| author | Pierre-Yves David <pierre-yves.david@ens-lyon.org> |
| Fri, 31 Mar 2017 11:08:11 +0200 | |
| changeset 31746 | 0fa30fbccc34 |
| parent 31741 | 728d37353e1e |
| child 31747 | aff7b32b3c05 |
| permissions | -rw-r--r-- |
|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
1 |
#require serve ssl |
|
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
|
|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
3 |
Proper https client requires the built-in ssl from Python 2.6. |
|
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
4 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
5 |
Make server certificates: |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
6 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
7 |
$ CERTSDIR="$TESTDIR/sslcerts" |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
8 |
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
9 |
$ PRIV=`pwd`/server.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
10 |
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
11 |
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
12 |
|
| 12446 | 13 |
$ hg init test |
14 |
$ cd test |
|
15 |
$ echo foo>foo |
|
16 |
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg |
|
17 |
$ echo foo>foo.d/foo |
|
18 |
$ echo bar>foo.d/bAr.hg.d/BaR |
|
19 |
$ echo bar>foo.d/baR.d.hg/bAR |
|
20 |
$ hg commit -A -m 1 |
|
21 |
adding foo |
|
22 |
adding foo.d/bAr.hg.d/BaR |
|
23 |
adding foo.d/baR.d.hg/bAR |
|
24 |
adding foo.d/foo |
|
|
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
25 |
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
|
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
26 |
$ cat ../hg0.pid >> $DAEMON_PIDS |
| 12446 | 27 |
|
|
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
28 |
cacert not found |
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
29 |
|
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
30 |
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
31 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
32 |
abort: could not find web.cacerts: no-such.pem |
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
33 |
[255] |
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
34 |
|
| 12446 | 35 |
Test server address cannot be reused |
|
4289
e17598881509
test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents:
4130
diff
changeset
|
36 |
|
|
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
37 |
#if windows |
|
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
38 |
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
|
31009
161ab32b44a1
runtests: set web.address to localhost
Jun Wu <quark@fb.com>
parents:
31008
diff
changeset
|
39 |
abort: cannot start server at 'localhost:$HGPORT': |
|
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
40 |
[255] |
|
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
41 |
#else |
|
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
42 |
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
|
31009
161ab32b44a1
runtests: set web.address to localhost
Jun Wu <quark@fb.com>
parents:
31008
diff
changeset
|
43 |
abort: cannot start server at 'localhost:$HGPORT': Address already in use |
| 12446 | 44 |
[255] |
|
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
45 |
#endif |
| 12446 | 46 |
$ cd .. |
|
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
47 |
|
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
48 |
Our test cert is not signed by a trusted CA. It should fail to verify if |
|
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
49 |
we are able to load CA certs. |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
50 |
|
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
51 |
#if sslcontext defaultcacerts no-defaultcacertsloaded |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
52 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
53 |
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
54 |
abort: error: *certificate verify failed* (glob) |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
55 |
[255] |
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
56 |
#endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
57 |
|
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
58 |
#if no-sslcontext defaultcacerts |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
59 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
60 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29500
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
61 |
(using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
62 |
abort: error: *certificate verify failed* (glob) |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
63 |
[255] |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
64 |
#endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
65 |
|
|
29489
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
66 |
#if no-sslcontext windows |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
67 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
68 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
29489
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
69 |
(unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
70 |
abort: error: *certificate verify failed* (glob) |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
71 |
[255] |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
72 |
#endif |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
73 |
|
|
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
74 |
#if no-sslcontext osx |
|
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
75 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
76 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
77 |
(unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
|
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
78 |
abort: localhost certificate error: no certificate received |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
79 |
(set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
|
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
80 |
[255] |
|
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
81 |
#endif |
|
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
82 |
|
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
83 |
#if defaultcacertsloaded |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
84 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
85 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29500
4b16a5bd9948
sslutil: try to find CA certficates in well-known locations
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29499
diff
changeset
|
86 |
(using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
87 |
abort: error: *certificate verify failed* (glob) |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
88 |
[255] |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
89 |
#endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
90 |
|
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
91 |
#if no-defaultcacerts |
|
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
92 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
93 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29499
9c5325c79683
sslutil: issue warning when unable to load certificates on OS X
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29489
diff
changeset
|
94 |
(unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) |
|
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
95 |
abort: localhost certificate error: no certificate received |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
96 |
(set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
|
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
97 |
[255] |
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
98 |
#endif |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
99 |
|
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
100 |
Specifying a per-host certificate file that doesn't exist will abort |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
101 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
102 |
$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
103 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
104 |
abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
105 |
[255] |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
106 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
107 |
A malformed per-host certificate file will raise an error |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
108 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
109 |
$ echo baddata > badca.pem |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
110 |
#if sslcontext |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
111 |
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
112 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
113 |
abort: error loading CA file badca.pem: * (glob) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
114 |
(file is empty or malformed?) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
115 |
[255] |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
116 |
#else |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
117 |
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
118 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29356
93b83ef78d1e
tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents:
29334
diff
changeset
|
119 |
abort: error: * (glob) |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
120 |
[255] |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
121 |
#endif |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
122 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
123 |
A per-host certificate mismatching the server will fail verification |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
124 |
|
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
125 |
(modern ssl is able to discern whether the loaded cert is a CA cert) |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
126 |
#if sslcontext |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
127 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
128 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
129 |
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
130 |
abort: error: *certificate verify failed* (glob) |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
131 |
[255] |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
132 |
#else |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
133 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
134 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
135 |
abort: error: *certificate verify failed* (glob) |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
136 |
[255] |
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
137 |
#endif |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
138 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
139 |
A per-host certificate matching the server's cert will be accepted |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
140 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
141 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
142 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
143 |
requesting all changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
144 |
adding changesets |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
145 |
adding manifests |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
146 |
adding file changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
147 |
added 1 changesets with 4 changes to 4 files |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
148 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
149 |
A per-host certificate with multiple certs and one matching will be accepted |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
150 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
151 |
$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
152 |
$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
153 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
154 |
requesting all changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
155 |
adding changesets |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
156 |
adding manifests |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
157 |
adding file changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
158 |
added 1 changesets with 4 changes to 4 files |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
159 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
160 |
Defining both per-host certificate and a fingerprint will print a warning |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
161 |
|
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
162 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
163 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
164 |
(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
165 |
requesting all changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
166 |
adding changesets |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
167 |
adding manifests |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
168 |
adding file changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
169 |
added 1 changesets with 4 changes to 4 files |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
170 |
|
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
171 |
$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
172 |
|
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
173 |
Inability to verify peer certificate will result in abort |
|
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
174 |
|
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
175 |
$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
176 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
177 |
abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
178 |
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
179 |
[255] |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
180 |
|
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
181 |
$ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
182 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
183 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
| 12446 | 184 |
requesting all changes |
185 |
adding changesets |
|
186 |
adding manifests |
|
187 |
adding file changes |
|
188 |
added 1 changesets with 4 changes to 4 files |
|
189 |
updating to branch default |
|
190 |
4 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
191 |
$ hg verify -R copy-pull |
|
192 |
checking changesets |
|
193 |
checking manifests |
|
194 |
crosschecking files in changesets and manifests |
|
195 |
checking files |
|
196 |
4 files, 1 changesets, 4 total revisions |
|
197 |
$ cd test |
|
198 |
$ echo bar > bar |
|
199 |
$ hg commit -A -d '1 0' -m 2 |
|
200 |
adding bar |
|
201 |
$ cd .. |
|
|
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
202 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
203 |
pull without cacert |
| 12446 | 204 |
|
205 |
$ cd copy-pull |
|
|
30234
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
206 |
$ cat >> .hg/hgrc <<EOF |
|
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
207 |
> [hooks] |
|
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
208 |
> changegroup = sh -c "printenv.py changegroup" |
|
34a5f6c66bc5
tests: invoke printenv.py via sh -c for test portability
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
29842
diff
changeset
|
209 |
> EOF |
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
210 |
$ hg pull $DISABLECACERTS |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
211 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
212 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
213 |
abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
214 |
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
215 |
[255] |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
216 |
|
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
217 |
$ hg pull --insecure |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
218 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
219 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
220 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
| 12446 | 221 |
searching for changes |
222 |
adding changesets |
|
223 |
adding manifests |
|
224 |
adding file changes |
|
225 |
added 1 changesets with 1 changes to 1 files |
|
|
31746
0fa30fbccc34
hook: provide hook type information to external hook
Pierre-Yves David <pierre-yves.david@ens-lyon.org>
parents:
31741
diff
changeset
|
226 |
changegroup hook: HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/ |
| 12446 | 227 |
(run 'hg update' to get a working copy) |
228 |
$ cd .. |
|
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
229 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
230 |
cacert configured in local repo |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
231 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
232 |
$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
233 |
$ echo "[web]" >> copy-pull/.hg/hgrc |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
234 |
$ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
|
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
235 |
$ hg -R copy-pull pull |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
236 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
237 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
238 |
searching for changes |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
239 |
no changes found |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
240 |
$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
241 |
|
|
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
242 |
cacert configured globally, also testing expansion of environment |
|
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
243 |
variables in the filename |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
244 |
|
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
245 |
$ echo "[web]" >> $HGRCPATH |
|
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
246 |
$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
247 |
$ P="$CERTSDIR" hg -R copy-pull pull |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
248 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
249 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
250 |
searching for changes |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
251 |
no changes found |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
252 |
$ P="$CERTSDIR" hg -R copy-pull pull --insecure |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
253 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
254 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
255 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
256 |
searching for changes |
|
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
257 |
no changes found |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
258 |
|
|
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
259 |
empty cacert file |
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
260 |
|
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
261 |
$ touch emptycafile |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
262 |
|
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
263 |
#if sslcontext |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
264 |
$ hg --config web.cacerts=emptycafile -R copy-pull pull |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
265 |
pulling from https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
266 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
267 |
abort: error loading CA file emptycafile: * (glob) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
268 |
(file is empty or malformed?) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
269 |
[255] |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
270 |
#else |
|
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
271 |
$ hg --config web.cacerts=emptycafile -R copy-pull pull |
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
272 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
273 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
274 |
abort: error: * (glob) |
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
275 |
[255] |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
276 |
#endif |
|
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
277 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
278 |
cacert mismatch |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
279 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
280 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
| 31008 | 281 |
> https://$LOCALIP:$HGPORT/ |
282 |
pulling from https://*:$HGPORT/ (glob) |
|
283 |
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
284 |
abort: $LOCALIP certificate error: certificate is for localhost |
|
285 |
(set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) |
|
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
286 |
[255] |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
287 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
| 31008 | 288 |
> https://$LOCALIP:$HGPORT/ --insecure |
289 |
pulling from https://*:$HGPORT/ (glob) |
|
290 |
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
291 |
warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
|
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
292 |
searching for changes |
|
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
293 |
no changes found |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
294 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
295 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
296 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
297 |
abort: error: *certificate verify failed* (glob) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
298 |
[255] |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
299 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
300 |
> --insecure |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
301 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
302 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
303 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
304 |
searching for changes |
|
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
305 |
no changes found |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
306 |
|
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
307 |
Test server cert which isn't valid yet |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
308 |
|
| 28549 | 309 |
$ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
310 |
$ cat hg1.pid >> $DAEMON_PIDS |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
311 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
312 |
> https://localhost:$HGPORT1/ |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
313 |
pulling from https://localhost:$HGPORT1/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
314 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
315 |
abort: error: *certificate verify failed* (glob) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
316 |
[255] |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
317 |
|
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
318 |
Test server cert which no longer is valid |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
319 |
|
| 28549 | 320 |
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
321 |
$ cat hg2.pid >> $DAEMON_PIDS |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
322 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
323 |
> https://localhost:$HGPORT2/ |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
324 |
pulling from https://localhost:$HGPORT2/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
325 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
326 |
abort: error: *certificate verify failed* (glob) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
327 |
[255] |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
328 |
|
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
329 |
Disabling the TLS 1.0 warning works |
|
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
330 |
$ hg -R copy-pull id https://localhost:$HGPORT/ \ |
|
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
331 |
> --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \ |
|
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
332 |
> --config hostsecurity.disabletls10warning=true |
|
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
333 |
5fed3813f7f5 |
|
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
334 |
|
|
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
335 |
#if no-sslcontext no-py27+ |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
336 |
Setting ciphers doesn't work in Python 2.6 |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
337 |
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
338 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
339 |
abort: setting ciphers in [hostsecurity] is not supported by this version of Python |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
340 |
(remove the config option or run Mercurial with a modern Python version (preferred)) |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
341 |
[255] |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
342 |
#endif |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
343 |
|
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
344 |
Setting ciphers works in Python 2.7+ but the error message is different on |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
345 |
legacy ssl. We test legacy once and do more feature checking on modern |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
346 |
configs. |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
347 |
|
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
348 |
#if py27+ no-sslcontext |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
349 |
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
350 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
351 |
abort: *No cipher can be selected. (glob) |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
352 |
[255] |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
353 |
|
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
354 |
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
355 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
356 |
5fed3813f7f5 |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
357 |
#endif |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
358 |
|
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
359 |
#if sslcontext |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
360 |
Setting ciphers to an invalid value aborts |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
361 |
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
362 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
363 |
abort: could not set ciphers: No cipher can be selected. |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
364 |
(change cipher string (invalid) in config) |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
365 |
[255] |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
366 |
|
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
367 |
$ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
368 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
369 |
abort: could not set ciphers: No cipher can be selected. |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
370 |
(change cipher string (invalid) in config) |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
371 |
[255] |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
372 |
|
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
373 |
Changing the cipher string works |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
374 |
|
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
375 |
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
376 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29577
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
377 |
5fed3813f7f5 |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
378 |
#endif |
|
9654ef41f7cc
sslutil: support defining cipher list
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29561
diff
changeset
|
379 |
|
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
380 |
Fingerprints |
|
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
381 |
|
|
30332
318a24b52eeb
spelling: fixes of non-dictionary words
Mads Kiilerich <madski@unity3d.com>
parents:
30234
diff
changeset
|
382 |
- works without cacerts (hostfingerprints) |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
383 |
$ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
384 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
31290
f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31009
diff
changeset
|
385 |
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
386 |
5fed3813f7f5 |
|
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
387 |
|
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
388 |
- works without cacerts (hostsecurity) |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
389 |
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
390 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
391 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
392 |
|
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
393 |
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
394 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
395 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
396 |
|
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
397 |
- multiple fingerprints specified and first matches |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
398 |
$ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
399 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
31290
f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31009
diff
changeset
|
400 |
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
401 |
5fed3813f7f5 |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
402 |
|
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
403 |
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
404 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
405 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
406 |
|
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
407 |
- multiple fingerprints specified and last matches |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
408 |
$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
409 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
31290
f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31009
diff
changeset
|
410 |
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
411 |
5fed3813f7f5 |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
412 |
|
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
413 |
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
414 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
415 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
416 |
|
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
417 |
- multiple fingerprints specified and none match |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
418 |
|
|
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
419 |
$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
420 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
421 |
abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
422 |
(check hostfingerprint configuration) |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
423 |
[255] |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
424 |
|
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
425 |
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
426 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
427 |
abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03 |
|
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
428 |
(check hostsecurity configuration) |
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
429 |
[255] |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
430 |
|
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
431 |
- fails when cert doesn't match hostname (port is ignored) |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
432 |
$ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
433 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29526
9d02bed8477b
tests: regenerate x509 test certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29519
diff
changeset
|
434 |
abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84 |
|
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
435 |
(check hostfingerprint configuration) |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
436 |
[255] |
|
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
437 |
|
|
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
438 |
|
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
439 |
- ignores that certificate doesn't match hostname |
| 31008 | 440 |
$ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 |
441 |
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
|
31290
f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31009
diff
changeset
|
442 |
(SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: $LOCALIP.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
443 |
5fed3813f7f5 |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
444 |
|
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
445 |
Ports used by next test. Kill servers. |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
446 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
447 |
$ killdaemons.py hg0.pid |
|
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
448 |
$ killdaemons.py hg1.pid |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
449 |
$ killdaemons.py hg2.pid |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
450 |
|
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
451 |
#if sslcontext tls1.2 |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
452 |
Start servers running supported TLS versions |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
453 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
454 |
$ cd test |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
455 |
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
456 |
> --config devel.serverexactprotocol=tls1.0 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
457 |
$ cat ../hg0.pid >> $DAEMON_PIDS |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
458 |
$ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
459 |
> --config devel.serverexactprotocol=tls1.1 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
460 |
$ cat ../hg1.pid >> $DAEMON_PIDS |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
461 |
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
462 |
> --config devel.serverexactprotocol=tls1.2 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
463 |
$ cat ../hg2.pid >> $DAEMON_PIDS |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
464 |
$ cd .. |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
465 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
466 |
Clients talking same TLS versions work |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
467 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
468 |
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
469 |
5fed3813f7f5 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
470 |
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
471 |
5fed3813f7f5 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
472 |
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
473 |
5fed3813f7f5 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
474 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
475 |
Clients requiring newer TLS version than what server supports fail |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
476 |
|
|
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
477 |
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
|
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
478 |
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
479 |
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
480 |
(see https://mercurial-scm.org/wiki/SecureConnections for more info) |
|
29560
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
481 |
abort: error: *unsupported protocol* (glob) |
|
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
482 |
[255] |
|
303e9300772a
sslutil: require TLS 1.1+ when supported
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29559
diff
changeset
|
483 |
|
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
484 |
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
|
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
485 |
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
486 |
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
487 |
(see https://mercurial-scm.org/wiki/SecureConnections for more info) |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
488 |
abort: error: *unsupported protocol* (glob) |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
489 |
[255] |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
490 |
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
|
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
491 |
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
492 |
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
493 |
(see https://mercurial-scm.org/wiki/SecureConnections for more info) |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
494 |
abort: error: *unsupported protocol* (glob) |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
495 |
[255] |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
496 |
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
|
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
497 |
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
498 |
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
499 |
(see https://mercurial-scm.org/wiki/SecureConnections for more info) |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
500 |
abort: error: *unsupported protocol* (glob) |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
501 |
[255] |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
502 |
|
|
29617
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
503 |
--insecure will allow TLS 1.0 connections and override configs |
|
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
504 |
|
|
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
505 |
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ |
|
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
506 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
507 |
5fed3813f7f5 |
|
2960ceee1948
sslutil: allow TLS 1.0 when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29616
diff
changeset
|
508 |
|
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
509 |
The per-host config option overrides the default |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
510 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
511 |
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
512 |
> --config hostsecurity.minimumprotocol=tls1.2 \ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
513 |
> --config hostsecurity.localhost:minimumprotocol=tls1.0 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
514 |
5fed3813f7f5 |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
515 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
516 |
The per-host config option by itself works |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
517 |
|
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
518 |
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
519 |
> --config hostsecurity.localhost:minimumprotocol=tls1.2 |
|
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
520 |
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
521 |
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
522 |
(see https://mercurial-scm.org/wiki/SecureConnections for more info) |
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
523 |
abort: error: *unsupported protocol* (glob) |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
524 |
[255] |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
525 |
|
|
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
526 |
.hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) |
|
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
527 |
|
|
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
528 |
$ cat >> copy-pull/.hg/hgrc << EOF |
|
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
529 |
> [hostsecurity] |
|
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
530 |
> localhost:minimumprotocol=tls1.2 |
|
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
531 |
> EOF |
|
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
532 |
$ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
|
29619
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
533 |
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
534 |
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
|
53e80179bd6a
sslutil: improve messaging around unsupported protocols (issue5303)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29617
diff
changeset
|
535 |
(see https://mercurial-scm.org/wiki/SecureConnections for more info) |
|
29635
dee24c87dbf0
tests: glob over ssl error
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29619
diff
changeset
|
536 |
abort: error: *unsupported protocol* (glob) |
|
29616
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
537 |
[255] |
|
3fde328d0913
hg: copy [hostsecurity] options to remote ui instances (issue5305)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29601
diff
changeset
|
538 |
|
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
539 |
$ killdaemons.py hg0.pid |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
540 |
$ killdaemons.py hg1.pid |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
541 |
$ killdaemons.py hg2.pid |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
542 |
#endif |
|
16300
74e114ac6ec1
tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents:
16107
diff
changeset
|
543 |
|
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
544 |
Prepare for connecting through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
545 |
|
|
29559
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
546 |
$ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
547 |
$ cat hg0.pid >> $DAEMON_PIDS |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
548 |
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
549 |
$ cat hg2.pid >> $DAEMON_PIDS |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
550 |
tinyproxy.py doesn't fully detach, so killing it may result in extra output |
|
7dec5e441bf7
sslutil: config option to specify TLS protocol version
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29555
diff
changeset
|
551 |
from the shell. So don't kill it. |
|
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
552 |
$ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
|
16496
abbabbbe4ec2
tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents:
16300
diff
changeset
|
553 |
$ while [ ! -f proxy.pid ]; do sleep 0; done |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
554 |
$ cat proxy.pid >> $DAEMON_PIDS |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
555 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
556 |
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
557 |
$ echo "always=True" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
558 |
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
559 |
$ echo "localhost =" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
560 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
561 |
Test unvalidated https through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
562 |
|
|
29842
d5497eb1d768
test-https: drop two spurious --traceback flags
Augie Fackler <augie@google.com>
parents:
29635
diff
changeset
|
563 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
564 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
565 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
566 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
567 |
searching for changes |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
568 |
no changes found |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
569 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
570 |
Test https with cacert and fingerprint through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
571 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
572 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
573 |
> --config web.cacerts="$CERTSDIR/pub.pem" |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
574 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
575 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
576 |
searching for changes |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
577 |
no changes found |
| 31008 | 578 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace |
579 |
pulling from https://*:$HGPORT/ (glob) |
|
580 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
|
31290
f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
31009
diff
changeset
|
581 |
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, set the following config value in [hostsecurity] and remove the old one from [hostfingerprints] to upgrade to a more secure SHA-256 fingerprint: localhost.fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e) |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
582 |
searching for changes |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
583 |
no changes found |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
584 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
585 |
Test https with cert problems through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
586 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
587 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
588 |
> --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
589 |
pulling from https://localhost:$HGPORT/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
590 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
591 |
abort: error: *certificate verify failed* (glob) |
|
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
592 |
[255] |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
593 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
594 |
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
595 |
pulling from https://localhost:$HGPORT2/ |
|
29561
1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29560
diff
changeset
|
596 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
597 |
abort: error: *certificate verify failed* (glob) |
|
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
598 |
[255] |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
599 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
600 |
|
|
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
601 |
$ killdaemons.py hg0.pid |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
602 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
603 |
#if sslcontext |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
604 |
|
|
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
605 |
Start hgweb that requires client certificates: |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
606 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
607 |
$ cd test |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
608 |
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
|
29555
121d11814c62
hgweb: use sslutil.wrapserversocket()
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29553
diff
changeset
|
609 |
> --config devel.servercafile=$PRIV --config devel.serverrequirecert=true |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
610 |
$ cat ../hg0.pid >> $DAEMON_PIDS |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
611 |
$ cd .. |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
612 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
613 |
without client certificate: |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
614 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
615 |
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
616 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
617 |
abort: error: *handshake failure* (glob) |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
618 |
[255] |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
619 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
620 |
with client certificate: |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
621 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
622 |
$ cat << EOT >> $HGRCPATH |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
623 |
> [auth] |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
624 |
> l.prefix = localhost |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
625 |
> l.cert = $CERTSDIR/client-cert.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
626 |
> l.key = $CERTSDIR/client-key.pem |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
627 |
> EOT |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
628 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
629 |
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
630 |
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
631 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
632 |
5fed3813f7f5 |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
633 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
634 |
$ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
635 |
> --config ui.interactive=True --config ui.nontty=True |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
636 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
637 |
passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
|
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
638 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
639 |
$ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
|
29601
6cff2ac0ccb9
sslutil: more robustly detect protocol support
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29577
diff
changeset
|
640 |
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) |
|
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
641 |
abort: error: * (glob) |
|
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
642 |
[255] |
|
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
643 |
|
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
644 |
#endif |