82 (modern ssl is able to discern whether the loaded cert is a CA cert) |
82 (modern ssl is able to discern whether the loaded cert is a CA cert) |
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
83 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/ |
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
84 (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
85 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
86 abort: error: *certificate verify failed* (glob) |
86 abort: error: *certificate verify failed* (glob) |
87 [255] |
87 [100] |
88 |
88 |
89 A per-host certificate matching the server's cert will be accepted |
89 A per-host certificate matching the server's cert will be accepted |
90 |
90 |
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
91 $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1 |
92 requesting all changes |
92 requesting all changes |
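Review bot: Line 87 now expects exit status 100 instead of 255 for the "certificate verify failed" abort, while the hint lines above it (the "none were loaded" CA message at 84 and the `(windows !)` chain hint at 85) and the `*certificate verify failed* (glob)` pattern at 86 are unchanged, so the only thing this hunk tightens is the exit code; add a short comment above the command at line 83 stating that a failed certificate verification is expected to report the connection-failure code (100) rather than the generic abort code, so readers of the test can tell the two apart without consulting the changelog.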
236 no changes found |
236 no changes found |
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
237 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" |
238 pulling from https://localhost:$HGPORT/ |
238 pulling from https://localhost:$HGPORT/ |
239 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
239 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
240 abort: error: *certificate verify failed* (glob) |
240 abort: error: *certificate verify failed* (glob) |
241 [255] |
241 [100] |
242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
242 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \ |
243 > --insecure |
243 > --insecure |
244 pulling from https://localhost:$HGPORT/ |
244 pulling from https://localhost:$HGPORT/ |
245 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
245 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
246 searching for changes |
246 searching for changes |
253 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
253 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \ |
254 > https://localhost:$HGPORT1/ |
254 > https://localhost:$HGPORT1/ |
255 pulling from https://localhost:$HGPORT1/ |
255 pulling from https://localhost:$HGPORT1/ |
256 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
256 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
257 abort: error: *certificate verify failed* (glob) |
257 abort: error: *certificate verify failed* (glob) |
258 [255] |
258 [100] |
259 |
259 |
260 Test server cert which no longer is valid |
260 Test server cert which no longer is valid |
261 |
261 |
262 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
262 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem |
263 $ cat hg2.pid >> $DAEMON_PIDS |
263 $ cat hg2.pid >> $DAEMON_PIDS |
264 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
264 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \ |
265 > https://localhost:$HGPORT2/ |
265 > https://localhost:$HGPORT2/ |
266 pulling from https://localhost:$HGPORT2/ |
266 pulling from https://localhost:$HGPORT2/ |
267 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
267 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
268 abort: error: *certificate verify failed* (glob) |
268 abort: error: *certificate verify failed* (glob) |
269 [255] |
269 [100] |
270 |
270 |
271 Setting ciphers to an invalid value aborts |
271 Setting ciphers to an invalid value aborts |
272 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
272 $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ |
273 abort: could not set ciphers: No cipher can be selected. |
273 abort: could not set ciphers: No cipher can be selected. |
274 (change cipher string (invalid) in config) |
274 (change cipher string (invalid) in config) |
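Review bot: The cipher-string abort at lines 273-274 ("could not set ciphers: No cipher can be selected") ends this hunk without its exit-status line, so the diff does not show whether that case was also moved off 255; since it is a local configuration problem rather than a failure to verify the remote, it may legitimately keep a different code from the certificate cases at 241, 258 and 269, but then the test should say so with a one-line comment above line 272, otherwise the next person touching exit codes will assume it was missed. The expired-certificate case at 264-269 and the not-yet-valid case at 253-258 are updated consistently.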
373 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
373 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
374 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
374 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
375 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
375 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
376 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
376 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
377 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
377 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
378 [255] |
378 [100] |
379 |
379 |
380 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
380 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
381 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
381 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
382 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
382 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
383 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
383 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
384 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
384 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
385 [255] |
385 [100] |
386 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
386 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
387 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
387 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
388 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
388 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
389 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
389 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
390 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
390 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
391 [255] |
391 [100] |
392 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
392 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
393 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
393 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
394 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
394 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
395 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
395 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
396 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
396 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
397 [255] |
397 [100] |
398 |
398 |
399 --insecure will allow TLS 1.0 connections and override configs |
399 --insecure will allow TLS 1.0 connections and override configs |
400 |
400 |
401 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ |
401 $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ |
402 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
402 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering |
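Review bot: Lines 378, 385, 391 and 397 all switch the protocol-negotiation abort (`.*(unsupported protocol|wrong ssl version).* (re)`) to exit status 100, which keeps the four minimumprotocol cases consistent with each other; note that the hint text at 375, 382, 388 and 394 always recommends `hostsecurity.localhost:minimumprotocol=tls1.0` regardless of which minimum the client requested, so if that wording is ever tightened the four expected-output blocks must change together, and a comment above line 373 recording that the four cases are intentionally identical apart from the advertised minimum would make that maintenance obvious.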
415 > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
415 > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
416 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
416 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
417 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
417 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
418 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
418 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
419 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
419 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
420 [255] |
420 [100] |
421 |
421 |
422 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) |
422 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) |
423 |
423 |
424 $ cat >> copy-pull/.hg/hgrc << EOF |
424 $ cat >> copy-pull/.hg/hgrc << EOF |
425 > [hostsecurity] |
425 > [hostsecurity] |
428 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
428 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
429 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
429 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) |
430 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
430 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) |
431 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
431 (see https://mercurial-scm.org/wiki/SecureConnections for more info) |
432 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
432 abort: error: .*(unsupported protocol|wrong ssl version).* (re) |
433 [255] |
433 [100] |
434 |
434 |
435 $ killdaemons.py hg0.pid |
435 $ killdaemons.py hg0.pid |
436 $ killdaemons.py hg1.pid |
436 $ killdaemons.py hg1.pid |
437 $ killdaemons.py hg2.pid |
437 $ killdaemons.py hg2.pid |
438 #endif |
438 #endif |
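Review bot: The exit-status change at line 433 sits inside a conditional block closed by the `#endif` at 438, whose opening `#if` is outside this hunk; confirm that any sibling branch of that conditional (or the non-feature path run when the condition is false) was updated to the same code, since a mismatch there would only show up on the platforms that take the other branch. The issue5305 case at 422-433 otherwise mirrors the earlier minimumprotocol expectations exactly.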
480 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
480 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
481 > --config web.cacerts="$CERTSDIR/pub-other.pem" |
481 > --config web.cacerts="$CERTSDIR/pub-other.pem" |
482 pulling from https://localhost:$HGPORT/ |
482 pulling from https://localhost:$HGPORT/ |
483 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
483 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
484 abort: error: *certificate verify failed* (glob) |
484 abort: error: *certificate verify failed* (glob) |
485 [255] |
485 [100] |
486 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
486 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \ |
487 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
487 > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/ |
488 pulling from https://localhost:$HGPORT2/ |
488 pulling from https://localhost:$HGPORT2/ |
489 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
489 (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
490 abort: error: *certificate verify failed* (glob) |
490 abort: error: *certificate verify failed* (glob) |
491 [255] |
491 [100] |
492 |
492 |
493 |
493 |
494 $ killdaemons.py hg0.pid |
494 $ killdaemons.py hg0.pid |
495 |
495 |
496 $ cd test |
496 $ cd test |
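Review bot: The two proxy cases at 480-485 and 486-491 are updated to exit status 100 in step with the direct-connection cases, which is correct since the verification failure is the same error class whether or not an http_proxy is in the path; one style nit in the trailing context, the double blank line at 492-493 before `killdaemons.py hg0.pid` should be a single blank line to match the spacing used elsewhere in this file.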
537 > --config ui.interactive=True --config ui.nontty=True |
537 > --config ui.interactive=True --config ui.nontty=True |
538 passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
538 passphrase for */client-key.pem: 5fed3813f7f5 (glob) |
539 |
539 |
540 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
540 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
541 abort: error: * (glob) |
541 abort: error: * (glob) |
542 [255] |
542 [100] |
543 |
543 |
544 Missing certficate and key files result in error |
544 Missing certficate and key files result in error |
545 |
545 |
546 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert |
546 $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert |
547 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob) |
547 abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob) |
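Review bot: With line 541 matching `abort: error: * (glob)`, the exit status at 542 is now the only specific assertion this client-key case makes, so the change to 100 is doing real work here; consider narrowing the glob at 541 to the part of the error text that is stable across platforms, or adding a comment above line 540 stating why the message cannot be matched more precisely. Also, the descriptive line at 544 misspells "certificate" as "certficate".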