This is an archive of the discontinued Mercurial Phabricator instance.

Differential D12490

test: override default cipher selection when connecting to TLS 1.0/1.1 servers
ClosedPublic

Authored by jcristau on Apr 9 2022, 8:44 AM.

Details

Reviewers
Alphare
Group Reviewers
hg-reviewers
Commits
rHG7ea2bd2043d1: test: override default cipher selection when connecting to TLS 1.0/1.1 servers
rHGf0da53eeed29: test: override default cipher selection when connecting to TLS 1.0/1.1 servers
Summary

The default set of ciphers on python 3.10 is incompatible with old TLS
versions.

Diff Detail

Repository
rHG Mercurial
Branch
default
Lint
No Linters Available
Unit
No Unit Test Coverage

Revision Contents
Changeset List

PathPackages
Mtests/test-https.t (5 lines)

Diff 32996

tests/test-https.t

$ cat ../hg1.pid >> $DAEMON_PIDS $ cat ../hg1.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.2 > --config devel.serverexactprotocol=tls1.2
$ cat ../hg2.pid >> $DAEMON_PIDS $ cat ../hg2.pid >> $DAEMON_PIDS
$ cd .. $ cd ..
Clients talking same TLS versions work Clients talking same TLS versions work
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
5fed3813f7f5 5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
5fed3813f7f5 5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
5fed3813f7f5 5fed3813f7f5
Clients requiring newer TLS version than what server supports fail Clients requiring newer TLS version than what server supports fail
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
5fed3813f7f5 5fed3813f7f5
The per-host config option overrides the default The per-host config option overrides the default
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.ciphers=DEFAULT \
> --config hostsecurity.minimumprotocol=tls1.2 \ > --config hostsecurity.minimumprotocol=tls1.2 \
> --config hostsecurity.localhost:minimumprotocol=tls1.0 > --config hostsecurity.localhost:minimumprotocol=tls1.0
5fed3813f7f5 5fed3813f7f5
The per-host config option by itself works The per-host config option by itself works
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:minimumprotocol=tls1.2 > --config hostsecurity.localhost:minimumprotocol=tls1.2