[PATCH 1 of 6 V2] tests: regenerate x509 test certificates

Gregory Szorc gregory.szorc at gmail.com
Wed Jul 13 03:19:25 EDT 2016


If it isn't obvious, this series replaces the 2 patchbombs I sent in the
past ~12 hours. Please discard the previous patches.

On Wed, Jul 13, 2016 at 12:18 AM, Gregory Szorc <gregory.szorc at gmail.com>
wrote:

> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1468387564 25200
> #      Tue Jul 12 22:26:04 2016 -0700
> # Node ID 2f6559dcc8b8036aaafe6c679913efff8f25455a
> # Parent  e5b4d79a9140c3d90e9b6aa22070351b73ef2d4c
> tests: regenerate x509 test certificates
>
> The old x509 test certificates were using cryptographic settings
> that are ancient by today's standards, namely 512 bit RSA keys.
> To put things in perspective, browsers have been dropping support
> for 1024 bit RSA keys.
>
> I think it is important that tests match the realities of the times.
> And 2048 bit RSA keys with SHA-2 hashing are what the world is
> moving to.
>
> This patch replaces all the x509 certificates with new versions using
> modern best practices. In addition, the docs for generating the
> keys have been updated, as the existing docs left out a few steps,
> namely how to generate certs that were not active yet or expired.
>
> diff --git a/tests/sslcerts/README b/tests/sslcerts/README
> --- a/tests/sslcerts/README
> +++ b/tests/sslcerts/README
> @@ -1,26 +1,50 @@
> -Certificates created with:
> - printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
> - openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000
> -out pub.pem
> -Can be dumped with:
> - openssl x509 -in pub.pem -text
> -
> - - priv.pem
> - - pub.pem
> - - pub-other.pem
> -
> -pub.pem patched with other notBefore / notAfter:
> +Generate a private key (priv.pem):
>
> - - pub-not-yet.pem
> - - pub-expired.pem
> +  $ openssl genrsa -out priv.pem 2048
>
> -Client certificates created with:
> - openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
> - openssl rsa -in client-key.pem -passin pass:1234 -out
> client-key-decrypted.pem
> - printf '.\n.\n.\n.\n.\n.\nhg-client at localhost\n.\n.\n' | \
> - openssl req -new -key client-key.pem -passin pass:1234 -out
> client-csr.pem
> - openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey
> priv.pem \
> - -set_serial 01 -out client-cert.pem
> +Generate 2 self-signed certificates from this key (pub.pem,
> pub-other.pem):
>
> - - client-key.pem
> - - client-key-decrypted.pem
> - - client-cert.pem
> +  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
> +    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out
> pub.pem
> +
> +  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
> +    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out
> pub-other.pem
> +
> +Now generate an expired certificate by turning back the system time:
> +
> +  $ date --set='2016-01-01T00:00:00Z'
> +  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
> +    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out
> pub-expired.pem
> +
> +Generate a certificate not yet active by advancing the system time:
> +
> +  $ date --set='2030-01-01T00:00:00Z'
> +  $ printf '.\n.\n.\n.\n.\nlocalhost\nhg at localhost\n' | \
> +    openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out
> pub-not-yet.pem
> +
> +Note: When adjusting system time, verify the time change sticks. If
> running
> +systemd, you may want to use `timedatectl set-ntp false` and e.g.
> +`timedatectl set-time '2016-01-01 00:00:00'` to set system time.
> +
> +Generate a passphrase protected client certificate private key:
> +
> +  $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
> +
> +Create a copy of the private key without a passphrase:
> +
> +  $ openssl rsa -in client-key.pem -passin pass:1234 -out
> client-key-decrypted.pem
> +
> +Create a CSR and sign the key using the server keypair:
> +
> +  $ printf '.\n.\n.\n.\n.\n.\nhg-client at localhost\n.\n.\n' | \
> +    openssl req -new -key client-key.pem -passin pass:1234 -out
> client-csr.pem
> +  $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey
> priv.pem \
> +    -set_serial 01 -out client-cert.pem
> +
> +When replacing the certificates, references to certificate fingerprints
> will
> +need to be updated in test files.
> +
> +Fingerprints for certs can be obtained by running:
> +
> +  $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
> +  $ openssl x509 -in pub.pem -noout -sha256 -fingerprint
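Review bot: the client certificate step (`openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem`) does not pass `-sha256`, unlike the server certificate commands above it, so the signature digest depends on the default of whichever OpenSSL build runs the recipe (SHA-1 on older 1.0.x releases); adding `-sha256` there makes the documented procedure reproduce the SHA-256-signed client-cert.pem in this series on any version. Two smaller points in the same hunk: the heading "Create a CSR and sign the key using the server keypair" should read "sign the CSR", and `-nodes` is a no-op in the `openssl req -new -x509 -key priv.pem` invocations because no key is being generated there (it only controls encryption of a key created with `-newkey`). Finally, `date --set` needs root and moves the clock for every process on the machine; running only the openssl command under a clock shim such as `faketime '2016-01-01 00:00:00' openssl req ...` (libfaketime) produces the same backdated notBefore/notAfter without touching system time, and avoids the "verify the time change sticks" caveat entirely.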
> diff --git a/tests/sslcerts/client-cert.pem
> b/tests/sslcerts/client-cert.pem
> --- a/tests/sslcerts/client-cert.pem
> +++ b/tests/sslcerts/client-cert.pem
> @@ -1,9 +1,17 @@
>  -----BEGIN CERTIFICATE-----
> -MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
> -GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
> -OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
> -c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
> -R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
> -MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
> -NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
> +MIICyTCCAbECAQEwDQYJKoZIhvcNAQELBQAwMTESMBAGA1UEAwwJbG9jYWxob3N0
> +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwHhcNMTYwNzEzMDQ0NzIxWhcN
> +NDEwMzA0MDQ0NzIxWjAkMSIwIAYJKoZIhvcNAQkBFhNoZy1jbGllbnRAbG9jYWxo
> +b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6upuVmEs1dTpBWRe
> +4LLM1ARhnMQpI6jaQ8JKzQghMU/3T3n6Qkimt2HmxuiczvsawAbUPpBAxZbBnKmX
> +bKMiXjtQaO4o4gnyNZVuBgkq2Grc2BREOf0vtUvnPumlnjyAcMNRm6iVbbOerPzV
> +Dn1nH7Ljf9UKyGl/Qj6eOAgez/TDui2fo5FUfaqUzF8B7FoaRmsErZZU9pJ+etKX
> +M2DlLGofYNbOi+K0RbPypKNzeInNUnvh9JXKntmLQHRwXDSvcGveKepfVlmz/qme
> +DqhQSonIXTektdyZ5g9dOvxEjQSYHp+7exIKvrpXLfou3s9nCUTs6ekQLi1Tb4Pn
> +gbhauwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDVgUHJlu4quQCfeHPoemj+6Jp+
> +M140lY7DGFyiGfHP7KcxXiJHagbUC5D1IPYARwhh7Rdssy0FsmWQKYl8LXKvstz4
> +zCgz9gxb7vydkZLF49lP1I13Pekoz99381RrXUYomHbx6jKPiOha7ikfAUefop0n
> +uwfeQ5f6mfr0AcXmu6W7PHYMcPTK0ZyzoZwobRktKZ+OiwjW/nyolbdXxwU+kRQs
> +r0224+GBuwPWmXAobHgPhtClHXYa2ltL1qFFQJETJt0HjhH89jl5HWJl8g3rqccn
> +AkyiRIGDAWJsiQTOK7iOy0JSbmT1ePrhAyUoZO8GPbBsOdSdBMM32Y3HAKQz
>  -----END CERTIFICATE-----
> diff --git a/tests/sslcerts/client-key-decrypted.pem
> b/tests/sslcerts/client-key-decrypted.pem
> --- a/tests/sslcerts/client-key-decrypted.pem
> +++ b/tests/sslcerts/client-key-decrypted.pem
> @@ -1,9 +1,27 @@
>  -----BEGIN RSA PRIVATE KEY-----
> -MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
> -FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
> -AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
> -AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
> -4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
> -+MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
> -mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
> +MIIEpQIBAAKCAQEA6upuVmEs1dTpBWRe4LLM1ARhnMQpI6jaQ8JKzQghMU/3T3n6
> +Qkimt2HmxuiczvsawAbUPpBAxZbBnKmXbKMiXjtQaO4o4gnyNZVuBgkq2Grc2BRE
> +Of0vtUvnPumlnjyAcMNRm6iVbbOerPzVDn1nH7Ljf9UKyGl/Qj6eOAgez/TDui2f
> +o5FUfaqUzF8B7FoaRmsErZZU9pJ+etKXM2DlLGofYNbOi+K0RbPypKNzeInNUnvh
> +9JXKntmLQHRwXDSvcGveKepfVlmz/qmeDqhQSonIXTektdyZ5g9dOvxEjQSYHp+7
> +exIKvrpXLfou3s9nCUTs6ekQLi1Tb4PngbhauwIDAQABAoIBABATjQuCSPQ1RuEk
> +lk2gTt4vkpKM5hfXpWA/uqi/Zq4eP9mDinngyPAB1i5Emv6bNqBvlzTU4GnlQEi9
> +XmyD2YVDX+RecBPQBHBgUpA9Ll5zKbvr3yNszUgF8sRebwQeNdgBteMGLXu9cB18
> +jAQa1uTXdDQ6WyuN9LSO3nsNKzal8uucnZxdfFDIHx0MahPlrPfAkqzeKxxfyyRE
> +jzia24oE+ewE8GHX/TvYnPybCPmBtRwbldA32vx8HbDCvlJanw3dyL98isBa5prr
> +DsFaDltWzTKdJOIntdTJXRUDwYp7526bUEdGo/1FddbjW6Th8sXiJu91nL3BD/Qk
> +mW102bECgYEA/zEtKgXjPeV9e3/vvAYU2Bsq8TkmhU6ZiZOQCdPWUNOsyfxibJBk
> +XXsldtZ111vX/+fdGVPFJRoL1Qf4Xjf3MILVhAAcmfTpnWkdbveOrdCjbACE/ReQ
> +xkExZdXhBd9YTS8IelL/Hv45FUo7UWWitgtvTG6caN3LaBTx1o2DiTkCgYEA66jS
> +RQrsjRNT+cf7HBmKrKd7EknAH2v83ZyPd49BSBiNnmWaqPG2NxCLWpKks20xvRo2
> +j8nftCsu9vSXv+KLnSb2CfOefvNoui7wQyiiWxrMBEPn8DS5E7ctqAiIhQsWEK+e
> +n9E0PW/wyKI1Gk5U1nHwEJt196kYPzD8QgnwB5MCgYEAloVrHl5aqyex3CaaQU1U
> +/iMIMUCEeBzkc0GWtDU/NG2mfX1gkKiaiokYj//vgheqUEdzIn1Gy5uRXxZUaT6Z
> +jwOc7T8jn6vWIALgWZOrlNp7ijjEOISt4EKT4H1HPS9/5gbX+U77LEzHXsdqNZi9
> +YKNeArc7ip9IWxv/iY3vCAECgYEAgMjOuGqC4Ynpf3x5T17p+PbB/DmPo9xY4ScZ
> +BEamb2bzpddy0NbfNHJ3JXU0StXms6gqnyO8e/KJhO4gK/37PFO5a7DWMhyFZBIY
> +vSrspwsa6U3O5+d4KT0W11hqewKW+WFwN3iVqumM1ahHiuu500OK5RiAPGsNVCNK
> +CDD0Gr8CgYEAzwTt62ke3zCFOZ2E6EIR6eM+0Q9+B5zceU8DAZaTTxP4532HnT6/
> +iHMQvUh0KBE4Rxw3MeSgpe7gKIcMKXubrcDIsEz8vhhOM1xsYIzVEWLtoCLPTaSF
> +OWQsk98VDt3SgEjb25nOjJ24zZzUVk45OiGUoxfn1Bp6BbJH7IDihCk=
>  -----END RSA PRIVATE KEY-----
> diff --git a/tests/sslcerts/client-key.pem b/tests/sslcerts/client-key.pem
> --- a/tests/sslcerts/client-key.pem
> +++ b/tests/sslcerts/client-key.pem
> @@ -1,12 +1,30 @@
>  -----BEGIN RSA PRIVATE KEY-----
>  Proc-Type: 4,ENCRYPTED
> -DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
> +DEK-Info: AES-256-CBC,ADE9D82AA8D8023CD4E9B67FECD9FE08
>
> -JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
> -BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
> -jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
> -Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
> -u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
> -CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
> -bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
> +tjMPfTx/dFicleUbh4pH4f5RUtgZwamcU/uy246wk+f2EBG7pVKEEmoXm8rWW2tW
> +xlp9BjL6yCBxoB/GGPjFAoqjQmnUQMxy/P0OWqur3t0+GrB4Fw9hB82fxgnAaydF
> +10fw+bRMCfxJMRfa2nEkLzL9za6TF0IOvAYYza/rCxgOQiLg/py9V29wjVnIW9Dt
> +B/GxfblTv9K2JBEVdKNWIGT1ZGxem8qiXctbufIXDr+dEEoFUKh+wvkmwVhBaSXi
> +gw6fAoATz0Lpd+9d0bqEC1wC3NFdxABYUjZMQ7+xtNzaSCdXiWgv4ix1kzoY8rIi
> +mnaSH1VdO27fzA0aOgi6/FAYCT0H3bEQIPgcA47kpty8a27OCylHZGa+vnmBnEtv
> +qZeO9kX3Dmoi7vzXL8vjf41ZY7eTU6kYWktdBw/gM65goGINPFx85gli3k5I7+TR
> +DQ1shyAmmMU9rH+YamZ9Hs4SLfAe7xPI/7i/upMsz56c57/HlvUwHr0as+L7WDZP
> +iX/oW2DQmwN/C5owMPttM7dg2PvSw/Blte5lvloLbmhQTzzw0MDkPHkGt+5Hhjcl
> +NwoaVCzT4Kg3E7fcXrKr80vYP9fOQIbCT5qtZ2/cTNLk8XYmLJm8Q7e1XqvuY9sQ
> +K7xQ5iLz0PjWDtgbculcb3tQIIUcf/Ss9nCakWr6r4pPIQjDVJh07L7ou76n2PVs
> +zJh6cJBgTEUaRWTQgGVH9euyQU3pXHLR0nk5zN4uAOVWdR7eiiskYwT3pM6HiER8
> +ZYTs+fJtQD9gJPhBAa3LX5L7kWADxGFdAH5qoTn1SSJY4RIVFVfRfxXmQuTGlRQB
> +UEh5Q3bdYKeauw3E9kBaYMYu19223XsAyuvs7/nB02DV6dFjTCGLsrv3JEgf+Wx6
> +biCfoOrR1Kt2ez8QR9/6TIbz36kc2Jo3m2jKqUrNx1/gLj+coklSET09IwRZ0voi
> +7ype+4mHFEzwiSxmugLfdnU8d9PkzFzUiu3qSYeD2DR9hBgnZtgu0fFnSCmqFDXG
> +H1yWy6X6Wiqx6abPVq1ODZgeTmsjJsMLDB6PUbQyESp9ICRJyPPCrMi6UpLrWMto
> +A764n5w8B2g/GPJfz1sPePZYi6sumd9UqTQ8UhM644oOlxPWufiBeTiPm1W73PSZ
> +6DmLyVEh+kcfID6xq3tWVAuiPO1jMpQGoLKXO7oxGvmTNY/Va++j22DpzNoj1hTJ
> +cnFOQZARKrSooAnngwUP68tGVo/+fxzWG95t7IZy8BvszP09VT1jcHOfFIZqHa/V
> +rI/JrWSK+tu75Ot63QQpm1x7xSctMZg71w7riVipA+8F1FBdmp+lhOQkEMytngIA
> +jKovkuwo8AiQvYCDspEcGSroQmOh1d5TraRyhTuRdiefLVSh05kVGCd6/UsVqdZs
> +j+HEyepn4/A9xpHRBTWfCwBFFktAgSdCUOLh5xsT2MbbT/0wDoneD/uay0NakWXB
> +zuVsaasx0Yl2cqvXKVUMphmbqMa859BNVqEK3l3tYZdvHiwT8J1LnEEK4KiBa2zZ
> ++8FcFvD8x1NZBcCBArYP59MbCQOC2QBPJe/oCiUVhN8kRIwlwOhytbW+QIuLZHi4
>  -----END RSA PRIVATE KEY-----
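Review bot: the `DEK-Info: AES-256-CBC,...` header means this key still uses OpenSSL's traditional PEM encryption, whose key derivation is a single MD5 pass over the passphrase and salt; swapping AES-128 for AES-256 does not change that. It is fine for a fixture whose passphrase (`1234`) is printed in the README, but since the README is the recipe people will copy, it is worth a sentence there that real keys should be wrapped as PKCS#8 with a proper KDF (`openssl pkcs8 -topk8 -v2 aes-256-cbc`), or at least that the cipher name here is not a security statement.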
> diff --git a/tests/sslcerts/priv.pem b/tests/sslcerts/priv.pem
> --- a/tests/sslcerts/priv.pem
> +++ b/tests/sslcerts/priv.pem
> @@ -1,10 +1,27 @@
> ------BEGIN PRIVATE KEY-----
> -MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
> -aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
> -j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
> -EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
> -MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
> -+wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
> -aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
> -HY8gUVkVRVs=
> ------END PRIVATE KEY-----
> +-----BEGIN RSA PRIVATE KEY-----
> +MIIEpQIBAAKCAQEA2Ugt7jQrD+u+JtIfXZpVepzOAufcX4CMoHV95qZXZml2juGp
> +x3T7wjQPB/IPoOpRG9CoCaekKK+bIqQX1qNuiUa2CsqchNQcua2js5DTttmRYC+f
> +wHaQc0UY1QKe/0r8NFX1XoeIWfuL+0UAERoI1zmhu9px5326C7PoyBPIubT0ejLV
> +LfciFgyHDmqvYGu6cUBpNFrAi8csPNGcyie1Axh0wZ/9jvHdN+iGmaV9GZObGv0G
> +ZpbWlJm8fG+mH1qMFYA6mnknJbEBBTnV0IWdGJalGnz+5GfCvhxzYcEWmLDeO/7F
> +NrWMVT9L8Ky65cygCeJ4lEW1XB1w/6rQYjaSnwIDAQABAoIBAAwDAH8FpUfJCYcN
> +4KwFByqzFnR0qusgqSWJuT8R/QztUZ+OfBtJrU1MIXSX/iMwMPGvtEpsWRfitVnR
> +5nt4J3kxTokEMGjrbPca0Uzw+bNHDdFacKNsKookzL2h2nZUh+LAycLDDVekH1Xx
> +t5I6dTiot/cxmVBp0+ontPuylEsnyrQio6eljBfPzxBdRp2lkiymKf3jvbGXRnZ4
> +jSFTRuUlbnVbZ3CKnFPU+d5tvn2nEwU/DVbGpJNZAPl99Q0XUcNF3AtGlwGMvi0X
> +azcIIOn+swLjn+U2S6i3K234ItYS5I+c9Xi+9DO4fuVko+CQ8PWXP2HdAze7DENc
> +zADmd0kCgYEA7nN+qUFAmMOcRE8nSNLt7mcwq6fYQ1MVGikCIXn/PI/wfEqY0lws
> +ZhwykBXog0S7PzYkR3LcDOqN0wDcdJ3K4c/a6Z6IqbXMgxaosYfHCCMtdhy0g0F2
> +ek0SaY3WQhpFRIG19hvB+ZJSc7JQt+TaXeb8HM1452kmOLpfQGiqqTsCgYEA6UXZ
> +bI7c2jO1X+rWF2tZfZdtdeVrIVcm8BunF7ETC4iK/iH2phRQQAh4TFZm6wkX57Tv
> +LKDGxmohFlEK7FOtSCeSSVfkvZYRBuHOYcwBgBr1XzXXjHcMoyr0+LflZysht151
> +9F0hJwdGQZrivZnv9clJ632RlgE4XlPGskQhRe0CgYEAxVGdhsIQilmUfpJhl8m0
> +SovpoqKKO2wNElDNCpbBt4QFJVU1kR3lP7olvUXj2nyN1okfDGDn52hRZEJaK8ZH
> +lQVDyf7+aDGgwvmFLyOEeB9kB1FJrzQErsAIdICCxMCogUA1KytdIQEMaeEtGn+u
> +k/YIumztl9FTZ64SFGKIlvECgYEA25Kb7csrp1g0yWxKyRCK0+TNa8Pe6ysVw7zD
> +s1FCFAEak8t0Vy+Xui4+zdwmU+XjUn7FAsTzVaBgNJlkJr88xEY7ND4/WRUAQfIa
> +SYO1hdfaTxxnIBiPFKdCnzq5/DplKi0H6lQe+JWoU+hutPlJHZmysq8ncoMDhAZn
> +aTUn/KECgYEAvxGaWt4Fn2tRrHeaG0qT+nMBxd8cTiFInOcYDeS/FlQo3DTDK2Ai
> +qLBa4DinnGN2hSKwnN3R5R2VRxk4I6+ljG0yuNBhJBcAgAFpnHfkuY1maQJB+1xY
> +A07WcM4J3yuPfjcDkipNFQa4Y8oJCaS2yiOPvlUfNQrCLAV+YqHZiiQ=
> +-----END RSA PRIVATE KEY-----
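Review bot: the server key changes encoding from PKCS#8 (`-----BEGIN PRIVATE KEY-----`) to the traditional PKCS#1 form (`-----BEGIN RSA PRIVATE KEY-----`) as a side effect of replacing `openssl req -newkey` with `openssl genrsa`. Every OpenSSL-based loader the tests go through accepts both, so nothing should break, but the commit message does not mention the format change; either note it there or add `openssl pkcs8 -topk8 -nocrypt` to the README so the previous format is kept and the diff stays a pure key-size upgrade.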
> diff --git a/tests/sslcerts/pub-expired.pem
> b/tests/sslcerts/pub-expired.pem
> --- a/tests/sslcerts/pub-expired.pem
> +++ b/tests/sslcerts/pub-expired.pem
> @@ -1,10 +1,20 @@
>  -----BEGIN CERTIFICATE-----
>
> -MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
>
> -aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
>
> -NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
>
> -c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
>
> -EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
>
> -+ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
>
> -BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
> -2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
> +MIIDNTCCAh2gAwIBAgIJANRJCnkBtkkOMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV
> +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2
> +MDEwMTA4MDAzMFoXDTE2MDEwMjA4MDAzMFowMTESMBAGA1UEAwwJbG9jYWxob3N0
> +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA
> +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO
> +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg
> +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6
> +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa
> +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47
> +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW
> +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p
> +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBnY2r60iGg
> +0BqR5vOj//XjS1FZKNG6+n3MKgxBY3pqFbqsCJfX5GfWD3GHJRXzv3p1MXIP3BWj
> +zFutg+FE2QChQFwZjJu3E1VnIZN5ytYBltGHwaCEUdGq9sAZ9R2Jdf8xhQa5h+1U
> +NZJvYbhCyecnUh2/Dkj2pFoF7wv7BtWFJV20WzHesN/Dik51cr6yFSn4nJb6YAMw
> +t4/Vnf24v36WwnBoO5VqO+ntISTD6CS3EE5Gqv2ZMQtFaMoRfKIBaDIKHvbYeXdX
> +2gDTKWnS5KJYWmsl6N2CPjrHJJphaFGSKFAivmT24Q+JSKcC9hww7gvnGcVmsFan
> +H5xwzFQW2cna
>  -----END CERTIFICATE-----
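Review bot: the committed certificate's validity decodes to 2016-01-01 08:00:30Z through 2016-01-02 08:00:30Z, whereas the README recipe sets the clock to `2016-01-01T00:00:00Z`. An 08:00 UTC start is what you get from the `timedatectl set-time '2016-01-01 00:00:00'` variant interpreted in local Pacific time, so the cert was evidently produced with one method and the README documents the other. Harmless for an "expired" fixture, but the README should show one recipe that actually yields the committed bytes, with the timezone spelled out, so the next regeneration does not silently drift.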
> diff --git a/tests/sslcerts/pub-not-yet.pem
> b/tests/sslcerts/pub-not-yet.pem
> --- a/tests/sslcerts/pub-not-yet.pem
> +++ b/tests/sslcerts/pub-not-yet.pem
> @@ -1,10 +1,20 @@
>  -----BEGIN CERTIFICATE-----
>
> -MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
>
> -aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
>
> -NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
>
> -c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
>
> -EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
>
> -+ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
>
> -BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
> -/12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
> +MIIDNTCCAh2gAwIBAgIJAJvD5nejIHr2MA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV
> +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTMw
> +MDEwMTA4MDAwOFoXDTMwMDEwMjA4MDAwOFowMTESMBAGA1UEAwwJbG9jYWxob3N0
> +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA
> +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO
> +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg
> +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6
> +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa
> +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47
> +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW
> +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p
> +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC0VDzAqPiL
> +6U8yqaQqXdS6iK49yDQe9qzxzNnAZnj4YCsa5+qYSf+jl49Rak+pGw3AmN9gl6xq
> +aaP5xAlS8F0lnfZ5NcXmmp4Lt25qdu9J9qIPEAL4/ucirDr/cphCbDtzaWsrfi9j
> +YjVzSqoSEdnV1x9GkkLVwQRmA+D/2+95pgx6UNchqMbXuEQkAv9kVOzSG62OOAzO
> +z2Wct6b+DFbfFI0xcvKeJRGogjkd5QrF1XxU7e5u17DAN7/nhahv43ol3eC/fUiH
> +ITZpEc+/WdVtUwZQtoEQuBLB1Mc8QvYUUksUv9+KVjZ4o2oqApup7k7oMSPYNPTf
> +2O99CXjOCl9k
>  -----END CERTIFICATE-----
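Review bot: the not-yet-valid fixture decodes to a validity window of 2030-01-01 08:00:08Z through 2030-01-02 08:00:08Z (the README's `-days 1` with the clock set to 2030), so from 2030-01-02 onward it silently becomes a second expired certificate. A test that asserts on the generic `certificate verify failed` message would keep passing for the wrong reason, and any future check that distinguishes "not yet valid" from "expired" would start failing without an obvious cause. Setting the clock to a year well past pub.pem's own 2041 expiry costs nothing, and the chosen date belongs in the README next to the command so the time bomb is visible rather than buried in DER.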
> diff --git a/tests/sslcerts/pub-other.pem b/tests/sslcerts/pub-other.pem
> --- a/tests/sslcerts/pub-other.pem
> +++ b/tests/sslcerts/pub-other.pem
> @@ -1,11 +1,20 @@
>  -----BEGIN CERTIFICATE-----
> -MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
> -BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
> -MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
> -MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
> -ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
> -K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
> -y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
> -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
> -bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
> +MIIDNTCCAh2gAwIBAgIJAMXBgtbkFDfwMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV
> +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2
> +MDcxMzA0MTcyOFoXDTQxMDMwNDA0MTcyOFowMTESMBAGA1UEAwwJbG9jYWxob3N0
> +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA
> +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO
> +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg
> +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6
> +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa
> +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47
> +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW
> +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p
> +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDLxD+Q90Ue
> +zrkmq964pzl+9zd0Y1ODSBnwaZfJxaoyFwRpYva1GYyz2CnJZEDjh8nUbo/jmEU1
> +9D91YT8e3plgcpsuxp0YhCUJbTz56k2OOq/MyrX+KgrC2VAdGbhr/C3hNkGKBzdu
> ++8p+z3jBUkiQFRb8xc485v1zkOX1lPN3tSAEOcja/lslmHV1UQhEYI/Ne2z/i/rQ
> +uVtC28dTHoPnJykIhXBwgxuAL3G3eFpCRemHOyTlzNDQQxkgMNAYenutWpYXjM2Z
> +paplLANjV+X91wyAXZ1XZ+5m7yLA7463MwOPU3Ko+HcyKKjPO+wJwVJbEpXr3rPR
> +getT2CfPFLMe
>  -----END CERTIFICATE-----
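Review bot: pub-other.pem is now minted from the same priv.pem as pub.pem (the README runs both `openssl req -new -x509 -key priv.pem` commands against one key), and the hunk shows it: the subjectPublicKeyInfo block (`A4IBDwAwggEKAoIBAQDZSC3u...` through `...AgMBAAGjUDBO`) and the subject/authority key identifier lines (`BBT6fA08JcG+SWBN9Y+p575xcFfIVjAf...`) are byte-identical to the new pub.pem. The old pub-other.pem carried a distinct key (`ADBIAkEAsxsapLbHrqq...`), which is what made it a genuinely "other" certificate. The `web.cacerts="$CERTSDIR/pub-other.pem"` mismatch case in test-https.t still fails as expected, but only because OpenSSL requires a lone self-signed leaf to match its trust anchor exactly rather than merely be signed by the anchor's key; that is a narrower property than "different CA" and is not what the test name promises. Generating pub-other.pem from its own `openssl genrsa -out priv-other.pem 2048` restores the original meaning at the cost of one extra file.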
> diff --git a/tests/sslcerts/pub.pem b/tests/sslcerts/pub.pem
> --- a/tests/sslcerts/pub.pem
> +++ b/tests/sslcerts/pub.pem
> @@ -1,11 +1,20 @@
>  -----BEGIN CERTIFICATE-----
> -MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
> -BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
> -MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
> -MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
> -ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
> -6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
> -r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
> -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
> -t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
> +MIIDNTCCAh2gAwIBAgIJAJ12yUL2zGhzMA0GCSqGSIb3DQEBCwUAMDExEjAQBgNV
> +BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTE2
> +MDcxMzA0MTcxMloXDTQxMDMwNDA0MTcxMlowMTESMBAGA1UEAwwJbG9jYWxob3N0
> +MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA
> +A4IBDwAwggEKAoIBAQDZSC3uNCsP674m0h9dmlV6nM4C59xfgIygdX3mpldmaXaO
> +4anHdPvCNA8H8g+g6lEb0KgJp6Qor5sipBfWo26JRrYKypyE1By5raOzkNO22ZFg
> +L5/AdpBzRRjVAp7/Svw0VfVeh4hZ+4v7RQARGgjXOaG72nHnfboLs+jIE8i5tPR6
> +MtUt9yIWDIcOaq9ga7pxQGk0WsCLxyw80ZzKJ7UDGHTBn/2O8d036IaZpX0Zk5sa
> +/QZmltaUmbx8b6YfWowVgDqaeSclsQEFOdXQhZ0YlqUafP7kZ8K+HHNhwRaYsN47
> +/sU2tYxVP0vwrLrlzKAJ4niURbVcHXD/qtBiNpKfAgMBAAGjUDBOMB0GA1UdDgQW
> +BBT6fA08JcG+SWBN9Y+p575xcFfIVjAfBgNVHSMEGDAWgBT6fA08JcG+SWBN9Y+p
> +575xcFfIVjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCzJhM/OBoS
> +JXnjfLhZqi6hTmx1XC7MR05z4fWdyBhZx8PwSDEjxAj/omAm2RMEx/Fv1a7FO6hd
> +ClYsxxSfWJO7NQ3V4YLn9AvNr5gcxuXV/4bTtEFNebuzhV06u5nH7pGbHbkxCI+u
> +QekmRTvKIojr8F44cyszEk+MZQ5bFBElByjVzgXNvAaDP0ryUL5eQhLrkuwbNFLQ
> +mFf7EaerMuM28x1knhiH/39s7t92CJgm9+D60TmJ4XXwue1gZ0v9MVS18iOuWyio
> +BklppJsdtDLxHTHGNlBeHdam5VejbXRo7s0y5OfuATwlgcaCMYC/68hVJYwl/GZ7
> +3YpdNpMshSaE
>  -----END CERTIFICATE-----
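Review bot: the regenerated server certificate still names the host only through the subject (`CN=localhost`, `emailAddress=hg@localhost`, from `...MTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3Qw`), and its extension block (`AgMBAAGjUDBOMB0GA1UdDgQW...`) carries only subjectKeyIdentifier, authorityKeyIdentifier and basicConstraints, with no subjectAltName. The hostname cases in test-https.t ("certificate is for localhost", "fails when cert doesn't match hostname") therefore exercise the CN fallback, which stricter verifiers have been phasing out in favour of SAN-only matching. Since the stated goal is fixtures that "match the realities of the times", adding `subjectAltName = DNS:localhost` through an openssl config file (and documenting it in the README) would keep these tests meaningful against verifiers that ignore CN. Note also that basicConstraints asserts CA:TRUE (`jAMBgNVHRMEBTADAQH/`), as before; that is what lets this certificate sign client-cert.pem, so it should not be tightened without regenerating the client cert too.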
> diff --git a/tests/test-https.t b/tests/test-https.t
> --- a/tests/test-https.t
> +++ b/tests/test-https.t
> @@ -67,32 +67,32 @@ we are able to load CA certs.
>    abort: error: *certificate verify failed* (glob)
>    [255]
>  #endif
>
>  #if no-sslcontext osx
>    $ hg clone https://localhost:$HGPORT/ copy-pull
>    (unable to load CA certificates; see
> https://mercurial-scm.org/wiki/SecureConnections for how to configure
> Mercurial to avoid this message)
>    abort: localhost certificate error: no certificate received
> -  (set
> hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
> config setting or use --insecure to connect insecurely)
> +  (set
> hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
> config setting or use --insecure to connect insecurely)
>    [255]
>  #endif
>
>  #if defaultcacertsloaded
>    $ hg clone https://localhost:$HGPORT/ copy-pull
>    (using CA certificates from *; if you see this message, your Mercurial
> install is not properly configured; see
> https://mercurial-scm.org/wiki/SecureConnections for how to configure
> Mercurial to avoid this message) (glob) (?)
>    abort: error: *certificate verify failed* (glob)
>    [255]
>  #endif
>
>  #if no-defaultcacerts
>    $ hg clone https://localhost:$HGPORT/ copy-pull
>    (unable to load * certificates; see
> https://mercurial-scm.org/wiki/SecureConnections for how to configure
> Mercurial to avoid this message) (glob) (?)
>    abort: localhost certificate error: no certificate received
> -  (set
> hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
> config setting or use --insecure to connect insecurely)
> +  (set
> hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
> config setting or use --insecure to connect insecurely)
>    [255]
>  #endif
>
>  Specifying a per-host certificate file that doesn't exist will abort
>
>    $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist
> clone https://localhost:$HGPORT/
>    abort: path specified by hostsecurity.localhost:verifycertsfile does
> not exist: /does/not/exist
>    [255]
> @@ -141,31 +141,31 @@ A per-host certificate with multiple cer
>    requesting all changes
>    adding changesets
>    adding manifests
>    adding file changes
>    added 1 changesets with 4 changes to 4 files
>
>  Defining both per-host certificate and a fingerprint will print a warning
>
> -  $ hg --config
> hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config
> hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
> clone -U https://localhost:$HGPORT/ caandfingerwarning
> +  $ hg --config
> hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config
> hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
> clone -U https://localhost:$HGPORT/ caandfingerwarning
>    (hostsecurity.localhost:verifycertsfile ignored when host fingerprints
> defined; using host fingerprints for verification)
>    requesting all changes
>    adding changesets
>    adding manifests
>    adding file changes
>    added 1 changesets with 4 changes to 4 files
>
>    $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
>
>  Inability to verify peer certificate will result in abort
>
>    $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
>    abort: unable to verify security of localhost (no loaded CA
> certificates); refusing to connect
> -  (see https://mercurial-scm.org/wiki/SecureConnections for how to
> configure Mercurial to avoid this error or set
> hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
> to trust this server)
> +  (see https://mercurial-scm.org/wiki/SecureConnections for how to
> configure Mercurial to avoid this error or set
> hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
> to trust this server)
>    [255]
>
>    $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
>    warning: connection security to localhost is disabled per current
> settings; communication is susceptible to eavesdropping and tampering
>    requesting all changes
>    adding changesets
>    adding manifests
>    adding file changes
> @@ -187,17 +187,17 @@ Inability to verify peer certificate wil
>  pull without cacert
>
>    $ cd copy-pull
>    $ echo '[hooks]' >> .hg/hgrc
>    $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
>    $ hg pull $DISABLECACERTS
>    pulling from https://localhost:$HGPORT/
>    abort: unable to verify security of localhost (no loaded CA
> certificates); refusing to connect
> -  (see https://mercurial-scm.org/wiki/SecureConnections for how to
> configure Mercurial to avoid this error or set
> hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
> to trust this server)
> +  (see https://mercurial-scm.org/wiki/SecureConnections for how to
> configure Mercurial to avoid this error or set
> hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
> to trust this server)
>    [255]
>
>    $ hg pull --insecure
>    pulling from https://localhost:$HGPORT/
>    warning: connection security to localhost is disabled per current
> settings; communication is susceptible to eavesdropping and tampering
>    searching for changes
>    adding changesets
>    adding manifests
> @@ -251,17 +251,17 @@ empty cacert file
>  #endif
>
>  cacert mismatch
>
>    $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
>    > https://127.0.0.1:$HGPORT/
>    pulling from https://127.0.0.1:$HGPORT/
>    abort: 127.0.0.1 certificate error: certificate is for localhost
> -  (set
> hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
> config setting or use --insecure to connect insecurely)
> +  (set
> hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
> config setting or use --insecure to connect insecurely)
>    [255]
>    $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
>    > https://127.0.0.1:$HGPORT/ --insecure
>    pulling from https://127.0.0.1:$HGPORT/
>    warning: connection security to 127.0.0.1 is disabled per current
> settings; communication is susceptible to eavesdropping and tampering
>    searching for changes
>    no changes found
>    $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
> @@ -293,61 +293,61 @@ Test server cert which no longer is vali
>    > https://localhost:$HGPORT2/
>    pulling from https://localhost:$HGPORT2/
>    abort: error: *certificate verify failed* (glob)
>    [255]
>
>  Fingerprints
>
>  - works without cacerts (hostkeyfingerprints)
> -  $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config
> hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
> +  $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config
> hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
>    5fed3813f7f5
>
>  - works without cacerts (hostsecurity)
> -  $ hg -R copy-pull id https://localhost:$HGPORT/ --config
> hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
> +  $ hg -R copy-pull id https://localhost:$HGPORT/ --config
> hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
>    5fed3813f7f5
>
> -  $ hg -R copy-pull id https://localhost:$HGPORT/ --config
> hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
> +  $ hg -R copy-pull id https://localhost:$HGPORT/ --config
> hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
>    5fed3813f7f5
>
>  - multiple fingerprints specified and first matches
> -  $ hg --config
> 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca,
> deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
> --insecure
> +  $ hg --config
> 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03,
> deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
> --insecure
>    5fed3813f7f5
>
> -  $ hg --config
> 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca,
> sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
> https://localhost:$HGPORT/
> +  $ hg --config
> 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03,
> sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
> https://localhost:$HGPORT/
>    5fed3813f7f5
>
>  - multiple fingerprints specified and last matches
> -  $ hg --config
> 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
> 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
> --insecure
> +  $ hg --config
> 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
> ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
> --insecure
>    5fed3813f7f5
>
> -  $ hg --config
> 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
> sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id
> https://localhost:$HGPORT/
> +  $ hg --config
> 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
> sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id
> https://localhost:$HGPORT/
>    5fed3813f7f5
>
>  - multiple fingerprints specified and none match
>
>    $ hg --config
> 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
> aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
> --insecure
> -  abort: certificate for localhost has unexpected fingerprint
> 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
> +  abort: certificate for localhost has unexpected fingerprint
> ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
>    (check hostfingerprint configuration)
>    [255]
>
>    $ hg --config
> 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
> sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
> https://localhost:$HGPORT/
> -  abort: certificate for localhost has unexpected fingerprint
> sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
> +  abort: certificate for localhost has unexpected fingerprint
> sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
>    (check hostsecurity configuration)
>    [255]
>
>  - fails when cert doesn't match hostname (port is ignored)
> -  $ hg -R copy-pull id https://localhost:$HGPORT1/ --config
> hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
> -  abort: certificate for localhost has unexpected fingerprint
> 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
> +  $ hg -R copy-pull id https://localhost:$HGPORT1/ --config
> hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
> +  abort: certificate for localhost has unexpected fingerprint
> f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
>    (check hostfingerprint configuration)
>    [255]
>
>
>  - ignores that certificate doesn't match hostname
> -  $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config
> hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
> +  $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config
> hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
>    5fed3813f7f5
>
>  HGPORT1 is reused below for tinyproxy tests. Kill that server.
>    $ killdaemons.py hg1.pid
>
>  Prepare for connecting through proxy
>
>    $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
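Review bot: every updated pin in the match/no-match cases of this hunk is still a SHA-1 value (`hostfingerprints.localhost=ecd87cd6…` and `hostsecurity.localhost:fingerprints=sha1:ecd87cd6…`), so the "multiple fingerprints specified and first/last/none match" cases only exercise the legacy hash even though the certificates now carry a SHA-256 digest; the sha256 value `20:de:b3:ad:…:af:7e` is already pinned once at the top of this hunk, so consider adding a `sha256:` variant of at least the "first matches" and "none match" cases so the multi-fingerprint parsing and the abort message are also covered for the modern hash.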
> @@ -369,17 +369,17 @@ Test unvalidated https through proxy
>
>  Test https with cacert and fingerprint through proxy
>
>    $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
>    > --config web.cacerts="$CERTSDIR/pub.pem"
>    pulling from https://localhost:$HGPORT/
>    searching for changes
>    no changes found
> -  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull
> https://127.0.0.1:$HGPORT/ --config
> hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
> +  $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull
> https://127.0.0.1:$HGPORT/ --config
> hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
>    pulling from https://127.0.0.1:$HGPORT/
>    searching for changes
>    no changes found
>
>  Test https with cert problems through proxy
>
>    $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
>    > --config web.cacerts="$CERTSDIR/pub-other.pem"
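Review bot: the fingerprint case through the proxy is only updated for `hostfingerprints.127.0.0.1=ecd87cd6…`; unlike the direct-connection block above, there is no `hostsecurity.127.0.0.1:fingerprints=` counterpart here, so pinning through `http_proxy` is never tested with the newer config key or with a sha256 value; consider adding one proxied pull with `--config hostsecurity.127.0.0.1:fingerprints=sha256:20:de:b3:…:af:7e` for parity with the non-proxy cases.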
> diff --git a/tests/test-patchbomb-tls.t b/tests/test-patchbomb-tls.t
> --- a/tests/test-patchbomb-tls.t
> +++ b/tests/test-patchbomb-tls.t
> @@ -92,17 +92,17 @@ Without certificates:
>    $ try --debug
>    this patch series consists of 1 patches.
>
>
>    (using smtps)
>    sending mail: smtp host localhost, port * (glob)
>    (verifying remote certificate)
>    abort: unable to verify security of localhost (no loaded CA
> certificates); refusing to connect
> -  (see https://mercurial-scm.org/wiki/SecureConnections for how to
> configure Mercurial to avoid this error or set
> hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
> to trust this server)
> +  (see https://mercurial-scm.org/wiki/SecureConnections for how to
> configure Mercurial to avoid this error or set
> hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
> to trust this server)
>    [255]
>
>  With global certificates:
>
>    $ try --debug --config web.cacerts="$CERTSDIR/pub.pem"
>    this patch series consists of 1 patches.
>
>
>
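Review bot: the expected abort hint hard-codes the full sha256 fingerprint `20:de:b3:ad:…:af:7e`, which is the same value the test-https.t hunks above embed, so the next time pub.pem is regenerated both files must be updated in lockstep; consider recording, next to the certificate-generation instructions this series updates, which `.t` files embed the certificate fingerprints, so a regeneration does not leave one of them stale.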