[PATCH] sslutil: per-host config option to define certificates
Yuya Nishihara
yuya at tcha.org
Fri Jun 10 10:14:05 EDT 2016
On Thu, 9 Jun 2016 23:32:38 -0400, Augie Fackler wrote:
> On Tue, Jun 07, 2016 at 09:03:44PM -0700, Gregory Szorc wrote:
> > # HG changeset patch
> > # User Gregory Szorc <gregory.szorc at gmail.com>
> > # Date 1465356594 25200
> > # Tue Jun 07 20:29:54 2016 -0700
> > # Node ID 323f0c9c91e02be86bde60620cec5f38020f4c86
> > # Parent 1b3a0b0c414faa3d6d4dbcf4c5abbbe18aa9efd4
> > sslutil: per-host config option to define certificates
> > +A per-host certificate mismatching the server will fail verification
> > +
> > + $ hg --config hostsecurity.localhost:verifycertsfile=client-cert.pem clone https://localhost:$HGPORT/
> > + abort: error: *certificate verify failed* (glob)
> > + [255]
> > +
> > +A per-host certificate matching the server's cert will be accepted
> > +
> > + $ hg --config hostsecurity.localhost:verifycertsfile=pub.pem clone -U https://localhost:$HGPORT/ perhostgood1
> > + requesting all changes
> > + adding changesets
> > + adding manifests
> > + adding file changes
> > + added 1 changesets with 4 changes to 4 files
> > +
> > +A per-host certificate with multiple certs and one matching will be accepted
> > +
> > + $ cat client-cert.pem pub.pem > perhost.pem
> > + $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
> > + requesting all changes
> > + adding changesets
> > + adding manifests
> > + adding file changes
> > + added 1 changesets with 4 changes to 4 files
> > +
> > +Defining both per-host certificate and a fingerprint will print a warning
> > +
> > + $ hg --config hostsecurity.localhost:verifycertsfile=pub.pem --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca clone -U https://localhost:$HGPORT/ caandfingerwarning
> > + (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
> > + requesting all changes
> > + adding changesets
> > + adding manifests
> > + adding file changes
> > + added 1 changesets with 4 changes to 4 files
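Review bot: The warning case (verifycertsfile=pub.pem combined with fingerprints=sha1:...) does not show that the certificate file is actually ignored, because pub.pem is the same file the earlier case shows matching the server, so the clone would succeed under either verification path. Pairing the fingerprint with client-cert.pem, which the first case shows failing verification, would make this test fail if the precedence ever regressed. None of the cases covers a verifycertsfile path that does not exist or cannot be read; a test pinning down the abort message for that would be worth adding.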
Updated $CERTSDIR per my change.