#require serve ssl

Proper https client requires the built-in ssl from Python 2.6.

Disable the system configuration which may set stricter TLS requirements.

This test expects that legacy TLS versions are supported.

  $ OPENSSL_CONF=

  $ export OPENSSL_CONF

Make server certificates:

  $ CERTSDIR="$TESTDIR/sslcerts"

  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem

  $ PRIV=`pwd`/server.pem

  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem

  $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem

  $ hg init test

  $ cd test

  $ echo foo>foo

  $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg

  $ echo foo>foo.d/foo

  $ echo bar>foo.d/bAr.hg.d/BaR

  $ echo bar>foo.d/baR.d.hg/bAR

  $ hg commit -A -m 1

  adding foo

  adding foo.d/bAr.hg.d/BaR

  adding foo.d/baR.d.hg/bAR

  adding foo.d/foo

  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV

  $ cat ../hg0.pid >> $DAEMON_PIDS

cacert not found

  $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/

  abort: could not find web.cacerts: no-such.pem

  [255]

Test server address cannot be reused

  $ hg serve -p $HGPORT --certificate=$PRIV 2>&1

  abort: cannot start server at 'localhost:$HGPORT': $EADDRINUSE$

  [255]

  $ cd ..

Our test cert is not signed by a trusted CA. It should fail to verify if

we are able to load CA certs.

#if no-defaultcacertsloaded

  $ hg clone https://localhost:$HGPORT/ copy-pull

  (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)

  abort: error: *certificate verify failed* (glob)

  [100]

#endif

#if defaultcacertsloaded

  $ hg clone https://localhost:$HGPORT/ copy-pull

  (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)

  abort: error: *certificate verify failed* (glob)

  [100]

#endif

Specifying a per-host certificate file that doesn't exist will abort.  The full

C:/path/to/msysroot will print on Windows.

  $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/

  abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)

  [255]

A malformed per-host certificate file will raise an error

  $ echo baddata > badca.pem

  $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/

  abort: error loading CA file badca.pem: * (glob)

  (file is empty or malformed?)

  [255]

A per-host certificate mismatching the server will fail verification

(modern ssl is able to discern whether the loaded cert is a CA cert)

  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/

  (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)

  (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)

  abort: error: *certificate verify failed* (glob)

  [100]

A per-host certificate matching the server's cert will be accepted

  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1

  requesting all changes

  adding changesets

  adding manifests

  adding file changes

  added 1 changesets with 4 changes to 4 files

  new changesets 8b6053c928fe

A per-host certificate with multiple certs and one matching will be accepted

  $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem

  $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2

  requesting all changes

  adding changesets

  adding manifests

  adding file changes

  added 1 changesets with 4 changes to 4 files

  new changesets 8b6053c928fe

Defining both per-host certificate and a fingerprint will print a warning

  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning

  (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)

  requesting all changes

  adding changesets

  adding manifests

  adding file changes

  added 1 changesets with 4 changes to 4 files

  new changesets 8b6053c928fe

  $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"

Inability to verify peer certificate will result in abort

  $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS

  abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect

  (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)

  [150]

  $ hg clone --insecure https://localhost:$HGPORT/ copy-pull

  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

  requesting all changes

  adding changesets

  adding manifests

  adding file changes

  added 1 changesets with 4 changes to 4 files

  new changesets 8b6053c928fe

  updating to branch default

  4 files updated, 0 files merged, 0 files removed, 0 files unresolved

  $ hg verify -R copy-pull -q

  $ cd test

  $ echo bar > bar

  $ hg commit -A -d '1 0' -m 2

  adding bar

  $ cd ..

pull without cacert

  $ cd copy-pull

  $ cat >> .hg/hgrc <<EOF

  > [hooks]

  > changegroup = sh -c "printenv.py --line changegroup"

  > EOF

  $ hg pull $DISABLECACERTS

  pulling from https://localhost:$HGPORT/

  abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect

  (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)

  [150]

  $ hg pull --insecure

  pulling from https://localhost:$HGPORT/

  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

  searching for changes

  adding changesets

  adding manifests

  adding file changes

  added 1 changesets with 1 changes to 1 files

  new changesets 5fed3813f7f5

  changegroup hook: HG_HOOKNAME=changegroup

  HG_HOOKTYPE=changegroup

  HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d

  HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d

  HG_SOURCE=pull

  HG_TXNID=TXN:$ID$

  HG_TXNNAME=pull

  https://localhost:$HGPORT/

  HG_URL=https://localhost:$HGPORT/

  (run 'hg update' to get a working copy)

  $ cd ..

cacert configured in local repo

  $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu

  $ echo "[web]" >> copy-pull/.hg/hgrc

  $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc

  $ hg -R copy-pull pull

  pulling from https://localhost:$HGPORT/

  searching for changes

  no changes found

  $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc

cacert configured globally, also testing expansion of environment

variables in the filename

  $ echo "[web]" >> $HGRCPATH

  $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH

  $ P="$CERTSDIR" hg -R copy-pull pull

  pulling from https://localhost:$HGPORT/

  searching for changes

  no changes found

  $ P="$CERTSDIR" hg -R copy-pull pull --insecure

  pulling from https://localhost:$HGPORT/

  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

  searching for changes

  no changes found

empty cacert file

  $ touch emptycafile

  $ hg --config web.cacerts=emptycafile -R copy-pull pull

  pulling from https://localhost:$HGPORT/

  abort: error loading CA file emptycafile: * (glob)

  (file is empty or malformed?)

  [255]

cacert mismatch

  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

  > https://$LOCALIP:$HGPORT/

  pulling from https://*:$HGPORT/ (glob)

  abort: $LOCALIP certificate error: certificate is for localhost (glob)

  (set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)

  [150]

  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \

  > https://$LOCALIP:$HGPORT/ --insecure

  pulling from https://*:$HGPORT/ (glob)

  warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)

  searching for changes

  no changes found

  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"

  pulling from https://localhost:$HGPORT/

  (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)

  abort: error: *certificate verify failed* (glob)

  [100]

  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \

  > --insecure

  pulling from https://localhost:$HGPORT/

  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering

  searching for changes

  no changes found

Test server cert which isn't valid yet

  $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem

  $ cat hg1.pid >> $DAEMON_PIDS

  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \

  > https://localhost:$HGPORT1/

  pulling from https://localhost:$HGPORT1/

  (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)

  abort: error: *certificate verify failed* (glob)

  [100]

Test server cert which no longer is valid

  $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem

  $ cat hg2.pid >> $DAEMON_PIDS

  $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \

  > https://localhost:$HGPORT2/

  pulling from https://localhost:$HGPORT2/

  (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)

  abort: error: *certificate verify failed* (glob)

  [100]

Setting ciphers to an invalid value aborts

  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/

  abort: could not set ciphers: No cipher can be selected.

  (change cipher string (invalid) in config)

  [255]

  $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/

  abort: could not set ciphers: No cipher can be selected.

  (change cipher string (invalid) in config)

  [255]

Changing the cipher string works

  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/

  5fed3813f7f5

Fingerprints

- works without cacerts (hostfingerprints)

  $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03

  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)

  5fed3813f7f5

- works without cacerts (hostsecurity)

  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03

  5fed3813f7f5

  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e

  5fed3813f7f5

- multiple fingerprints specified and first matches

  $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)

  5fed3813f7f5

  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

  5fed3813f7f5

- multiple fingerprints specified and last matches

  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure

  (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)

  5fed3813f7f5

  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/

  5fed3813f7f5

- multiple fingerprints specified and none match

  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure

  abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03

  (check hostfingerprint configuration)

  [150]

  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/

  abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03

  (check hostsecurity configuration)

  [150]

- fails when cert doesn't match hostname (port is ignored)

  $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03

  abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84

  (check hostfingerprint configuration)

  [150]

- ignores that certificate doesn't match hostname

  $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03

  (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)

  5fed3813f7f5

Ports used by next test. Kill servers.

  $ killdaemons.py hg0.pid

  $ killdaemons.py hg1.pid

  $ killdaemons.py hg2.pid

#if tls1.2

Start servers running supported TLS versions

  $ cd test

  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \

  > --config devel.server-insecure-exact-protocol=tls1.0

  $ cat ../hg0.pid >> $DAEMON_PIDS

  $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \

  > --config devel.server-insecure-exact-protocol=tls1.1

  $ cat ../hg1.pid >> $DAEMON_PIDS

  $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \

  > --config devel.server-insecure-exact-protocol=tls1.2

  $ cat ../hg2.pid >> $DAEMON_PIDS

  $ cd ..

Clients talking same TLS versions work

  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT/

  5fed3813f7f5

  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT1/

  5fed3813f7f5

  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/

  5fed3813f7f5

Clients requiring newer TLS version than what server supports fail

  $ P="$CERTSDIR" hg id https://localhost:$HGPORT/

  (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)

  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)

  (see https://mercurial-scm.org/wiki/SecureConnections for more info)

  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)

  [100]

  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/