#require serve ssl
A proper HTTPS client requires the ssl module built into Python 2.6.
Make server certificates:
$ CERTSDIR="$TESTDIR/sslcerts"
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
$ PRIV=`pwd`/server.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
$ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
abort: could not find web.cacerts: no-such.pem
[255]
Test that the server address cannot be reused
#if windows
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at 'localhost:$HGPORT': * (glob)
[255]
#else
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at 'localhost:$HGPORT': Address already in use
[255]
#endif
$ cd ..
Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.
#if sslcontext defaultcacerts no-defaultcacertsloaded
|
2010-10-17 06:13:35 +04:00
|
|
|
$ hg clone https://localhost:$HGPORT/ copy-pull
|
2016-06-30 05:43:27 +03:00
|
|
|
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
|
2015-01-13 23:15:37 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
2014-09-26 04:19:48 +04:00
|
|
|
[255]
|
2016-07-02 05:27:34 +03:00
|
|
|
#endif
|
|
|
|
|
|
|
|
#if no-sslcontext defaultcacerts
|
|
|
|
$ hg clone https://localhost:$HGPORT/ copy-pull
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-07-07 07:16:00 +03:00
|
|
|
(using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
|
2016-07-02 05:27:34 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
|
|
|
[255]
|
|
|
|
#endif
|
|
|
|
|
2016-07-04 20:04:11 +03:00
|
|
|
#if no-sslcontext windows
|
|
|
|
$ hg clone https://localhost:$HGPORT/ copy-pull
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
|
2016-07-04 20:04:11 +03:00
|
|
|
(unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
|
|
|
|
abort: error: *certificate verify failed* (glob)
|
|
|
|
[255]
|
|
|
|
#endif
|
|
|
|
|
2016-07-07 06:46:05 +03:00
|
|
|
#if no-sslcontext osx
|
|
|
|
$ hg clone https://localhost:$HGPORT/ copy-pull
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
|
2016-07-07 06:46:05 +03:00
|
|
|
(unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
|
|
|
|
abort: localhost certificate error: no certificate received
|
2016-07-13 08:26:04 +03:00
|
|
|
(set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
|
2016-07-07 06:46:05 +03:00
|
|
|
[255]
|
|
|
|
#endif
|
|
|
|
|
2016-07-02 05:27:34 +03:00
|
|
|
#if defaultcacertsloaded
|
|
|
|
$ hg clone https://localhost:$HGPORT/ copy-pull
|
2016-07-18 21:27:27 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-07-07 07:16:00 +03:00
|
|
|
(using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
|
2017-07-13 01:37:13 +03:00
|
|
|
(the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
|
2016-07-02 05:27:34 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
|
|
|
[255]
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if no-defaultcacerts
|
2016-06-30 05:49:39 +03:00
|
|
|
$ hg clone https://localhost:$HGPORT/ copy-pull
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-07-07 06:46:05 +03:00
|
|
|
(unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
|
2016-06-30 05:49:39 +03:00
|
|
|
abort: localhost certificate error: no certificate received
|
2016-07-13 08:26:04 +03:00
|
|
|
(set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
|
2016-06-30 05:49:39 +03:00
|
|
|
[255]
|
2014-09-26 04:19:48 +04:00
|
|
|
#endif
|
|
|
|
|
2017-04-01 21:48:39 +03:00
|
|
|
Specifying a per-host certificate file that doesn't exist will abort. The full
|
|
|
|
C:/path/to/msysroot will print on Windows.
|
2016-06-08 06:29:54 +03:00
|
|
|
|
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2017-04-01 21:48:39 +03:00
|
|
|
abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: */does/not/exist (glob)
|
2016-06-08 06:29:54 +03:00
|
|
|
[255]
|
|
|
|
|
|
|
|
A malformed per-host certificate file will raise an error
|
|
|
|
|
|
|
|
$ echo baddata > badca.pem
|
2016-06-30 05:37:38 +03:00
|
|
|
#if sslcontext
|
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
|
2016-07-18 21:27:27 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-30 05:37:38 +03:00
|
|
|
abort: error loading CA file badca.pem: * (glob)
|
|
|
|
(file is empty or malformed?)
|
|
|
|
[255]
|
|
|
|
#else
|
2016-06-08 06:29:54 +03:00
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-15 04:14:42 +03:00
|
|
|
abort: error: * (glob)
|
2016-06-08 06:29:54 +03:00
|
|
|
[255]
|
2016-06-30 05:37:38 +03:00
|
|
|
#endif
|
2016-06-08 06:29:54 +03:00
|
|
|
|
|
|
|
A per-host certificate mismatching the server will fail verification
|
|
|
|
|
2016-06-30 05:43:27 +03:00
|
|
|
(modern ssl is able to discern whether the loaded cert is a CA cert)
|
|
|
|
#if sslcontext
|
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
|
2016-07-18 21:27:27 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-30 05:43:27 +03:00
|
|
|
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
|
2017-07-13 01:37:13 +03:00
|
|
|
(the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
|
2016-06-30 05:43:27 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
|
|
|
[255]
|
|
|
|
#else
|
2016-06-08 06:29:54 +03:00
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-08 06:29:54 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
|
|
|
[255]
|
2016-06-30 05:43:27 +03:00
|
|
|
#endif
|
2016-06-08 06:29:54 +03:00
|
|
|
|
|
|
|
A per-host certificate matching the server's cert will be accepted
|
|
|
|
|
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-08 06:29:54 +03:00
|
|
|
requesting all changes
|
|
|
|
adding changesets
|
|
|
|
adding manifests
|
|
|
|
adding file changes
|
|
|
|
added 1 changesets with 4 changes to 4 files
|
2017-10-12 10:39:50 +03:00
|
|
|
new changesets 8b6053c928fe
|
2016-06-08 06:29:54 +03:00
|
|
|
|
|
|
|
A per-host certificate file with multiple certs, one of which matches, will be accepted
|
|
|
|
|
|
|
|
$ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
|
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-08 06:29:54 +03:00
|
|
|
requesting all changes
|
|
|
|
adding changesets
|
|
|
|
adding manifests
|
|
|
|
adding file changes
|
|
|
|
added 1 changesets with 4 changes to 4 files
|
2017-10-12 10:39:50 +03:00
|
|
|
new changesets 8b6053c928fe
|
2016-06-08 06:29:54 +03:00
|
|
|
|
|
|
|
Defining both per-host certificate and a fingerprint will print a warning
|
|
|
|
|
2016-07-13 08:26:04 +03:00
|
|
|
$ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-08 06:29:54 +03:00
|
|
|
(hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
|
|
|
|
requesting all changes
|
|
|
|
adding changesets
|
|
|
|
adding manifests
|
|
|
|
adding file changes
|
|
|
|
added 1 changesets with 4 changes to 4 files
|
2017-10-12 10:39:50 +03:00
|
|
|
new changesets 8b6053c928fe
|
2016-06-08 06:29:54 +03:00
|
|
|
|
2016-06-02 05:57:20 +03:00
|
|
|
$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
|
|
|
|
|
2016-06-25 17:26:43 +03:00
|
|
|
Inability to verify peer certificate will result in abort
|
2014-09-26 04:19:48 +04:00
|
|
|
|
2016-06-02 05:57:20 +03:00
|
|
|
$ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-25 17:26:43 +03:00
|
|
|
abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
|
2016-07-13 08:26:04 +03:00
|
|
|
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
|
2016-06-25 17:26:43 +03:00
|
|
|
[255]
|
|
|
|
|
|
|
|
$ hg clone --insecure https://localhost:$HGPORT/ copy-pull
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-25 17:26:43 +03:00
|
|
|
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
|
2010-10-17 06:13:35 +04:00
|
|
|
requesting all changes
|
|
|
|
adding changesets
|
|
|
|
adding manifests
|
|
|
|
adding file changes
|
|
|
|
added 1 changesets with 4 changes to 4 files
|
2017-10-12 10:39:50 +03:00
|
|
|
new changesets 8b6053c928fe
|
2010-10-17 06:13:35 +04:00
|
|
|
updating to branch default
|
|
|
|
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
|
|
|
|
$ hg verify -R copy-pull
|
|
|
|
checking changesets
|
|
|
|
checking manifests
|
|
|
|
crosschecking files in changesets and manifests
|
|
|
|
checking files
|
|
|
|
4 files, 1 changesets, 4 total revisions
|
|
|
|
$ cd test
|
|
|
|
$ echo bar > bar
|
|
|
|
$ hg commit -A -d '1 0' -m 2
|
|
|
|
adding bar
|
|
|
|
$ cd ..
|
|
|
|
|
2010-12-27 19:49:58 +03:00
|
|
|
pull without cacert
|
2010-10-17 06:13:35 +04:00
|
|
|
|
|
|
|
$ cd copy-pull
$ cat >> .hg/hgrc <<EOF
|
|
|
|
> [hooks]
|
|
|
|
> changegroup = sh -c "printenv.py changegroup"
|
|
|
|
> EOF
|
2016-06-02 05:57:20 +03:00
|
|
|
$ hg pull $DISABLECACERTS
|
2010-10-17 06:13:35 +04:00
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-25 17:26:43 +03:00
|
|
|
abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
|
2016-07-13 08:26:04 +03:00
|
|
|
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
|
2016-06-25 17:26:43 +03:00
|
|
|
[255]
|
|
|
|
|
|
|
|
$ hg pull --insecure
|
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-25 17:26:43 +03:00
|
|
|
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
|
2010-10-17 06:13:35 +04:00
|
|
|
searching for changes
|
|
|
|
adding changesets
|
|
|
|
adding manifests
|
|
|
|
adding file changes
|
|
|
|
added 1 changesets with 1 changes to 1 files
|
2017-10-12 10:39:50 +03:00
|
|
|
new changesets 5fed3813f7f5
|
2017-03-31 12:53:56 +03:00
|
|
|
changegroup hook: HG_HOOKNAME=changegroup HG_HOOKTYPE=changegroup HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:$ID$ HG_URL=https://localhost:$HGPORT/
|
2010-10-17 06:13:35 +04:00
|
|
|
(run 'hg update' to get a working copy)
|
|
|
|
$ cd ..
|
2010-10-17 06:13:50 +04:00
|
|
|
|
2010-12-27 19:49:58 +03:00
|
|
|
cacert configured in local repo
|
2010-10-17 06:13:50 +04:00
|
|
|
|
2010-12-27 19:49:58 +03:00
|
|
|
$ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
|
|
|
|
$ echo "[web]" >> copy-pull/.hg/hgrc
|
2016-05-27 16:40:09 +03:00
|
|
|
$ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
|
2016-08-25 08:00:54 +03:00
|
|
|
$ hg -R copy-pull pull
|
2010-10-17 06:13:50 +04:00
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2010-10-17 06:13:50 +04:00
|
|
|
searching for changes
|
|
|
|
no changes found
|
2010-12-27 19:49:58 +03:00
|
|
|
$ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
|
|
|
|
|
2011-01-02 16:30:12 +03:00
|
|
|
cacert configured globally, also testing expansion of environment
|
|
|
|
variables in the filename
|
2010-12-27 19:49:58 +03:00
|
|
|
|
|
|
|
$ echo "[web]" >> $HGRCPATH
|
2011-01-02 16:30:12 +03:00
|
|
|
$ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
|
2016-05-27 16:40:09 +03:00
|
|
|
$ P="$CERTSDIR" hg -R copy-pull pull
|
2010-12-27 19:49:58 +03:00
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2010-12-27 19:49:58 +03:00
|
|
|
searching for changes
|
|
|
|
no changes found
|
2016-05-27 16:40:09 +03:00
|
|
|
$ P="$CERTSDIR" hg -R copy-pull pull --insecure
|
2011-01-29 17:23:24 +03:00
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-05-30 23:15:53 +03:00
|
|
|
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
|
2011-01-29 17:23:24 +03:00
|
|
|
searching for changes
|
|
|
|
no changes found
|
2010-12-27 19:49:58 +03:00
|
|
|
|
2016-06-30 04:15:28 +03:00
|
|
|
empty cacert file
|
|
|
|
|
|
|
|
$ touch emptycafile
|
2016-06-30 05:37:38 +03:00
|
|
|
|
|
|
|
#if sslcontext
|
|
|
|
$ hg --config web.cacerts=emptycafile -R copy-pull pull
|
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-18 21:27:27 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-30 05:37:38 +03:00
|
|
|
abort: error loading CA file emptycafile: * (glob)
|
|
|
|
(file is empty or malformed?)
|
|
|
|
[255]
|
|
|
|
#else
|
2016-06-30 04:15:28 +03:00
|
|
|
$ hg --config web.cacerts=emptycafile -R copy-pull pull
|
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-06-30 04:15:28 +03:00
|
|
|
abort: error: * (glob)
|
|
|
|
[255]
|
2016-06-30 05:37:38 +03:00
|
|
|
#endif
|
2016-06-30 04:15:28 +03:00
|
|
|
|
2010-12-27 19:49:58 +03:00
|
|
|
cacert mismatch
|
|
|
|
|
2016-05-27 16:40:09 +03:00
|
|
|
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
|
2017-02-16 20:38:52 +03:00
|
|
|
> https://$LOCALIP:$HGPORT/
|
|
|
|
pulling from https://*:$HGPORT/ (glob)
|
|
|
|
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2017-04-04 01:56:08 +03:00
|
|
|
abort: $LOCALIP certificate error: certificate is for localhost (glob)
|
2017-02-16 20:38:52 +03:00
|
|
|
(set hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
|
2010-10-17 06:13:50 +04:00
|
|
|
[255]
|
2016-05-27 16:40:09 +03:00
|
|
|
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
|
2017-02-16 20:38:52 +03:00
|
|
|
> https://$LOCALIP:$HGPORT/ --insecure
|
|
|
|
pulling from https://*:$HGPORT/ (glob)
|
|
|
|
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2017-04-04 01:56:08 +03:00
|
|
|
warning: connection security to $LOCALIP is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
|
2011-01-29 17:23:24 +03:00
|
|
|
searching for changes
|
|
|
|
no changes found
|
2016-05-27 16:40:09 +03:00
|
|
|
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
|
2015-02-24 12:55:24 +03:00
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2017-07-13 01:37:13 +03:00
|
|
|
(the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
|
2015-01-13 23:15:37 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
2010-10-17 06:13:50 +04:00
|
|
|
[255]
|
2016-05-27 16:40:09 +03:00
|
|
|
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
|
|
|
|
> --insecure
|
2011-01-29 17:23:24 +03:00
|
|
|
pulling from https://localhost:$HGPORT/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-05-30 23:15:53 +03:00
|
|
|
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
|
2011-01-29 17:23:24 +03:00
|
|
|
searching for changes
|
|
|
|
no changes found
|
2010-10-17 06:13:50 +04:00
|
|
|
|
|
|
|
Test server cert which isn't valid yet
|
|
|
|
|
2016-03-15 12:51:54 +03:00
|
|
|
$ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
|
2010-10-17 06:13:50 +04:00
|
|
|
$ cat hg1.pid >> $DAEMON_PIDS
|
2016-05-27 16:40:09 +03:00
|
|
|
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
|
|
|
|
> https://localhost:$HGPORT1/
|
2015-02-24 12:55:24 +03:00
|
|
|
pulling from https://localhost:$HGPORT1/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2017-07-13 01:37:13 +03:00
|
|
|
(the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
|
2015-01-13 23:15:37 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
2010-10-17 06:13:50 +04:00
|
|
|
[255]
|
|
|
|
|
|
|
|
Test server cert which is no longer valid
|
|
|
|
|
2016-03-15 12:51:54 +03:00
|
|
|
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
|
2010-10-17 06:13:50 +04:00
|
|
|
$ cat hg2.pid >> $DAEMON_PIDS
|
2016-05-27 16:40:09 +03:00
|
|
|
$ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
|
|
|
|
> https://localhost:$HGPORT2/
|
2015-02-24 12:55:24 +03:00
|
|
|
pulling from https://localhost:$HGPORT2/
|
2016-07-14 07:49:17 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2017-07-13 01:37:13 +03:00
|
|
|
(the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
|
2015-01-13 23:15:37 +03:00
|
|
|
abort: error: *certificate verify failed* (glob)
|
2010-10-17 06:13:50 +04:00
|
|
|
[255]
|
2011-01-28 04:57:59 +03:00
|
|
|
|
2016-07-14 07:49:17 +03:00
|
|
|
Disabling the TLS 1.0 warning works
|
|
|
|
$ hg -R copy-pull id https://localhost:$HGPORT/ \
|
|
|
|
> --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 \
|
|
|
|
> --config hostsecurity.disabletls10warning=true
|
|
|
|
5fed3813f7f5
|
|
|
|
|
2017-05-09 01:30:15 +03:00
|
|
|
The error message for setting ciphers differs depending on SSLContext support
|
2016-07-17 20:59:32 +03:00
|
|
|
|
2017-05-09 01:30:15 +03:00
|
|
|
#if no-sslcontext
|
2016-07-17 20:59:32 +03:00
|
|
|
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
|
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
|
|
|
|
abort: *No cipher can be selected. (glob)
|
|
|
|
[255]
|
|
|
|
|
|
|
|
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
|
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
|
|
|
|
5fed3813f7f5
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if sslcontext
|
|
|
|
Setting ciphers to an invalid value aborts
|
|
|
|
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
|
2016-07-18 21:27:27 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-07-17 20:59:32 +03:00
|
|
|
abort: could not set ciphers: No cipher can be selected.
|
|
|
|
(change cipher string (invalid) in config)
|
|
|
|
[255]
|
|
|
|
|
|
|
|
$ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/
|
2016-07-18 21:27:27 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-07-17 20:59:32 +03:00
|
|
|
abort: could not set ciphers: No cipher can be selected.
|
|
|
|
(change cipher string (invalid) in config)
|
|
|
|
[255]
|
|
|
|
|
|
|
|
Changing the cipher string works
|
|
|
|
|
|
|
|
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id https://localhost:$HGPORT/
|
2016-07-18 21:27:27 +03:00
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
2016-07-17 20:59:32 +03:00
|
|
|
5fed3813f7f5
|
|
|
|
#endif
Fingerprints
- works without cacerts (hostfingerprints)
$ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
5fed3813f7f5
- works without cacerts (hostsecurity)
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
5fed3813f7f5
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
5fed3813f7f5
- multiple fingerprints specified and first matches
$ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
5fed3813f7f5
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
5fed3813f7f5
- multiple fingerprints specified and last matches
$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
5fed3813f7f5
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
5fed3813f7f5
- multiple fingerprints specified and none match
$ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
(check hostfingerprint configuration)
[255]
$ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
(check hostsecurity configuration)
[255]
- fails when the cert's fingerprint doesn't match the one pinned for the hostname (port is ignored)
$ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
(check hostfingerprint configuration)
[255]
- a pinned fingerprint ignores that the certificate doesn't match the hostname
$ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
warning: connecting to $LOCALIP using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
(SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: $LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
5fed3813f7f5
The next test reuses these ports, so kill the servers first.
$ killdaemons.py hg0.pid
$ killdaemons.py hg1.pid
$ killdaemons.py hg2.pid
#if sslcontext tls1.2
Start servers running supported TLS versions
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.0
$ cat ../hg0.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.1
$ cat ../hg1.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.2
$ cat ../hg2.pid >> $DAEMON_PIDS
$ cd ..
Clients talking same TLS versions work
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
5fed3813f7f5
Clients requiring newer TLS version than what server supports fail
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: *unsupported protocol* (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: *unsupported protocol* (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: *unsupported protocol* (glob)
[255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: *unsupported protocol* (glob)
[255]
--insecure allows TLS 1.0 connections and overrides the configured [hostsecurity] minimum protocol
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
5fed3813f7f5
The per-host config option overrides the global option
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.minimumprotocol=tls1.2 \
> --config hostsecurity.localhost:minimumprotocol=tls1.0
5fed3813f7f5
The per-host config option by itself works
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:minimumprotocol=tls1.2
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: *unsupported protocol* (glob)
[255]
[hostsecurity] settings from the repository's .hg/hgrc file are applied to remote ui instances (issue5305)
$ cat >> copy-pull/.hg/hgrc << EOF
> [hostsecurity]
> localhost:minimumprotocol=tls1.2
> EOF
$ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
(could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
(consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
(see https://mercurial-scm.org/wiki/SecureConnections for more info)
abort: error: *unsupported protocol* (glob)
[255]
$ killdaemons.py hg0.pid
$ killdaemons.py hg1.pid
$ killdaemons.py hg2.pid
#endif
Prepare for connecting through proxy
$ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
$ cat hg0.pid >> $DAEMON_PIDS
$ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
$ cat hg2.pid >> $DAEMON_PIDS
tinyproxy.py doesn't fully detach, so killing it may result in extra output
from the shell. So don't kill it.
$ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
$ while [ ! -f proxy.pid ]; do sleep 0; done
$ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
pulling from https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
searching for changes
no changes found
Test https with cacert and fingerprint through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub.pem"
pulling from https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
searching for changes
no changes found
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://localhost:$HGPORT/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
pulling from https://*:$HGPORT/ (glob)
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
(SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section; if you trust this fingerprint, remove the old SHA-1 fingerprint from [hostfingerprints] and add the following entry to the new [hostsecurity] section: localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
searching for changes
no changes found
Test https with cert problems through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-other.pem"
pulling from https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
(the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
abort: error: *certificate verify failed* (glob)
[255]
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
pulling from https://localhost:$HGPORT2/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
(the full certificate chain may not be available locally; see "hg help debugssl") (windows !)
abort: error: *certificate verify failed* (glob)
[255]
$ killdaemons.py hg0.pid
#if sslcontext
$ cd test
Missing certificate file(s) are detected
$ hg serve -p $HGPORT --certificate=/missing/certificate \
> --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
abort: referenced certificate file (*/missing/certificate) does not exist (glob)
[255]
$ hg serve -p $HGPORT --certificate=$PRIV \
> --config devel.servercafile=/missing/cafile --config devel.serverrequirecert=true
abort: referenced certificate file (*/missing/cafile) does not exist (glob)
[255]
Start hgweb that requires client certificates:
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
$ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
abort: error: *handshake failure* (glob)
[255]
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
> l.cert = $CERTSDIR/client-cert.pem
> l.key = $CERTSDIR/client-key.pem
> EOT
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
5fed3813f7f5
$ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config ui.interactive=True --config ui.nontty=True
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
passphrase for */client-key.pem: 5fed3813f7f5 (glob)
$ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
abort: error: * (glob)
[255]
Missing certificate and key files result in error
$ hg id https://localhost:$HGPORT/ --config auth.l.cert=/missing/cert
abort: certificate file (*/missing/cert) does not exist; cannot connect to localhost (glob)
(restore missing file or fix references in Mercurial config)
[255]
$ hg id https://localhost:$HGPORT/ --config auth.l.key=/missing/key
abort: certificate file (*/missing/key) does not exist; cannot connect to localhost (glob)
(restore missing file or fix references in Mercurial config)
[255]
#endif