tests/test-https.t
changeset 45839 ebee234d952a
parent 44896 4dcb2791beab
child 45902 6da22a068281
45838:ae00e170f2d1 45839:ebee234d952a
    57 
    57 
    58 #if defaultcacertsloaded
    58 #if defaultcacertsloaded
    59   $ hg clone https://localhost:$HGPORT/ copy-pull
    59   $ hg clone https://localhost:$HGPORT/ copy-pull
    60   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
    60   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
    61   abort: error: *certificate verify failed* (glob)
    61   abort: error: *certificate verify failed* (glob)
    62   [255]
    62   [100]
    63 #endif
    63 #endif
    64 
    64 
    65 Specifying a per-host certificate file that doesn't exist will abort.  The full
    65 Specifying a per-host certificate file that doesn't exist will abort.  The full
    66 C:/path/to/msysroot will print on Windows.
    66 C:/path/to/msysroot will print on Windows.
    67 
    67 
    82 (modern ssl is able to discern whether the loaded cert is a CA cert)
    82 (modern ssl is able to discern whether the loaded cert is a CA cert)
    83   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
    83   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
    84   (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
    84   (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
    85   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
    85   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
    86   abort: error: *certificate verify failed* (glob)
    86   abort: error: *certificate verify failed* (glob)
    87   [255]
    87   [100]
    88 
    88 
    89 A per-host certificate matching the server's cert will be accepted
    89 A per-host certificate matching the server's cert will be accepted
    90 
    90 
    91   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
    91   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
    92   requesting all changes
    92   requesting all changes
   236   no changes found
   236   no changes found
   237   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
   237   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
   238   pulling from https://localhost:$HGPORT/
   238   pulling from https://localhost:$HGPORT/
   239   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   239   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   240   abort: error: *certificate verify failed* (glob)
   240   abort: error: *certificate verify failed* (glob)
   241   [255]
   241   [100]
   242   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
   242   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
   243   > --insecure
   243   > --insecure
   244   pulling from https://localhost:$HGPORT/
   244   pulling from https://localhost:$HGPORT/
   245   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
   245   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
   246   searching for changes
   246   searching for changes
   253   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
   253   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
   254   > https://localhost:$HGPORT1/
   254   > https://localhost:$HGPORT1/
   255   pulling from https://localhost:$HGPORT1/
   255   pulling from https://localhost:$HGPORT1/
   256   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   256   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   257   abort: error: *certificate verify failed* (glob)
   257   abort: error: *certificate verify failed* (glob)
   258   [255]
   258   [100]
   259 
   259 
   260 Test server cert which no longer is valid
   260 Test server cert which no longer is valid
   261 
   261 
   262   $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
   262   $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
   263   $ cat hg2.pid >> $DAEMON_PIDS
   263   $ cat hg2.pid >> $DAEMON_PIDS
   264   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
   264   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
   265   > https://localhost:$HGPORT2/
   265   > https://localhost:$HGPORT2/
   266   pulling from https://localhost:$HGPORT2/
   266   pulling from https://localhost:$HGPORT2/
   267   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   267   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   268   abort: error: *certificate verify failed* (glob)
   268   abort: error: *certificate verify failed* (glob)
   269   [255]
   269   [100]
   270 
   270 
   271 Setting ciphers to an invalid value aborts
   271 Setting ciphers to an invalid value aborts
   272   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
   272   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
   273   abort: could not set ciphers: No cipher can be selected.
   273   abort: could not set ciphers: No cipher can be selected.
   274   (change cipher string (invalid) in config)
   274   (change cipher string (invalid) in config)
   373   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
   373   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
   374   (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   374   (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   375   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   375   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   376   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   376   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   377   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   377   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   378   [255]
   378   [100]
   379 
   379 
   380   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
   380   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
   381   (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   381   (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   382   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   382   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   383   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   383   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   384   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   384   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   385   [255]
   385   [100]
   386   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
   386   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
   387   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   387   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   388   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   388   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   389   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   389   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   390   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   390   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   391   [255]
   391   [100]
   392   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
   392   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
   393   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   393   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   394   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   394   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   395   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   395   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   396   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   396   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   397   [255]
   397   [100]
   398 
   398 
   399 --insecure will allow TLS 1.0 connections and override configs
   399 --insecure will allow TLS 1.0 connections and override configs
   400 
   400 
   401   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
   401   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
   402   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
   402   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
   415   > --config hostsecurity.localhost:minimumprotocol=tls1.2
   415   > --config hostsecurity.localhost:minimumprotocol=tls1.2
   416   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   416   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   417   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   417   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   418   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   418   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   419   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   419   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   420   [255]
   420   [100]
   421 
   421 
   422 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
   422 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
   423 
   423 
   424   $ cat >> copy-pull/.hg/hgrc << EOF
   424   $ cat >> copy-pull/.hg/hgrc << EOF
   425   > [hostsecurity]
   425   > [hostsecurity]
   428   $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
   428   $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
   429   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   429   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   430   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   430   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   431   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   431   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
   432   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   432   abort: error: .*(unsupported protocol|wrong ssl version).* (re)
   433   [255]
   433   [100]
   434 
   434 
   435   $ killdaemons.py hg0.pid
   435   $ killdaemons.py hg0.pid
   436   $ killdaemons.py hg1.pid
   436   $ killdaemons.py hg1.pid
   437   $ killdaemons.py hg2.pid
   437   $ killdaemons.py hg2.pid
   438 #endif
   438 #endif
   480   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
   480   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
   481   > --config web.cacerts="$CERTSDIR/pub-other.pem"
   481   > --config web.cacerts="$CERTSDIR/pub-other.pem"
   482   pulling from https://localhost:$HGPORT/
   482   pulling from https://localhost:$HGPORT/
   483   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   483   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   484   abort: error: *certificate verify failed* (glob)
   484   abort: error: *certificate verify failed* (glob)
   485   [255]
   485   [100]
   486   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
   486   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
   487   > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
   487   > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
   488   pulling from https://localhost:$HGPORT2/
   488   pulling from https://localhost:$HGPORT2/
   489   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   489   (the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
   490   abort: error: *certificate verify failed* (glob)
   490   abort: error: *certificate verify failed* (glob)
   491   [255]
   491   [100]
   492 
   492 
   493 
   493 
   494   $ killdaemons.py hg0.pid
   494   $ killdaemons.py hg0.pid
   495 
   495 
   496   $ cd test
   496   $ cd test
   516 
   516 
   517 without client certificate:
   517 without client certificate:
   518 
   518 
   519   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
   519   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
   520   abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
   520   abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).* (re)
   521   [255]
   521   [100]
   522 
   522 
   523 with client certificate:
   523 with client certificate:
   524 
   524 
   525   $ cat << EOT >> $HGRCPATH
   525   $ cat << EOT >> $HGRCPATH
   526   > [auth]
   526   > [auth]
   537   > --config ui.interactive=True --config ui.nontty=True
   537   > --config ui.interactive=True --config ui.nontty=True
   538   passphrase for */client-key.pem: 5fed3813f7f5 (glob)
   538   passphrase for */client-key.pem: 5fed3813f7f5 (glob)
   539 
   539 
   540   $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
   540   $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
   541   abort: error: * (glob)
   541   abort: error: * (glob)
   542   [255]
   542   [100]
   543 
   543 
   544 Missing certficate and key files result in error
   544 Missing certficate and key files result in error
   545 
   545 
   546   $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
   546   $ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
   547   abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
   547   abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)