<div dir="ltr">If it isn't obvious, this series replaces the 2 patchbombs I sent in the past ~12 hours. Please discard the previous patches.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 13, 2016 at 12:18 AM, Gregory Szorc <span dir="ltr"><<a href="mailto:gregory.szorc@gmail.com" target="_blank">gregory.szorc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"># HG changeset patch<br>
# User Gregory Szorc <<a href="mailto:gregory.szorc@gmail.com">gregory.szorc@gmail.com</a>><br>
# Date 1468387564 25200<br>
#      Tue Jul 12 22:26:04 2016 -0700<br>
# Node ID 2f6559dcc8b8036aaafe6c679913efff8f25455a<br>
# Parent  e5b4d79a9140c3d90e9b6aa22070351b73ef2d4c<br>
tests: regenerate x509 test certificates<br>
<br>
The old x509 test certificates were using cryptographic settings<br>
that are ancient by today's standards, namely 512 bit RSA keys.<br>
To put things in perspective, browsers have been dropping support<br>
for 1024 bit RSA keys.<br>
<br>
I think it is important that tests match the realities of the times.<br>
And 2048 bit RSA keys with SHA-2 hashing are what the world is<br>
moving to.<br>
<br>
This patch replaces all the x509 certificates with new versions using<br>
modern best practices. In addition, the docs for generating the<br>
keys have been updated, as the existing docs left out a few steps,<br>
namely how to generate certs that were not active yet or expired.<br>
<br>
diff --git a/tests/sslcerts/README b/tests/sslcerts/README<br>
--- a/tests/sslcerts/README<br>
+++ b/tests/sslcerts/README<br>
@@ -1,26 +1,50 @@<br>
-Certificates created with:<br>
- printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \<br>
- openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem<br>
-Can be dumped with:<br>
- openssl x509 -in pub.pem -text<br>
-<br>
- - priv.pem<br>
- - pub.pem<br>
- - pub-other.pem<br>
-<br>
-pub.pem patched with other notBefore / notAfter:<br>
+Generate a private key (priv.pem):<br>
<br>
- - pub-not-yet.pem<br>
- - pub-expired.pem<br>
+  $ openssl genrsa -out priv.pem 2048<br>
<br>
-Client certificates created with:<br>
- openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512<br>
- openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem<br>
- printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \<br>
- openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem<br>
- openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \<br>
- -set_serial 01 -out client-cert.pem<br>
+Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):<br>
<br>
- - client-key.pem<br>
- - client-key-decrypted.pem<br>
- - client-cert.pem<br>
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \<br>
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem<br>
+<br>
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \<br>
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem<br>
+<br>
+Now generate an expired certificate by turning back the system time:<br>
+<br>
+  $ date --set='2016-01-01T00:00:00Z'<br>
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \<br>
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem<br>
+<br>
+Generate a certificate not yet active by advancing the system time:<br>
+<br>
+  $ date --set='2030-01-01T00:00:00Z'<br>
+  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \<br>
+    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem<br>
+<br>
+Note: When adjusting system time, verify the time change sticks. If running<br>
+systemd, you may want to use `timedatectl set-ntp false` and e.g.<br>
+`timedatectl set-time '2016-01-01 00:00:00'` to set system time.<br>
+<br>
+Generate a passphrase protected client certificate private key:<br>
+<br>
+  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048<br>
+<br>
+Create a copy of the private key without a passphrase:<br>
+<br>
+  $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem<br>
+<br>
+Create a CSR and sign the key using the server keypair:<br>
+<br>
+  $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \<br>
+    openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem<br>
+  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \<br>
+    -set_serial 01 -out client-cert.pem<br>
+<br>
+When replacing the certificates, references to certificate fingerprints will<br>
+need to be updated in test files.<br>
+<br>
+Fingerprints for certs can be obtained by running:<br>
+<br>
+  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint<br>
+  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint<br>
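Review bot: the client certificate signing step (`openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem ...`) does not pass `-sha256`, while every `openssl req` command above it does, so the digest of client-cert.pem depends on the default of whichever OpenSSL build is used to regenerate it. Add `-sha256` there so the documented procedure always gives the SHA-2 signature the commit message asks for. The two `date --set` steps also leave the machine with a wrong clock and, if the `timedatectl set-ntp false` advice was followed, with NTP disabled; add a closing step that restores the time and runs `timedatectl set-ntp true`.<br>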
diff --git a/tests/sslcerts/client-cert.pem b/tests/sslcerts/client-cert.pem<br>
--- a/tests/sslcerts/client-cert.pem<br>
+++ b/tests/sslcerts/client-cert.pem<br>
@@ -1,9 +1,17 @@<br>
 -----BEGIN CERTIFICATE-----<br>
-MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx<br>
-GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z<br>
-OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv<br>
-c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH<br>
-R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB<br>
-MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/<br>
-NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==<br>
+MIICyTCCAbECAQEwDQYJKoZIhvcNAQELBQAwMTESMBAGA1UEAwwJbG9jYWxob3N0<br>
+MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwHhcNMTYwNzEzMDQ0NzIxWhcN<br>
+NDEwMzA0MDQ0NzIxWjAkMSIwIAYJKoZIhvcNAQkBFhNoZy1jbGllbnRAbG9jYWxo<br>
+b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6upuVmEs1dTpBWRe<br>
+4LLM1ARhnMQpI6jaQ8JKzQghMU/3T3n6Qkimt2HmxuiczvsawAbUPpBAxZbBnKmX<br>
+bKMiXjtQaO4o4gnyNZVuBgkq2Grc2BREOf0vtUvnPumlnjyAcMNRm6iVbbOerPzV<br>
+Dn1nH7Ljf9UKyGl/Qj6eOAgez/TDui2fo5FUfaqUzF8B7FoaRmsErZZU9pJ+etKX<br>
+M2DlLGofYNbOi+K0RbPypKNzeInNUnvh9JXKntmLQHRwXDSvcGveKepfVlmz/qme<br>
+DqhQSonIXTektdyZ5g9dOvxEjQSYHp+7exIKvrpXLfou3s9nCUTs6ekQLi1Tb4Pn<br>
+gbhauwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDVgUHJlu4quQCfeHPoemj+6Jp+<br>
+M140lY7DGFyiGfHP7KcxXiJHagbUC5D1IPYARwhh7Rdssy0FsmWQKYl8LXKvstz4<br>
+zCgz9gxb7vydkZLF49lP1I13Pekoz99381RrXUYomHbx6jKPiOha7ikfAUefop0n<br>
+uwfeQ5f6mfr0AcXmu6W7PHYMcPTK0ZyzoZwobRktKZ+OiwjW/nyolbdXxwU+kRQs<br>
+r0224+GBuwPWmXAobHgPhtClHXYa2ltL1qFFQJETJt0HjhH89jl5HWJl8g3rqccn<br>
+AkyiRIGDAWJsiQTOK7iOy0JSbmT1ePrhAyUoZO8GPbBsOdSdBMM32Y3HAKQz<br>
 -----END CERTIFICATE-----<br>
diff --git a/tests/sslcerts/client-key-decrypted.pem b/tests/sslcerts/client-key-decrypted.pem<br>
--- a/tests/sslcerts/client-key-decrypted.pem<br>
+++ b/tests/sslcerts/client-key-decrypted.pem<br>
@@ -1,9 +1,27 @@<br>
 -----BEGIN RSA PRIVATE KEY-----<br>
-MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb<br>
-FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6<br>
-AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT<br>
-AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop<br>
-4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5<br>
-+MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01<br>
-mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY<br>
+MIIEpQIBAAKCAQEA6upuVmEs1dTpBWRe4LLM1ARhnMQpI6jaQ8JKzQghMU/3T3n6<br>
+Qkimt2HmxuiczvsawAbUPpBAxZbBnKmXbKMiXjtQaO4o4gnyNZVuBgkq2Grc2BRE<br>
+Of0vtUvnPumlnjyAcMNRm6iVbbOerPzVDn1nH7Ljf9UKyGl/Qj6eOAgez/TDui2f<br>
+o5FUfaqUzF8B7FoaRmsErZZU9pJ+etKXM2DlLGofYNbOi+K0RbPypKNzeInNUnvh<br>
+9JXKntmLQHRwXDSvcGveKepfVlmz/qmeDqhQSonIXTektdyZ5g9dOvxEjQSYHp+7<br>
+exIKvrpXLfou3s9nCUTs6ekQLi1Tb4PngbhauwIDAQABAoIBABATjQuCSPQ1RuEk<br>
+lk2gTt4vkpKM5hfXpWA/uqi/Zq4eP9mDinngyPAB1i5Emv6bNqBvlzTU4GnlQEi9<br>
+XmyD2YVDX+RecBPQBHBgUpA9Ll5zKbvr3yNszUgF8sRebwQeNdgBteMGLXu9cB18<br>
+jAQa1uTXdDQ6WyuN9LSO3nsNKzal8uucnZxdfFDIHx0MahPlrPfAkqzeKxxfyyRE<br>
+jzia24oE+ewE8GHX/TvYnPybCPmBtRwbldA32vx8HbDCvlJanw3dyL98isBa5prr<br>
+DsFaDltWzTKdJOIntdTJXRUDwYp7526bUEdGo/1FddbjW6Th8sXiJu91nL3BD/Qk<br>
+mW102bECgYEA/zEtKgXjPeV9e3/vvAYU2Bsq8TkmhU6ZiZOQCdPWUNOsyfxibJBk<br>
+XXsldtZ111vX/+fdGVPFJRoL1Qf4Xjf3MILVhAAcmfTpnWkdbveOrdCjbACE/ReQ<br>
+xkExZdXhBd9YTS8IelL/Hv45FUo7UWWitgtvTG6caN3LaBTx1o2DiTkCgYEA66jS<br>
+RQrsjRNT+cf7HBmKrKd7EknAH2v83ZyPd49BSBiNnmWaqPG2NxCLWpKks20xvRo2<br>
+j8nftCsu9vSXv+KLnSb2CfOefvNoui7wQyiiWxrMBEPn8DS5E7ctqAiIhQsWEK+e<br>
+n9E0PW/wyKI1Gk5U1nHwEJt196kYPzD8QgnwB5MCgYEAloVrHl5aqyex3CaaQU1U<br>
+/iMIMUCEeBzkc0GWtDU/NG2mfX1gkKiaiokYj//vgheqUEdzIn1Gy5uRXxZUaT6Z<br>
+jwOc7T8jn6vWIALgWZOrlNp7ijjEOISt4EKT4H1HPS9/5gbX+U77LEzHXsdqNZi9<br>
+YKNeArc7ip9IWxv/iY3vCAECgYEAgMjOuGqC4Ynpf3x5T17p+PbB/DmPo9xY4ScZ<br>
+BEamb2bzpddy0NbfNHJ3JXU0StXms6gqnyO8e/KJhO4gK/37PFO5a7DWMhyFZBIY<br>
+vSrspwsa6U3O5+d4KT0W11hqewKW+WFwN3iVqumM1ahHiuu500OK5RiAPGsNVCNK<br>
+CDD0Gr8CgYEAzwTt62ke3zCFOZ2E6EIR6eM+0Q9+B5zceU8DAZaTTxP4532HnT6/<br>
+iHMQvUh0KBE4Rxw3MeSgpe7gKIcMKXubrcDIsEz8vhhOM1xsYIzVEWLtoCLPTaSF<br>
+OWQsk98VDt3SgEjb25nOjJ24zZzUVk45OiGUoxfn1Bp6BbJH7IDihCk=<br>
 -----END RSA PRIVATE KEY-----<br>
diff --git a/tests/sslcerts/client-key.pem b/tests/sslcerts/client-key.pem<br>
--- a/tests/sslcerts/client-key.pem<br>
+++ b/tests/sslcerts/client-key.pem<br>
@@ -1,12 +1,30 @@<br>
 -----BEGIN RSA PRIVATE KEY-----<br>
 Proc-Type: 4,ENCRYPTED<br>
-DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8<br>
+DEK-Info: AES-256-CBC,ADE9D82AA8D8023CD4E9B67FECD9FE08<br>
<br>
-JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF<br>
-BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS<br>
-jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7<br>
-Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2<br>
-u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/<br>
-CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl<br>
-bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=<br>
+tjMPfTx/dFicleUbh4pH4f5RUtgZwamcU/uy246wk+f2EBG7pVKEEmoXm8rWW2tW<br>
+xlp9BjL6yCBxoB/GGPjFAoqjQmnUQMxy/P0OWqur3t0+GrB4Fw9hB82fxgnAaydF<br>
+10fw+bRMCfxJMRfa2nEkLzL9za6TF0IOvAYYza/rCxgOQiLg/py9V29wjVnIW9Dt<br>
+B/GxfblTv9K2JBEVdKNWIGT1ZGxem8qiXctbufIXDr+dEEoFUKh+wvkmwVhBaSXi<br>
+gw6fAoATz0Lpd+9d0bqEC1wC3NFdxABYUjZMQ7+xtNzaSCdXiWgv4ix1kzoY8rIi<br>
+mnaSH1VdO27fzA0aOgi6/FAYCT0H3bEQIPgcA47kpty8a27OCylHZGa+vnmBnEtv<br>
+qZeO9kX3Dmoi7vzXL8vjf41ZY7eTU6kYWktdBw/gM65goGINPFx85gli3k5I7+TR<br>
+DQ1shyAmmMU9rH+YamZ9Hs4SLfAe7xPI/7i/upMsz56c57/HlvUwHr0as+L7WDZP<br>
+iX/oW2DQmwN/C5owMPttM7dg2PvSw/Blte5lvloLbmhQTzzw0MDkPHkGt+5Hhjcl<br>
+NwoaVCzT4Kg3E7fcXrKr80vYP9fOQIbCT5qtZ2/cTNLk8XYmLJm8Q7e1XqvuY9sQ<br>
+K7xQ5iLz0PjWDtgbculcb3tQIIUcf/Ss9nCakWr6r4pPIQjDVJh07L7ou76n2PVs<br>
+zJh6cJBgTEUaRWTQgGVH9euyQU3pXHLR0nk5zN4uAOVWdR7eiiskYwT3pM6HiER8<br>
+ZYTs+fJtQD9gJPhBAa3LX5L7kWADxGFdAH5qoTn1SSJY4RIVFVfRfxXmQuTGlRQB<br>
+UEh5Q3bdYKeauw3E9kBaYMYu19223XsAyuvs7/nB02DV6dFjTCGLsrv3JEgf+Wx6<br>
+biCfoOrR1Kt2ez8QR9/6TIbz36kc2Jo3m2jKqUrNx1/gLj+coklSET09IwRZ0voi<br>
+7ype+4mHFEzwiSxmugLfdnU8d9PkzFzUiu3qSYeD2DR9hBgnZtgu0fFnSCmqFDXG<br>
+H1yWy6X6Wiqx6abPVq1ODZgeTmsjJsMLDB6PUbQyESp9ICRJyPPCrMi6UpLrWMto<br>
+A764n5w8B2g/GPJfz1sPePZYi6sumd9UqTQ8UhM644oOlxPWufiBeTiPm1W73PSZ<br>
+6DmLyVEh+kcfID6xq3tWVAuiPO1jMpQGoLKXO7oxGvmTNY/Va++j22DpzNoj1hTJ<br>
+cnFOQZARKrSooAnngwUP68tGVo/+fxzWG95t7IZy8BvszP09VT1jcHOfFIZqHa/V<br>
+rI/JrWSK+tu75Ot63QQpm1x7xSctMZg71w7riVipA+8F1FBdmp+lhOQkEMytngIA<br>
+jKovkuwo8AiQvYCDspEcGSroQmOh1d5TraRyhTuRdiefLVSh05kVGCd6/UsVqdZs<br>
+j+HEyepn4/A9xpHRBTWfCwBFFktAgSdCUOLh5xsT2MbbT/0wDoneD/uay0NakWXB<br>
+zuVsaasx0Yl2cqvXKVUMphmbqMa859BNVqEK3l3tYZdvHiwT8J1LnEEK4KiBa2zZ<br>
++8FcFvD8x1NZBcCBArYP59MbCQOC2QBPJe/oCiUVhN8kRIwlwOhytbW+QIuLZHi4<br>
 -----END RSA PRIVATE KEY-----<br>
diff --git a/tests/sslcerts/priv.pem b/tests/sslcerts/priv.pem<br>
--- a/tests/sslcerts/priv.pem<br>
+++ b/tests/sslcerts/priv.pem<br>
@@ -1,10 +1,27 @@<br>
------BEGIN PRIVATE KEY-----<br>
-MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH<br>
-aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8<br>
-j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc<br>
-EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG<br>
-MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR<br>
-+wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy<br>
-aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh<br>
-HY8gUVkVRVs=<br>
------END PRIVATE KEY-----<br>
+-----BEGIN RSA PRIVATE KEY-----<br>
+MIIEpQIBAAKCAQEA2Ugt7jQrD+u+JtIfXZpVepzOAufcX4CMoHV95qZXZml2juGp<br>
+x3T7wjQPB/IPoOpRG9CoCaekKK+bIqQX1qNuiUa2CsqchNQcua2js5DTttmRYC+f<br>
+wHaQc0UY1QKe/0r8NFX1XoeIWfuL+0UAERoI1zmhu9px5326C7PoyBPIubT0ejLV<br>
+LfciFgyHDmqvYGu6cUBpNFrAi8csPNGcyie1Axh0wZ/9jvHdN+iGmaV9GZObGv0G<br>
+ZpbWlJm8fG+mH1qMFYA6mnknJbEBBTnV0IWdGJalGnz+5GfCvhxzYcEWmLDeO/7F<br>
+NrWMVT9L8Ky65cygCeJ4lEW1XB1w/6rQYjaSnwIDAQABAoIBAAwDAH8FpUfJCYcN<br>
+4KwFByqzFnR0qusgqSWJuT8R/QztUZ+OfBtJrU1MIXSX/iMwMPGvtEpsWRfitVnR<br>
+5nt4J3kxTokEMGjrbPca0Uzw+bNHDdFacKNsKookzL2h2nZUh+LAycLDDVekH1Xx<br>
+t5I6dTiot/cxmVBp0+ontPuylEsnyrQio6eljBfPzxBdRp2lkiymKf3jvbGXRnZ4<br>
+jSFTRuUlbnVbZ3CKnFPU+d5tvn2nEwU/DVbGpJNZAPl99Q0XUcNF3AtGlwGMvi0X<br>
+azcIIOn+swLjn+U2S6i3K234ItYS5I+c9Xi+9DO4fuVko+CQ8PWXP2HdAze7DENc<br>
+zADmd0kCgYEA7nN+qUFAmMOcRE8nSNLt7mcwq6fYQ1MVGikCIXn/PI/wfEqY0lws<br>
+ZhwykBXog0S7PzYkR3LcDOqN0wDcdJ3K4c/a6Z6IqbXMgxaosYfHCCMtdhy0g0F2<br>
+ek0SaY3WQhpFRIG19hvB+ZJSc7JQt+TaXeb8HM1452kmOLpfQGiqqTsCgYEA6UXZ<br>
+bI7c2jO1X+rWF2tZfZdtdeVrIVcm8BunF7ETC4iK/iH2phRQQAh4TFZm6wkX57Tv<br>
+LKDGxmohFlEK7FOtSCeSSVfkvZYRBuHOYcwBgBr1XzXXjHcMoyr0+LflZysht151<br>
+9F0hJwdGQZrivZnv9clJ632RlgE4XlPGskQhRe0CgYEAxVGdhsIQilmUfpJhl8m0<br>
+SovpoqKKO2wNElDNCpbBt4QFJVU1kR3lP7olvUXj2nyN1okfDGDn52hRZEJaK8ZH<br>
+lQVDyf7+aDGgwvmFLyOEeB9kB1FJrzQErsAIdICCxMCogUA1KytdIQEMaeEtGn+u<br>
+k/YIumztl9FTZ64SFGKIlvECgYEA25Kb7csrp1g0yWxKyRCK0+TNa8Pe6ysVw7zD<br>
+s1FCFAEak8t0Vy+Xui4+zdwmU+XjUn7FAsTzVaBgNJlkJr88xEY7ND4/WRUAQfIa<br>
+SYO1hdfaTxxnIBiPFKdCnzq5/DplKi0H6lQe+JWoU+hutPlJHZmysq8ncoMDhAZn<br>
+aTUn/KECgYEAvxGaWt4Fn2tRrHeaG0qT+nMBxd8cTiFInOcYDeS/FlQo3DTDK2Ai<br>
+qLBa4DinnGN2hSKwnN3R5R2VRxk4I6+ljG0yuNBhJBcAgAFpnHfkuY1maQJB+1xY<br>
+A07WcM4J3yuPfjcDkipNFQa4Y8oJCaS2yiOPvlUfNQrCLAV+YqHZiiQ=<br>
+-----END RSA PRIVATE KEY-----<br>
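Review bot: the PEM header of priv.pem changes from `-----BEGIN PRIVATE KEY-----` (PKCS#8) to `-----BEGIN RSA PRIVATE KEY-----` (traditional RSA format), which is a container format change on top of the key size change and is not mentioned in the commit message. Please confirm the test server loads the new format on all supported Python/OpenSSL combinations, and say in the README which format the tests expect so that a regeneration with a different OpenSSL version does not change it silently.<br>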
diff --git a/tests/sslcerts/pub-expired.pem b/tests/sslcerts/pub-expired.pem<br>
--- a/tests/sslcerts/pub-expired.pem<br>
+++ b/tests/sslcerts/pub-expired.pem<br>
@@ -1,10 +1,20 @@<br>
 -----BEGIN CERTIFICATE-----<br>
-MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs<br>
-aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx<br>
-NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv<br>
-c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK<br>
-EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA<br>
-+ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T<br>
-BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt<br>
-2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=<br>
+MIIDNTCCAh2gAwIBAgIJANRJCnkBtkkOMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV<br>
+BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2<br>
+MDEwMTA4MDAzMFoXDTE2MDEwMjA4MDAzMFowMTESMBAGA1UEAwwJbG9jYWxob3N0<br>
+MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA<br>
+A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO<br>
+4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg<br>
+L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6<br>
+MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa<br>
+/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47<br>
+/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW<br>
+BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p<br>
+575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBnY2r60iGg<br>
+0BqR5vOj//XjS1FZKNG6+n3MKgxBY3pqFbqsCJfX5GfWD3GHJRXzv3p1MXIP3BWj<br>
+zFutg+FE2QChQFwZjJu3E1VnIZN5ytYBltGHwaCEUdGq9sAZ9R2Jdf8xhQa5h+1U<br>
+NZJvYbhCyecnUh2/Dkj2pFoF7wv7BtWFJV20WzHesN/Dik51cr6yFSn4nJb6YAMw<br>
+t4/Vnf24v36WwnBoO5VqO+ntISTD6CS3EE5Gqv2ZMQtFaMoRfKIBaDIKHvbYeXdX<br>
+2gDTKWnS5KJYWmsl6N2CPjrHJJphaFGSKFAivmT24Q+JSKcC9hww7gvnGcVmsFan<br>
+H5xwzFQW2cna<br>
 -----END CERTIFICATE-----<br>
diff --git a/tests/sslcerts/pub-not-yet.pem b/tests/sslcerts/pub-not-yet.pem<br>
--- a/tests/sslcerts/pub-not-yet.pem<br>
+++ b/tests/sslcerts/pub-not-yet.pem<br>
@@ -1,10 +1,20 @@<br>
 -----BEGIN CERTIFICATE-----<br>
-MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs<br>
-aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw<br>
-NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv<br>
-c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK<br>
-EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA<br>
-+ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T<br>
-BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb<br>
-/12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=<br>
+MIIDNTCCAh2gAwIBAgIJAJvD5nejIHr2MA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV<br>
+BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTMw<br>
+MDEwMTA4MDAwOFoXDTMwMDEwMjA4MDAwOFowMTESMBAGA1UEAwwJbG9jYWxob3N0<br>
+MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA<br>
+A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO<br>
+4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg<br>
+L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6<br>
+MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa<br>
+/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47<br>
+/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW<br>
+BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p<br>
+575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC0VDzAqPiL<br>
+6U8yqaQqXdS6iK49yDQe9qzxzNnAZnj4YCsa5+qYSf+jl49Rak+pGw3AmN9gl6xq<br>
+aaP5xAlS8F0lnfZ5NcXmmp4Lt25qdu9J9qIPEAL4/ucirDr/cphCbDtzaWsrfi9j<br>
+YjVzSqoSEdnV1x9GkkLVwQRmA+D/2+95pgx6UNchqMbXuEQkAv9kVOzSG62OOAzO<br>
+z2Wct6b+DFbfFI0xcvKeJRGogjkd5QrF1XxU7e5u17DAN7/nhahv43ol3eC/fUiH<br>
+ITZpEc+/WdVtUwZQtoEQuBLB1Mc8QvYUUksUv9+KVjZ4o2oqApup7k7oMSPYNPTf<br>
+2O99CXjOCl9k<br>
 -----END CERTIFICATE-----<br>
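Review bot: per the README commands in this patch, pub-not-yet.pem is generated with `date --set='2030-01-01T00:00:00Z'` and `-days 1`, so its validity window is a single day starting in 2030. From that date on it is no longer a not-yet-valid certificate, and a day later it is simply expired, so the test that relies on it will stop exercising the not-yet-valid path. Pick a start date much further out, or record the cutoff in the README so the file is regenerated before then.<br>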
diff --git a/tests/sslcerts/pub-other.pem b/tests/sslcerts/pub-other.pem<br>
--- a/tests/sslcerts/pub-other.pem<br>
+++ b/tests/sslcerts/pub-other.pem<br>
@@ -1,11 +1,20 @@<br>
 -----BEGIN CERTIFICATE-----<br>
-MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV<br>
-BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw<br>
-MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0<br>
-MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL<br>
-ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo<br>
-K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN<br>
-y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw<br>
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6<br>
-bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=<br>
+MIIDNTCCAh2gAwIBAgIJAMXBgtbkFDfwMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV<br>
+BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2<br>
+MDcxMzA0MTcyOFoXDTQxMDMwNDA0MTcyOFowMTESMBAGA1UEAwwJbG9jYWxob3N0<br>
+MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA<br>
+A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO<br>
+4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg<br>
+L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6<br>
+MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa<br>
+/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47<br>
+/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW<br>
+BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p<br>
+575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDLxD+Q90Ue<br>
+zrkmq964pzl+9zd0Y1ODSBnwaZfJxaoyFwRpYva1GYyz2CnJZEDjh8nUbo/jmEU1<br>
+9D91YT8e3plgcpsuxp0YhCUJbTz56k2OOq/MyrX+KgrC2VAdGbhr/C3hNkGKBzdu<br>
++8p+z3jBUkiQFRb8xc485v1zkOX1lPN3tSAEOcja/lslmHV1UQhEYI/Ne2z/i/rQ<br>
+uVtC28dTHoPnJykIhXBwgxuAL3G3eFpCRemHOyTlzNDQQxkgMNAYenutWpYXjM2Z<br>
+paplLANjV+X91wyAXZ1XZ+5m7yLA7463MwOPU3Ko+HcyKKjPO+wJwVJbEpXr3rPR<br>
+getT2CfPFLMe<br>
 -----END CERTIFICATE-----<br>
diff --git a/tests/sslcerts/pub.pem b/tests/sslcerts/pub.pem<br>
--- a/tests/sslcerts/pub.pem<br>
+++ b/tests/sslcerts/pub.pem<br>
@@ -1,11 +1,20 @@<br>
 -----BEGIN CERTIFICATE-----<br>
-MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV<br>
-BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw<br>
-MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0<br>
-MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL<br>
-ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX<br>
-6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm<br>
-r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw<br>
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl<br>
-t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=<br>
+MIIDNTCCAh2gAwIBAgIJAJ12yUL2zGhzMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV<br>
+BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2<br>
+MDcxMzA0MTcxMloXDTQxMDMwNDA0MTcxMlowMTESMBAGA1UEAwwJbG9jYWxob3N0<br>
+MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA<br>
+A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO<br>
+4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg<br>
+L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6<br>
+MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa<br>
+/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47<br>
+/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW<br>
+BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p<br>
+575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCzJhM/OBoS<br>
+JXnjfLhZqi6hTmx1XC7MR05z4fWdyBhZx8PwSDEjxAj/omAm2RMEx/Fv1a7FO6hd<br>
+ClYsxxSfWJO7NQ3V4YLn9AvNr5gcxuXV/4bTtEFNebuzhV06u5nH7pGbHbkxCI+u<br>
+QekmRTvKIojr8F44cyszEk+MZQ5bFBElByjVzgXNvAaDP0ryUL5eQhLrkuwbNFLQ<br>
+mFf7EaerMuM28x1knhiH/39s7t92CJgm9+D60TmJ4XXwue1gZ0v9MVS18iOuWyio<br>
+BklppJsdtDLxHTHGNlBeHdam5VejbXRo7s0y5OfuATwlgcaCMYC/68hVJYwl/GZ7<br>
+3YpdNpMshSaE<br>
 -----END CERTIFICATE-----<br>
diff --git a/tests/test-https.t b/tests/test-https.t<br>
--- a/tests/test-https.t<br>
+++ b/tests/test-https.t<br>
@@ -67,32 +67,32 @@ we are able to load CA certs.<br>
   abort: error: *certificate verify failed* (glob)<br>
   [255]<br>
 #endif<br>
<br>
 #if no-sslcontext osx<br>
   $ hg clone https://localhost:$HGPORT/ copy-pull<br>
   (unable to load CA certificates; see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this message)<br>
   abort: localhost certificate error: no certificate received<br>
-  (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)<br>
+  (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)<br>
   [255]<br>
 #endif<br>
<br>
 #if defaultcacertsloaded<br>
   $ hg clone https://localhost:$HGPORT/ copy-pull<br>
   (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this message) (glob) (?)<br>
   abort: error: *certificate verify failed* (glob)<br>
   [255]<br>
 #endif<br>
<br>
 #if no-defaultcacerts<br>
   $ hg clone https://localhost:$HGPORT/ copy-pull<br>
   (unable to load * certificates; see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this message) (glob) (?)<br>
   abort: localhost certificate error: no certificate received<br>
-  (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)<br>
+  (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)<br>
   [255]<br>
 #endif<br>
<br>
 Specifying a per-host certificate file that doesn't exist will abort<br>
<br>
   $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/<br>
   abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist<br>
   [255]<br>
@@ -141,31 +141,31 @@ A per-host certificate with multiple cer<br>
   requesting all changes<br>
   adding changesets<br>
   adding manifests<br>
   adding file changes<br>
   added 1 changesets with 4 changes to 4 files<br>
<br>
 Defining both per-host certificate and a fingerprint will print a warning<br>
<br>
-  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning<br>
+  $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning<br>
   (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)<br>
   requesting all changes<br>
   adding changesets<br>
   adding manifests<br>
   adding file changes<br>
   added 1 changesets with 4 changes to 4 files<br>
<br>
   $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"<br>
<br>
 Inability to verify peer certificate will result in abort<br>
<br>
   $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS<br>
   abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect<br>
-  (see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)<br>
+  (see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)<br>
   [255]<br>
<br>
   $ hg clone --insecure https://localhost:$HGPORT/ copy-pull<br>
   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering<br>
   requesting all changes<br>
   adding changesets<br>
   adding manifests<br>
   adding file changes<br>
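Review bot: the SHA-1 value on the `--config hostsecurity.localhost:fingerprints=sha1:...` command line in this hunk is a hand-edited literal, and the same SHA-1 and SHA-256 literals are repeated across the other hunks of this file, so every regeneration of pub.pem means editing each occurrence and a missed one only shows up as a test failure. Consider assigning both fingerprints to shell variables once near the top of the test and using them on the command lines, leaving only the expected-output lines to update.<br>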
@@ -187,17 +187,17 @@ Inability to verify peer certificate wil<br>
 pull without cacert<br>
<br>
   $ cd copy-pull<br>
   $ echo '[hooks]' >> .hg/hgrc<br>
   $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc<br>
   $ hg pull $DISABLECACERTS<br>
   pulling from https://localhost:$HGPORT/<br>
   abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect<br>
-  (see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)<br>
+  (see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)<br>
   [255]<br>
<br>
   $ hg pull --insecure<br>
   pulling from https://localhost:$HGPORT/<br>
   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering<br>
   searching for changes<br>
   adding changesets<br>
   adding manifests<br>
@@ -251,17 +251,17 @@ empty cacert file<br>
 #endif<br>
<br>
 cacert mismatch<br>
<br>
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \<br>
   > https://127.0.0.1:$HGPORT/<br>
   pulling from https://127.0.0.1:$HGPORT/<br>
   abort: 127.0.0.1 certificate error: certificate is for localhost<br>
-  (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)<br>
+  (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)<br>
   [255]<br>
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \<br>
   > https://127.0.0.1:$HGPORT/ --insecure<br>
   pulling from https://127.0.0.1:$HGPORT/<br>
   warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering<br>
   searching for changes<br>
   no changes found<br>
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"<br>
@@ -293,61 +293,61 @@ Test server cert which no longer is vali<br>
   > https://localhost:$HGPORT2/<br>
   pulling from https://localhost:$HGPORT2/<br>
   abort: error: *certificate verify failed* (glob)<br>
   [255]<br>
<br>
 Fingerprints<br>
<br>
 - works without cacerts (hostkeyfingerprints)<br>
-  $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca<br>
+  $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03<br>
   5fed3813f7f5<br>
<br>
 - works without cacerts (hostsecurity)<br>
-  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca<br>
+  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03<br>
   5fed3813f7f5<br>
<br>
-  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30<br>
+  $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e<br>
   5fed3813f7f5<br>
<br>
 - multiple fingerprints specified and first matches<br>
-  $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure<br>
+  $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure<br>
   5fed3813f7f5<br>
<br>
-  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/<br>
+  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/<br>
   5fed3813f7f5<br>
<br>
 - multiple fingerprints specified and last matches<br>
-  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure<br>
+  $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure<br>
   5fed3813f7f5<br>
<br>
-  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/<br>
+  $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/<br>
   5fed3813f7f5<br>
<br>
 - multiple fingerprints specified and none match<br>
<br>
   $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure<br>
-  abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca<br>
+  abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03<br>
   (check hostfingerprint configuration)<br>
   [255]<br>
<br>
   $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/<br>
-  abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca<br>
+  abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03<br>
   (check hostsecurity configuration)<br>
   [255]<br>
<br>
 - fails when cert doesn't match hostname (port is ignored)<br>
-  $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca<br>
-  abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b<br>
+  $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03<br>
+  abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84<br>
   (check hostfingerprint configuration)<br>
   [255]<br>
<br>
<br>
 - ignores that certificate doesn't match hostname<br>
-  $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca<br>
+  $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03<br>
   5fed3813f7f5<br>
<br>
 HGPORT1 is reused below for tinyproxy tests. Kill that server.<br>
   $ killdaemons.py hg1.pid<br>
<br>
 Prepare for connecting through proxy<br>
<br>
   $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &<br>
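Review bot: The new SHA-1 and SHA-256 fingerprints are pasted as literals into every hostfingerprints and hostsecurity command under "Fingerprints", so the next certificate regeneration means hand-editing each one again. Consider assigning the two values once near the top of the test and referencing them in the commands, keeping literals only in the expected "abort:" output lines. Also, in the "fails when cert doesn't match hostname" case the expected fingerprint belongs to a different certificate than the one being pinned, and nothing in the test says which file it comes from; a one-line comment naming that certificate would let a reader verify the value.<br>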
@@ -369,17 +369,17 @@ Test unvalidated https through proxy<br>
<br>
 Test https with cacert and fingerprint through proxy<br>
<br>
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \<br>
   > --config web.cacerts="$CERTSDIR/pub.pem"<br>
   pulling from https://localhost:$HGPORT/<br>
   searching for changes<br>
   no changes found<br>
-  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca<br>
+  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03<br>
   pulling from https://127.0.0.1:$HGPORT/<br>
   searching for changes<br>
   no changes found<br>
<br>
 Test https with cert problems through proxy<br>
<br>
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \<br>
   > --config web.cacerts="$CERTSDIR/pub-other.pem"<br>
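Review bot: The changed line in "Test https with cacert and fingerprint through proxy" still pins only through the legacy hostfingerprints option with a SHA-1 value. The previous hunk exercises hostsecurity.localhost:fingerprints=sha256:... for direct connections, so adding the same sha256 form for 127.0.0.1 here would cover the newer pinning path through the proxy as well. If that is out of scope for a certificate-regeneration patch, a follow-up is fine.<br>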
diff --git a/tests/test-patchbomb-tls.t b/tests/test-patchbomb-tls.t<br>
--- a/tests/test-patchbomb-tls.t<br>
+++ b/tests/test-patchbomb-tls.t<br>
@@ -92,17 +92,17 @@ Without certificates:<br>
   $ try --debug<br>
   this patch series consists of 1 patches.<br>
<br>
<br>
   (using smtps)<br>
   sending mail: smtp host localhost, port * (glob)<br>
   (verifying remote certificate)<br>
   abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect<br>
-  (see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 to trust this server)<br>
+  (see <a href="https://mercurial-scm.org/wiki/SecureConnections" rel="noreferrer" target="_blank">https://mercurial-scm.org/wiki/SecureConnections</a> for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)<br>
   [255]<br>
<br>
 With global certificates:<br>
<br>
   $ try --debug --config web.cacerts="$CERTSDIR/pub.pem"<br>
   this patch series consists of 1 patches.<br>
<br>
<br>
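Review bot: The sha256 value in the expected hint on the changed line is the same pub.pem fingerprint that test-https.t passes to hostsecurity.localhost:fingerprints, so the two tests now have to be updated in lockstep whenever the certificates change. It would help to say so in a comment above "Without certificates:", or to note in tests/sslcerts/README which test files embed fingerprints, so a future regeneration does not miss this one.<br>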
</blockquote></div><br></div>