo $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV $ cat ../hg0.pid >> $DAEMON_PIDS Test server address cannot be reused $ hg serve -p $HGPORT --certificate=$PRIV 2>&1 abort: cannot start server at ':$HGPORT': Address already in use [255] $ cd .. clone via pull $ hg clone https://localhost:$HGPORT/ copy-pull requesting all changes adding changesets adding manifests adding file changes added 1 changesets with 4 changes to 4 files updating to branch default 4 files updated, 0 files merged, 0 files removed, 0 files unresolved $ hg verify -R copy-pull checking changesets checking manifests crosschecking files in changesets and manifests checking files 4 files, 1 changesets, 4 total revisions $ cd test $ echo bar > bar $ hg commit -A -d '1 0' -m 2 adding bar $ cd .. pull $ cd copy-pull $ echo '[hooks]' >> .hg/hgrc $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc $ hg pull changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/ pulling from https://localhost:$HGPORT/ searching for changes adding changesets adding manifests adding file changes added 1 changesets with 1 changes to 1 files (run 'hg update' to get a working copy) $ cd .. cacert $ hg -R copy-pull pull --config web.cacerts=pub.pem pulling from https://localhost:$HGPORT/ searching for changes no changes found $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ abort: 127.0.0.1 certificate error: certificate is for localhost [255] $ hg -R copy-pull pull --config web.cacerts=pub-other.pem abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob) [255] Test server cert which isn't valid yet $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem $ cat hg1.pid >> $DAEMON_PIDS $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/ abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob) [255] Test server cert which no longer is valid $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem $ cat hg2.pid >> $DAEMON_PIDS $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/ abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob) [255]