mirror of
https://github.com/facebook/sapling.git
synced 2024-10-09 16:31:02 +03:00
6ba507acfc
The Python ssl module conditionally sets the TLS 1.1 and TLS 1.2 constants depending on whether HAVE_TLSv1_2 is defined. Yes, these are both tied to the same constant (I would think there would be separate constants for each version). Perhaps support for TLS 1.1 and 1.2 were added at the same time and the assumption is that OpenSSL either has neither or both. I don't know. As part of developing this patch, it was discovered that Apple's /usr/bin/python2.7 does not support TLS 1.1 and 1.2 (only TLS 1.0)! On OS X 10.11, Apple Python has the modern ssl module including SSLContext, but it doesn't appear to negotiate TLS 1.1+ nor does it expose the constants related to TLS 1.1+. Since this code is doing more robust feature detection (and not assuming modern ssl implies TLS 1.1+ support), we now get TLS 1.0 warnings when running on Apple Python. Hence the test changes. I'm not super thrilled about shipping a Mercurial that always whines about TLS 1.0 on OS X. We may want a follow-up patch to suppress this warning.
129 lines
4.2 KiB
Perl
129 lines
4.2 KiB
Perl
#require serve ssl
|
|
|
|
Set up SMTP server:
|
|
|
|
$ CERTSDIR="$TESTDIR/sslcerts"
|
|
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
|
|
|
|
$ python "$TESTDIR/dummysmtpd.py" -p $HGPORT --pid-file a.pid -d \
|
|
> --tls smtps --certificate `pwd`/server.pem
|
|
listening at localhost:$HGPORT
|
|
$ cat a.pid >> $DAEMON_PIDS
|
|
|
|
Ensure hg email output is sent to stdout:
|
|
|
|
$ unset PAGER
|
|
|
|
Set up repository:
|
|
|
|
$ hg init t
|
|
$ cd t
|
|
$ cat <<EOF >> .hg/hgrc
|
|
> [extensions]
|
|
> patchbomb =
|
|
> [email]
|
|
> method = smtp
|
|
> [smtp]
|
|
> host = localhost
|
|
> port = $HGPORT
|
|
> tls = smtps
|
|
> EOF
|
|
|
|
$ echo a > a
|
|
$ hg commit -Ama -d '1 0'
|
|
adding a
|
|
|
|
Utility functions:
|
|
|
|
$ DISABLECACERTS=
|
|
$ try () {
|
|
> hg email $DISABLECACERTS -f quux -t foo -c bar -r tip "$@"
|
|
> }
|
|
|
|
Our test cert is not signed by a trusted CA. It should fail to verify if
|
|
we are able to load CA certs:
|
|
|
|
#if sslcontext defaultcacerts no-defaultcacertsloaded
|
|
$ try
|
|
this patch series consists of 1 patches.
|
|
|
|
|
|
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
|
|
(?i)abort: .*?certificate.verify.failed.* (re)
|
|
[255]
|
|
#endif
|
|
|
|
#if no-sslcontext defaultcacerts
|
|
$ try
|
|
this patch series consists of 1 patches.
|
|
|
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
|
|
(using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
|
|
(?i)abort: .*?certificate.verify.failed.* (re)
|
|
[255]
|
|
#endif
|
|
|
|
#if defaultcacertsloaded
|
|
$ try
|
|
this patch series consists of 1 patches.
|
|
|
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
|
(using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
|
|
(?i)abort: .*?certificate.verify.failed.* (re)
|
|
[255]
|
|
|
|
#endif
|
|
|
|
#if no-defaultcacerts
|
|
$ try
|
|
this patch series consists of 1 patches.
|
|
|
|
|
|
(unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
|
|
abort: localhost certificate error: no certificate received
|
|
(set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
|
|
[255]
|
|
#endif
|
|
|
|
$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
|
|
|
|
Without certificates:
|
|
|
|
$ try --debug
|
|
this patch series consists of 1 patches.
|
|
|
|
|
|
(using smtps)
|
|
sending mail: smtp host localhost, port * (glob)
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
|
(verifying remote certificate)
|
|
abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
|
|
(see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
|
|
[255]
|
|
|
|
With global certificates:
|
|
|
|
$ try --debug --config web.cacerts="$CERTSDIR/pub.pem"
|
|
this patch series consists of 1 patches.
|
|
|
|
|
|
(using smtps)
|
|
sending mail: smtp host localhost, port * (glob)
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
|
(verifying remote certificate)
|
|
sending [PATCH] a ...
|
|
|
|
With invalid certificates:
|
|
|
|
$ try --config web.cacerts="$CERTSDIR/pub-other.pem"
|
|
this patch series consists of 1 patches.
|
|
|
|
|
|
warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
|
|
(?i)abort: .*?certificate.verify.failed.* (re)
|
|
[255]
|
|
|
|
$ cd ..
|