| author | Gregory Szorc <gregory.szorc@gmail.com> |
| Mon, 04 Jul 2016 10:04:11 -0700 | |
| changeset 29489 | 54ad81b0665f |
| parent 29481 | 5caa415aa48b |
| child 29499 | 9c5325c79683 |
| permissions | -rw-r--r-- |
|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
1 |
#require serve ssl |
|
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
2 |
|
|
22046
7a9cbb315d84
tests: replace exit 80 with #require
Matt Mackall <mpm@selenic.com>
parents:
18682
diff
changeset
|
3 |
Proper https client requires the built-in ssl from Python 2.6. |
|
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
4 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
5 |
Make server certificates: |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
6 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
7 |
$ CERTSDIR="$TESTDIR/sslcerts" |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
8 |
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
9 |
$ PRIV=`pwd`/server.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
10 |
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
11 |
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
12 |
|
| 12446 | 13 |
$ hg init test |
14 |
$ cd test |
|
15 |
$ echo foo>foo |
|
16 |
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg |
|
17 |
$ echo foo>foo.d/foo |
|
18 |
$ echo bar>foo.d/bAr.hg.d/BaR |
|
19 |
$ echo bar>foo.d/baR.d.hg/bAR |
|
20 |
$ hg commit -A -m 1 |
|
21 |
adding foo |
|
22 |
adding foo.d/bAr.hg.d/BaR |
|
23 |
adding foo.d/baR.d.hg/bAR |
|
24 |
adding foo.d/foo |
|
|
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
25 |
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV |
|
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
26 |
$ cat ../hg0.pid >> $DAEMON_PIDS |
| 12446 | 27 |
|
|
13544
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
28 |
cacert not found |
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
29 |
|
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
30 |
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/ |
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
31 |
abort: could not find web.cacerts: no-such.pem |
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
32 |
[255] |
|
66d65bccbf06
cacert: improve error report when web.cacert file does not exist
timeless <timeless@gmail.com>
parents:
13439
diff
changeset
|
33 |
|
| 12446 | 34 |
Test server address cannot be reused |
|
4289
e17598881509
test-http: use printenv.py
Alexis S. L. Carvalho <alexis@cecm.usp.br>
parents:
4130
diff
changeset
|
35 |
|
|
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
36 |
#if windows |
|
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
37 |
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
|
18682
408f2202bd80
tests: remove glob from output lines containing no glob character
Simon Heimberg <simohe@besonet.ch>
parents:
18588
diff
changeset
|
38 |
abort: cannot start server at ':$HGPORT': |
|
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
39 |
[255] |
|
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
40 |
#else |
|
12740
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
41 |
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1 |
|
b86c6954ec4c
serve: fix https mode and add test
Mads Kiilerich <mads@kiilerich.com>
parents:
12643
diff
changeset
|
42 |
abort: cannot start server at ':$HGPORT': Address already in use |
| 12446 | 43 |
[255] |
|
17023
3e2d8120528b
test-http and test-https: partially adapt for Windows
Adrian Buehlmann <adrian@cadifra.com>
parents:
17018
diff
changeset
|
44 |
#endif |
| 12446 | 45 |
$ cd .. |
|
2612
ffb895f16925
add support for streaming clone.
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
diff
changeset
|
46 |
|
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
47 |
Our test cert is not signed by a trusted CA. It should fail to verify if |
|
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
48 |
we are able to load CA certs. |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
49 |
|
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
50 |
#if sslcontext defaultcacerts no-defaultcacertsloaded |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
51 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
52 |
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
53 |
abort: error: *certificate verify failed* (glob) |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
54 |
[255] |
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
55 |
#endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
56 |
|
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
57 |
#if no-sslcontext defaultcacerts |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
58 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
59 |
abort: error: *certificate verify failed* (glob) |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
60 |
[255] |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
61 |
#endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
62 |
|
|
29489
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
63 |
#if no-sslcontext windows |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
64 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
65 |
(unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
66 |
abort: error: *certificate verify failed* (glob) |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
67 |
[255] |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
68 |
#endif |
|
54ad81b0665f
sslutil: handle default CA certificate loading on Windows
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29481
diff
changeset
|
69 |
|
|
29481
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
70 |
#if defaultcacertsloaded |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
71 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
72 |
abort: error: *certificate verify failed* (glob) |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
73 |
[255] |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
74 |
#endif |
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
75 |
|
|
5caa415aa48b
tests: better testing of loaded certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29449
diff
changeset
|
76 |
#if no-defaultcacerts |
|
29448
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
77 |
$ hg clone https://localhost:$HGPORT/ copy-pull |
|
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
78 |
abort: localhost certificate error: no certificate received |
|
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
79 |
(set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) |
|
afbe1fe4c44e
tests: test case where default ca certs not available
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29446
diff
changeset
|
80 |
[255] |
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
81 |
#endif |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
82 |
|
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
83 |
Specifying a per-host certificate file that doesn't exist will abort |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
84 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
85 |
$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/ |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
86 |
abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
87 |
[255] |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
88 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
89 |
A malformed per-host certificate file will raise an error |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
90 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
91 |
$ echo baddata > badca.pem |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
92 |
#if sslcontext |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
93 |
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
94 |
abort: error loading CA file badca.pem: * (glob) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
95 |
(file is empty or malformed?) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
96 |
[255] |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
97 |
#else |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
98 |
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/ |
|
29356
93b83ef78d1e
tests: increase test-https malform error glob
Durham Goode <durham@fb.com>
parents:
29334
diff
changeset
|
99 |
abort: error: * (glob) |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
100 |
[255] |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
101 |
#endif |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
102 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
103 |
A per-host certificate mismatching the server will fail verification |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
104 |
|
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
105 |
(modern ssl is able to discern whether the loaded cert is a CA cert) |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
106 |
#if sslcontext |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
107 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
108 |
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
109 |
abort: error: *certificate verify failed* (glob) |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
110 |
[255] |
|
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
111 |
#else |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
112 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
113 |
abort: error: *certificate verify failed* (glob) |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
114 |
[255] |
|
29449
5b71a8d7f7ff
sslutil: emit warning when no CA certificates loaded
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29448
diff
changeset
|
115 |
#endif |
|
29334
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
116 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
117 |
A per-host certificate matching the server's cert will be accepted |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
118 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
119 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
120 |
requesting all changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
121 |
adding changesets |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
122 |
adding manifests |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
123 |
adding file changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
124 |
added 1 changesets with 4 changes to 4 files |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
125 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
126 |
A per-host certificate with multiple certs and one matching will be accepted |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
127 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
128 |
$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
129 |
$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2 |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
130 |
requesting all changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
131 |
adding changesets |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
132 |
adding manifests |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
133 |
adding file changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
134 |
added 1 changesets with 4 changes to 4 files |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
135 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
136 |
Defining both per-host certificate and a fingerprint will print a warning |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
137 |
|
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
138 |
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
139 |
(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification) |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
140 |
requesting all changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
141 |
adding changesets |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
142 |
adding manifests |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
143 |
adding file changes |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
144 |
added 1 changesets with 4 changes to 4 files |
|
ecc9b788fd69
sslutil: per-host config option to define certificates
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29331
diff
changeset
|
145 |
|
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
146 |
$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
|
22575
d7f7f1860f00
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs
Mads Kiilerich <madski@unity3d.com>
parents:
22046
diff
changeset
|
147 |
|
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
148 |
Inability to verify peer certificate will result in abort |
|
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
149 |
|
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
150 |
$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
151 |
abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
152 |
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server) |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
153 |
[255] |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
154 |
|
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
155 |
$ hg clone --insecure https://localhost:$HGPORT/ copy-pull |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
156 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
| 12446 | 157 |
requesting all changes |
158 |
adding changesets |
|
159 |
adding manifests |
|
160 |
adding file changes |
|
161 |
added 1 changesets with 4 changes to 4 files |
|
162 |
updating to branch default |
|
163 |
4 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
164 |
$ hg verify -R copy-pull |
|
165 |
checking changesets |
|
166 |
checking manifests |
|
167 |
crosschecking files in changesets and manifests |
|
168 |
checking files |
|
169 |
4 files, 1 changesets, 4 total revisions |
|
170 |
$ cd test |
|
171 |
$ echo bar > bar |
|
172 |
$ hg commit -A -d '1 0' -m 2 |
|
173 |
adding bar |
|
174 |
$ cd .. |
|
|
2673
109a22f5434a
hooks: add url to changegroup, incoming, prechangegroup, pretxnchangegroup hooks
Vadim Gelfer <vadim.gelfer@gmail.com>
parents:
2622
diff
changeset
|
175 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
176 |
pull without cacert |
| 12446 | 177 |
|
178 |
$ cd copy-pull |
|
179 |
$ echo '[hooks]' >> .hg/hgrc |
|
|
25478
d19787db6fe0
tests: simplify printenv calls
Matt Mackall <mpm@selenic.com>
parents:
25472
diff
changeset
|
180 |
$ echo "changegroup = printenv.py changegroup" >> .hg/hgrc |
|
29288
7dee15dee53c
sslutil: add devel.disableloaddefaultcerts to disable CA loading
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29268
diff
changeset
|
181 |
$ hg pull $DISABLECACERTS |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
182 |
pulling from https://localhost:$HGPORT/ |
|
29411
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
183 |
abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
184 |
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server) |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
185 |
[255] |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
186 |
|
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
187 |
$ hg pull --insecure |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
188 |
pulling from https://localhost:$HGPORT/ |
|
e1778b9c8d53
sslutil: abort when unable to verify peer connection (BC)
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29356
diff
changeset
|
189 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
| 12446 | 190 |
searching for changes |
191 |
adding changesets |
|
192 |
adding manifests |
|
193 |
adding file changes |
|
194 |
added 1 changesets with 1 changes to 1 files |
|
|
27739
d6d3cf5fda6f
hooks: add HG_NODE_LAST to txnclose and changegroup hook environments
Mateusz Kwapich <mitrandir@fb.com>
parents:
25478
diff
changeset
|
195 |
changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob) |
| 12446 | 196 |
(run 'hg update' to get a working copy) |
197 |
$ cd .. |
|
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
198 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
199 |
cacert configured in local repo |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
200 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
201 |
$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
202 |
$ echo "[web]" >> copy-pull/.hg/hgrc |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
203 |
$ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
204 |
$ hg -R copy-pull pull --traceback |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
205 |
pulling from https://localhost:$HGPORT/ |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
206 |
searching for changes |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
207 |
no changes found |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
208 |
$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
209 |
|
|
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
210 |
cacert configured globally, also testing expansion of environment |
|
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
211 |
variables in the filename |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
212 |
|
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
213 |
$ echo "[web]" >> $HGRCPATH |
|
13231
b335882c2f21
url: expand path for web.cacerts
Eduard-Cristian Stefan <alexandrul.ct@gmail.com>
parents:
13192
diff
changeset
|
214 |
$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
215 |
$ P="$CERTSDIR" hg -R copy-pull pull |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
216 |
pulling from https://localhost:$HGPORT/ |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
217 |
searching for changes |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
218 |
no changes found |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
219 |
$ P="$CERTSDIR" hg -R copy-pull pull --insecure |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
220 |
pulling from https://localhost:$HGPORT/ |
|
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
221 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
222 |
searching for changes |
|
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
223 |
no changes found |
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
224 |
|
|
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
225 |
empty cacert file |
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
226 |
|
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
227 |
$ touch emptycafile |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
228 |
|
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
229 |
#if sslcontext |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
230 |
$ hg --config web.cacerts=emptycafile -R copy-pull pull |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
231 |
pulling from https://localhost:$HGPORT/ |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
232 |
abort: error loading CA file emptycafile: * (glob) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
233 |
(file is empty or malformed?) |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
234 |
[255] |
|
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
235 |
#else |
|
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
236 |
$ hg --config web.cacerts=emptycafile -R copy-pull pull |
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
237 |
pulling from https://localhost:$HGPORT/ |
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
238 |
abort: error: * (glob) |
|
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
239 |
[255] |
|
29446
2f7f1e10f840
sslutil: display a better error message when CA file loading fails
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29445
diff
changeset
|
240 |
#endif |
|
29445
072e4a595607
tests: add test for empty CA certs file
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29411
diff
changeset
|
241 |
|
|
13192
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
242 |
cacert mismatch |
|
4d03707916d3
https: use web.cacerts configuration from local repo to validate remote repo
Mads Kiilerich <mads@kiilerich.com>
parents:
13163
diff
changeset
|
243 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
244 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
245 |
> https://127.0.0.1:$HGPORT/ |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
246 |
pulling from https://127.0.0.1:$HGPORT/ |
|
15814
c3e958b50a22
sslutil: show fingerprint when cacerts validation fails
Mads Kiilerich <mads@kiilerich.com>
parents:
15650
diff
changeset
|
247 |
abort: 127.0.0.1 certificate error: certificate is for localhost |
|
29292
bc5f55493397
sslutil: make cert fingerprints messages more actionable
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29290
diff
changeset
|
248 |
(set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
249 |
[255] |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
250 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
251 |
> https://127.0.0.1:$HGPORT/ --insecure |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
252 |
pulling from https://127.0.0.1:$HGPORT/ |
|
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
253 |
warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
254 |
searching for changes |
|
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
255 |
no changes found |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
256 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
257 |
pulling from https://localhost:$HGPORT/ |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
258 |
abort: error: *certificate verify failed* (glob) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
259 |
[255] |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
260 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
261 |
> --insecure |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
262 |
pulling from https://localhost:$HGPORT/ |
|
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
263 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
13328
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
264 |
searching for changes |
|
a939f08fae9c
url: add --insecure option to bypass verification of ssl certificates
Yuya Nishihara <yuya@tcha.org>
parents:
13314
diff
changeset
|
265 |
no changes found |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
266 |
|
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
267 |
Test server cert which isn't valid yet |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
268 |
|
| 28549 | 269 |
$ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
270 |
$ cat hg1.pid >> $DAEMON_PIDS |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
271 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
272 |
> https://localhost:$HGPORT1/ |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
273 |
pulling from https://localhost:$HGPORT1/ |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
274 |
abort: error: *certificate verify failed* (glob) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
275 |
[255] |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
276 |
|
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
277 |
Test server cert which no longer is valid |
|
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
278 |
|
| 28549 | 279 |
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
280 |
$ cat hg2.pid >> $DAEMON_PIDS |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
281 |
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
282 |
> https://localhost:$HGPORT2/ |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
283 |
pulling from https://localhost:$HGPORT2/ |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
284 |
abort: error: *certificate verify failed* (glob) |
|
12741
949dfdb3ad2d
test-https: test web.cacerts functionality
Mads Kiilerich <mads@kiilerich.com>
parents:
12740
diff
changeset
|
285 |
[255] |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
286 |
|
|
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
287 |
Fingerprints |
|
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
288 |
|
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
289 |
- works without cacerts (hostkeyfingerprints) |
|
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
290 |
$ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
291 |
5fed3813f7f5 |
|
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
292 |
|
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
293 |
- works without cacerts (hostsecurity) |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
294 |
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
295 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
296 |
|
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
297 |
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
298 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
299 |
|
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
300 |
- multiple fingerprints specified and first matches |
|
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
301 |
$ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
302 |
5fed3813f7f5 |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
303 |
|
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
304 |
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
305 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
306 |
|
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
307 |
- multiple fingerprints specified and last matches |
|
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
308 |
$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
309 |
5fed3813f7f5 |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
310 |
|
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
311 |
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
312 |
5fed3813f7f5 |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
313 |
|
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
314 |
- multiple fingerprints specified and none match |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
315 |
|
|
28847
3e576fe66715
tests: use --insecure instead of web.cacerts=!
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28549
diff
changeset
|
316 |
$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure |
|
28525
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
317 |
abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
318 |
(check hostfingerprint configuration) |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
319 |
[255] |
|
dfb21c34e07d
sslutil: allow multiple fingerprints per host
Gregory Szorc <gregory.szorc@gmail.com>
parents:
27739
diff
changeset
|
320 |
|
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
321 |
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ |
|
29293
1b3a0b0c414f
sslutil: print the fingerprint from the last hash used
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29292
diff
changeset
|
322 |
abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca |
|
29268
f200b58497f1
sslutil: reference appropriate config section in messaging
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29267
diff
changeset
|
323 |
(check hostsecurity configuration) |
|
29267
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
324 |
[255] |
|
f0ccb6cde3e5
sslutil: allow fingerprints to be specified in [hostsecurity]
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29263
diff
changeset
|
325 |
|
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
326 |
- fails when cert doesn't match hostname (port is ignored) |
|
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
327 |
$ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca |
|
15997
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
328 |
abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b |
|
a45516cb8d9f
sslutil: more helpful fingerprint mismatch message
Matt Mackall <mpm@selenic.com>
parents:
15814
diff
changeset
|
329 |
(check hostfingerprint configuration) |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
330 |
[255] |
|
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
331 |
|
|
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
332 |
|
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
333 |
- ignores that certificate doesn't match hostname |
|
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
334 |
$ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca |
|
13314
8dc488dfcdb4
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates
Mads Kiilerich <mads@kiilerich.com>
parents:
13231
diff
changeset
|
335 |
5fed3813f7f5 |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
336 |
|
|
18588
3241fc65e3cd
test-https.t: stop using kill `cat $pidfile`
Augie Fackler <raf@durin42.com>
parents:
18354
diff
changeset
|
337 |
HGPORT1 is reused below for tinyproxy tests. Kill that server. |
|
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
338 |
$ killdaemons.py hg1.pid |
|
16300
74e114ac6ec1
tests: fix startup/shutdown races in test-https
Matt Mackall <mpm@selenic.com>
parents:
16107
diff
changeset
|
339 |
|
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
340 |
Prepare for connecting through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
341 |
|
|
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
342 |
$ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & |
|
16496
abbabbbe4ec2
tests: use 'do sleep 0' instead of 'do true', also on first line of command
Mads Kiilerich <mads@kiilerich.com>
parents:
16300
diff
changeset
|
343 |
$ while [ ! -f proxy.pid ]; do sleep 0; done |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
344 |
$ cat proxy.pid >> $DAEMON_PIDS |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
345 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
346 |
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
347 |
$ echo "always=True" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
348 |
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
349 |
$ echo "localhost =" >> copy-pull/.hg/hgrc |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
350 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
351 |
Test unvalidated https through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
352 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
353 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
354 |
pulling from https://localhost:$HGPORT/ |
|
29289
3536673a25ae
sslutil: move and change warning when cert verification is disabled
Gregory Szorc <gregory.szorc@gmail.com>
parents:
29288
diff
changeset
|
355 |
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
356 |
searching for changes |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
357 |
no changes found |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
358 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
359 |
Test https with cacert and fingerprint through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
360 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
361 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
362 |
> --config web.cacerts="$CERTSDIR/pub.pem" |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
363 |
pulling from https://localhost:$HGPORT/ |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
364 |
searching for changes |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
365 |
no changes found |
|
29263
817ee3cfe862
tests: don't save host fingerprints in hgrc
Gregory Szorc <gregory.szorc@gmail.com>
parents:
28847
diff
changeset
|
366 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca |
|
13423
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
367 |
pulling from https://127.0.0.1:$HGPORT/ |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
368 |
searching for changes |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
369 |
no changes found |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
370 |
|
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
371 |
Test https with cert problems through proxy |
|
4e60dad2261f
tests: test https through http proxy
Mads Kiilerich <mads@kiilerich.com>
parents:
13401
diff
changeset
|
372 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
373 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
374 |
> --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
375 |
pulling from https://localhost:$HGPORT/ |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
376 |
abort: error: *certificate verify failed* (glob) |
|
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
377 |
[255] |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
378 |
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
379 |
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
|
24138
eabe44ec5af5
pull: print "pulling from foo" before accessing the other repo
Thomas Arendsen Hein <thomas@intevation.de>
parents:
23823
diff
changeset
|
380 |
pulling from https://localhost:$HGPORT2/ |
|
23823
bd72e75f09e7
test-https: glob error messages more so we pass on Python 2.7.9
Augie Fackler <augie@google.com>
parents:
23042
diff
changeset
|
381 |
abort: error: *certificate verify failed* (glob) |
|
13424
08f9c587141f
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
Mads Kiilerich <mads@kiilerich.com>
parents:
13423
diff
changeset
|
382 |
[255] |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
383 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
384 |
|
|
25472
4d2b9b304ad0
tests: drop explicit $TESTDIR from executables
Matt Mackall <mpm@selenic.com>
parents:
25428
diff
changeset
|
385 |
$ killdaemons.py hg0.pid |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
386 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
387 |
#if sslcontext |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
388 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
389 |
Start patched hgweb that requires client certificates: |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
390 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
391 |
$ cat << EOT > reqclientcert.py |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
392 |
> import ssl |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
393 |
> from mercurial.hgweb import server |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
394 |
> class _httprequesthandlersslclientcert(server._httprequesthandlerssl): |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
395 |
> @staticmethod |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
396 |
> def preparehttpserver(httpserver, ssl_cert): |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
397 |
> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1) |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
398 |
> sslcontext.verify_mode = ssl.CERT_REQUIRED |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
399 |
> sslcontext.load_cert_chain(ssl_cert) |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
400 |
> # verify clients by server certificate |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
401 |
> sslcontext.load_verify_locations(ssl_cert) |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
402 |
> httpserver.socket = sslcontext.wrap_socket(httpserver.socket, |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
403 |
> server_side=True) |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
404 |
> server._httprequesthandlerssl = _httprequesthandlersslclientcert |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
405 |
> EOT |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
406 |
$ cd test |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
407 |
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
408 |
> --config extensions.reqclientcert=../reqclientcert.py |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
409 |
$ cat ../hg0.pid >> $DAEMON_PIDS |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
410 |
$ cd .. |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
411 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
412 |
without client certificate: |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
413 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
414 |
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
415 |
abort: error: *handshake failure* (glob) |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
416 |
[255] |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
417 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
418 |
with client certificate: |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
419 |
|
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
420 |
$ cat << EOT >> $HGRCPATH |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
421 |
> [auth] |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
422 |
> l.prefix = localhost |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
423 |
> l.cert = $CERTSDIR/client-cert.pem |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
424 |
> l.key = $CERTSDIR/client-key.pem |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
425 |
> EOT |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
426 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
427 |
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
428 |
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem" |
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
429 |
5fed3813f7f5 |
|
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
430 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
431 |
$ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
432 |
> --config ui.interactive=True --config ui.nontty=True |
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
433 |
passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
|
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
434 |
|
|
29331
1e02d9576194
tests: extract SSL certificates from test-https.t
Yuya Nishihara <yuya@tcha.org>
parents:
29293
diff
changeset
|
435 |
$ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
|
25415
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
436 |
abort: error: * (glob) |
|
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
437 |
[255] |
|
21b536f01eda
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)
Yuya Nishihara <yuya@tcha.org>
parents:
25413
diff
changeset
|
438 |
|
|
25413
4d705f6a3c35
test-https: test basic functions of client certificate authentication
Yuya Nishihara <yuya@tcha.org>
parents:
24740
diff
changeset
|
439 |
#endif |