tests/test-https.t
changeset 44881 89f83e47e9c9
parent 44879 ab5348bbc55e
child 44886 1409da2148c8
44880:7dd63a8cb1ee 44881:89f83e47e9c9
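--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -47,42 +47,17 @@
   $ cd ..
 
 Our test cert is not signed by a trusted CA. It should fail to verify if
 we are able to load CA certs.
 
-#if sslcontext no-defaultcacertsloaded
+#if no-defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
 
-#if no-sslcontext
-  $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
-  abort: error: *certificate verify failed* (glob)
-  [255]
-#endif
-
-#if no-sslcontext windows
-  $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
-  (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
-  abort: error: *certificate verify failed* (glob)
-  [255]
-#endif
-
-#if no-sslcontext osx
-  $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
-  (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
-  abort: localhost certificate error: no certificate received
-  (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
-  [255]
-#endif
-
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
@@ -99,39 +74,25 @@
   [255]
 
 A malformed per-host certificate file will raise an error
 
   $ echo baddata > badca.pem
-#if sslcontext
   $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   abort: error loading CA file badca.pem: * (glob)
   (file is empty or malformed?)
   [255]
-#else
-  $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  abort: error: * (glob)
-  [255]
-#endif
 
 A per-host certificate mismatching the server will fail verification
 
 (modern ssl is able to discern whether the loaded cert is a CA cert)
-#if sslcontext
   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
-#else
-  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  abort: error: *certificate verify failed* (glob)
-  [255]
-#endif
 
 A per-host certificate matching the server's cert will be accepted
 
   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
@@ -267,24 +228,16 @@
 
 empty cacert file
 
   $ touch emptycafile
 
-#if sslcontext
   $ hg --config web.cacerts=emptycafile -R copy-pull pull
   pulling from https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   abort: error loading CA file emptycafile: * (glob)
   (file is empty or malformed?)
   [255]
-#else
-  $ hg --config web.cacerts=emptycafile -R copy-pull pull
-  pulling from https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  abort: error: * (glob)
-  [255]
-#endif
 
 cacert mismatch
 
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
   > https://$LOCALIP:$HGPORT/
@@ -342,24 +295,10 @@
   $ hg -R copy-pull id https://localhost:$HGPORT/ \
   > --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
   > --config hostsecurity.disabletls10warning=true
   5fed3813f7f5
 
-Error message for setting ciphers is different depending on SSLContext support
-
-#if no-sslcontext
-  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
-  abort: *No cipher can be selected. (glob)
-  [255]
-
-  $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
-  5fed3813f7f5
-#endif
-
-#if sslcontext
 Setting ciphers to an invalid value aborts
   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   abort: could not set ciphers: No cipher can be selected.
   (change cipher string (invalid) in config)
@@ -374,11 +313,10 @@
 Changing the cipher string works
 
   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   5fed3813f7f5
-#endif
 
 Fingerprints
 
 - works without cacerts (hostfingerprints)
   $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
@@ -447,11 +385,11 @@
 
   $ killdaemons.py hg0.pid
   $ killdaemons.py hg1.pid
   $ killdaemons.py hg2.pid
 
-#if sslcontext tls1.2
+#if tls1.2
 Start servers running supported TLS versions
 
   $ cd test
   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
   > --config devel.serverexactprotocol=tls1.0
@@ -601,12 +539,10 @@
   [255]
 
 
   $ killdaemons.py hg0.pid
 
-#if sslcontext
-
   $ cd test
 
 Missing certificate file(s) are detected
 
   $ hg serve -p $HGPORT --certificate=/missing/certificate \
@@ -666,7 +602,5 @@
 
   $ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
   abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
   (restore missing file or fix references in Mercurial config)
   [255]
-
-#endif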
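Review bot: The parenthetical kept at new line 87 in the second hunk, `(modern ssl is able to discern whether the loaded cert is a CA cert)`, was written to contrast the sslcontext branch with the `#else` branch this commit removes, so "modern" now has nothing to contrast with. The retained expectation (new lines 90-92) is that loading client-cert.pem as the verify file yields `(an attempt was made to load CA certificates but none were loaded; ...)` followed by `certificate verify failed`, so the comment could state that outcome directly, e.g. `(a non-CA cert in verifycertsfile leaves no CA loaded, so verification fails)`. No other retained comment in the section appears to depend on the dropped no-sslcontext branches.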