The default set of ciphers on python 3.10 is incompatible with old TLS
versions.
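As an added example (not Mercurial's code and not part of this revision), the snippet below shows what the summary line means in practice: it lists which of an `ssl.SSLContext`'s enabled suites a TLS 1.0/1.1 server could still select, for the interpreter's default context and for OpenSSL's plain `DEFAULT` cipher string (the value the test passes via `hostsecurity.ciphers=DEFAULT`). `SAMPLE_CIPHERS` is constructed sample data in the shape of `SSLContext.get_ciphers()` output; the `ssl` calls used (`create_default_context`, `set_ciphers`, `get_ciphers`) exist in Python 3.6 and later.

```python
"""Which cipher suites can a client context still use with a TLS 1.0/1.1 peer?

Added example, not Mercurial code. Python 3.10 tightened the cipher string
behind ssl.create_default_context(): suites with an SHA-1 MAC are excluded,
and every suite defined for TLS 1.0/1.1 uses an SHA-1 or MD5 MAC, so such a
context has nothing a legacy server can pick even when the protocol floor is
lowered. OpenSSL's plain "DEFAULT" string (what the test passes through
hostsecurity.ciphers=DEFAULT) puts those suites back.
"""
import ssl

# OpenSSL labels each suite with the protocol version that introduced it.
# "SSLv3" and "TLSv1.0" suites are the only ones a TLS 1.0/1.1 server can
# negotiate; "TLSv1.2" and "TLSv1.3" suites need those newer versions.
PRE_TLS12_PROTOCOLS = frozenset({"SSLv3", "TLSv1.0"})

# Constructed sample in the shape of SSLContext.get_ciphers() output, so the
# classifier can be exercised without depending on the local OpenSSL build.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "digest": None},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "digest": None},
    {"name": "ECDHE-RSA-AES128-SHA", "protocol": "TLSv1.0", "digest": "SHA1"},
    {"name": "AES256-SHA", "protocol": "SSLv3", "digest": "SHA1"},
]


def usable_below_tls12(ciphers):
    """Names of the suites a TLS 1.0/1.1 server could select from `ciphers`.

    `ciphers` is a list of dicts as returned by SSLContext.get_ciphers().
    """
    return [c["name"] for c in ciphers if c["protocol"] in PRE_TLS12_PROTOCOLS]


def client_context(cipher_string=None):
    """Default client context, optionally with an explicit OpenSSL cipher string.

    The protocol floor (hostsecurity.minimumprotocol in Mercurial terms) is a
    separate knob; get_ciphers() reports the enabled suites regardless of it.
    """
    ctx = ssl.create_default_context()
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)
    return ctx


def diagnose(ctx):
    """Count how many of the context's enabled suites work below TLS 1.2."""
    enabled = ctx.get_ciphers()
    legacy = usable_below_tls12(enabled)
    return {"enabled": len(enabled), "legacy": len(legacy), "names": legacy}


if __name__ == "__main__":
    print("constructed sample:", usable_below_tls12(SAMPLE_CIPHERS))
    for label, cs in (("interpreter default", None), ("DEFAULT", "DEFAULT")):
        d = diagnose(client_context(cs))
        verdict = "can" if d["legacy"] else "cannot"
        print(f"{label:19s}: {d['legacy']}/{d['enabled']} suites usable below "
              f"TLS 1.2 -> {verdict} reach a TLS 1.0/1.1 server")
```

Run under Python 3.10 or newer, the "interpreter default" line reports zero suites usable below TLS 1.2, which is exactly the failure the test works around; under `DEFAULT` the SHA-1 suites reappear. The override re-enables suites that were dropped for a reason, so outside a test it belongs in a per-host setting for the legacy servers that need it rather than in a global cipher string.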
Details

The default set of ciphers on python 3.10 is incompatible with old TLS
versions.

Diff Detail

- Repository: rHG Mercurial
- Branch: default
- Lint: No Linters Available
- Unit: No Unit Test Coverage
Path | Packages
---|---
M tests/test-https.t (5 lines) |

Commit | Parents | Author | Summary | Date
---|---|---|---|---
1d8c66e342bf | 64e663e923f1 | Julien Cristau | test: override default cipher selection when connecting to TLS 1.0/1.1 servers | Apr 9 2022, 8:28 AM
$ cat ../hg1.pid >> $DAEMON_PIDS | $ cat ../hg1.pid >> $DAEMON_PIDS | ||||
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ | $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ | ||||
> --config devel.serverexactprotocol=tls1.2 | > --config devel.serverexactprotocol=tls1.2 | ||||
$ cat ../hg2.pid >> $DAEMON_PIDS | $ cat ../hg2.pid >> $DAEMON_PIDS | ||||
$ cd .. | $ cd .. | ||||
Clients talking same TLS versions work | Clients talking same TLS versions work | ||||
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/ | ||||
5fed3813f7f5 | 5fed3813f7f5 | ||||
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/ | ||||
5fed3813f7f5 | 5fed3813f7f5 | ||||
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ | ||||
5fed3813f7f5 | 5fed3813f7f5 | ||||
Clients requiring newer TLS version than what server supports fail | Clients requiring newer TLS version than what server supports fail | ||||
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ | ||||
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||||
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ | $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ | ||||
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||||
5fed3813f7f5 | 5fed3813f7f5 | ||||
The per-host config option overrides the default | The per-host config option overrides the default | ||||
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||||
> --config hostsecurity.ciphers=DEFAULT \ | |||||
> --config hostsecurity.minimumprotocol=tls1.2 \ | > --config hostsecurity.minimumprotocol=tls1.2 \ | ||||
> --config hostsecurity.localhost:minimumprotocol=tls1.0 | > --config hostsecurity.localhost:minimumprotocol=tls1.0 | ||||
5fed3813f7f5 | 5fed3813f7f5 | ||||
The per-host config option by itself works | The per-host config option by itself works | ||||
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||||
> --config hostsecurity.localhost:minimumprotocol=tls1.2 | > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
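Review bot: the tls1.0 and tls1.1 client invocations now carry `--config hostsecurity.ciphers=DEFAULT`, but nothing in the test records why, so the next reader sees a cipher override in a protocol-negotiation test and cannot tell whether it weakens what is being verified. Suggest a comment above the "Clients talking same TLS versions work" block stating that Python 3.10's default cipher string contains no suites usable with TLS 1.0/1.1 servers and that `DEFAULT` restores OpenSSL's own list for these legacy-server cases only. The tls1.2 case against `$HGPORT2` correctly stays without the override; the `--insecure` case against `$HGPORT1` is left unchanged, and if it passes without `ciphers=DEFAULT` a sentence in the commit message saying why would help, since that is the path a user on 3.10 hitting a TLS 1.1 server will actually take. The summary implies the same incompatibility affects real clients, not only this test, so it is worth stating whether a follow-up in sslutil (choosing a cipher string when minimumprotocol is lowered below tls1.2) is planned or deliberately rejected.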