It looks like python 3.10 returns a different reason code on protocol
version mismatch.
Details
Diff Detail
- Repository
- rHG Mercurial
- Branch
- default
- Lint
No Linters Available
- Unit
No Unit Test Coverage
| Status | Path | Packages |
|---|---|---|
| M | mercurial/sslutil.py (2 lines) | |
| M | tests/test-https.t (12 lines) | |
| Commit | Parents | Author | Summary | Date |
|---|---|---|---|---|
| ea76edd1770b | 1d8c66e342bf | Julien Cristau | sslutil: treat TLSV1_ALERT_PROTOCOL_VERSION error the same as… | Apr 9 2022, 8:41 AM |
| # Try to print more helpful error messages for known failures. | # Try to print more helpful error messages for known failures. | ||||
| if util.safehasattr(e, b'reason'): | if util.safehasattr(e, b'reason'): | ||||
| # This error occurs when the client and server don't share a | # This error occurs when the client and server don't share a | ||||
| # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 | # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 | ||||
| # outright. Hopefully the reason for this error is that we require | # outright. Hopefully the reason for this error is that we require | ||||
| # TLS 1.1+ and the server only supports TLS 1.0. Whatever the | # TLS 1.1+ and the server only supports TLS 1.0. Whatever the | ||||
| # reason, try to emit an actionable warning. | # reason, try to emit an actionable warning. | ||||
| if e.reason == 'UNSUPPORTED_PROTOCOL': | if e.reason in ('UNSUPPORTED_PROTOCOL', 'TLSV1_ALERT_PROTOCOL_VERSION'): | ||||
| # We attempted TLS 1.0+. | # We attempted TLS 1.0+. | ||||
| if settings[b'minimumprotocol'] == b'tls1.0': | if settings[b'minimumprotocol'] == b'tls1.0': | ||||
| # We support more than just TLS 1.0+. If this happens, | # We support more than just TLS 1.0+. If this happens, | ||||
| # the likely scenario is either the client or the server | # the likely scenario is either the client or the server | ||||
| # is really old. (e.g. server doesn't support TLS 1.0+ or | # is really old. (e.g. server doesn't support TLS 1.0+ or | ||||
| # client doesn't support modern TLS versions introduced | # client doesn't support modern TLS versions introduced | ||||
| # several years from when this comment was written). | # several years from when this comment was written). | ||||
| if supportedprotocols != {b'tls1.0'}: | if supportedprotocols != {b'tls1.0'}: | ||||
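Review bot: the comment block above the condition (the "This error occurs when the client and server don't share a common/supported SSL/TLS protocol" lines) still describes only the case where the local OpenSSL rejects the server's chosen version; TLSV1_ALERT_PROTOCOL_VERSION is the reason OpenSSL reports when the peer sends a protocol_version alert, i.e. the server refused the versions the client offered. Since the branch now handles both reasons, a short addition to that comment, e.g. `# TLSV1_ALERT_PROTOCOL_VERSION is the same mismatch, but reported by the` / `# peer via an alert (seen with Python 3.10) rather than by our OpenSSL.`, would keep the explanation accurate for the next reader. Also worth checking the new `if e.reason in ('UNSUPPORTED_PROTOCOL', 'TLSV1_ALERT_PROTOCOL_VERSION'):` line against the project's line-length limit: the tuple makes it considerably longer than the original comparison and the formatter may split it across lines.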
| 5fed3813f7f5 | 5fed3813f7f5 | ||||
| Clients requiring newer TLS version than what server supports fail | Clients requiring newer TLS version than what server supports fail | ||||
| $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ | ||||
| (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
| abort: error: .*(unsupported protocol|wrong ssl version).* (re) | abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) | ||||
| [100] | [100] | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ | ||||
| (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
| abort: error: .*(unsupported protocol|wrong ssl version).* (re) | abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) | ||||
| [100] | [100] | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ | ||||
| (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
| abort: error: .*(unsupported protocol|wrong ssl version).* (re) | abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) | ||||
| [100] | [100] | ||||
| $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ | ||||
| (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
| abort: error: .*(unsupported protocol|wrong ssl version).* (re) | abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) | ||||
| [100] | [100] | ||||
| --insecure will allow TLS 1.0 connections and override configs | --insecure will allow TLS 1.0 connections and override configs | ||||
| $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ | $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ | ||||
| warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering | ||||
| 5fed3813f7f5 | 5fed3813f7f5 | ||||
| The per-host config option overrides the default | The per-host config option overrides the default | ||||
| $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||||
| > --config hostsecurity.ciphers=DEFAULT \ | > --config hostsecurity.ciphers=DEFAULT \ | ||||
| > --config hostsecurity.minimumprotocol=tls1.2 \ | > --config hostsecurity.minimumprotocol=tls1.2 \ | ||||
| > --config hostsecurity.localhost:minimumprotocol=tls1.0 | > --config hostsecurity.localhost:minimumprotocol=tls1.0 | ||||
| 5fed3813f7f5 | 5fed3813f7f5 | ||||
| The per-host config option by itself works | The per-host config option by itself works | ||||
| $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | ||||
| > --config hostsecurity.localhost:minimumprotocol=tls1.2 | > --config hostsecurity.localhost:minimumprotocol=tls1.2 | ||||
| (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
| abort: error: .*(unsupported protocol|wrong ssl version).* (re) | abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) | ||||
| [100] | [100] | ||||
| .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) | .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) | ||||
| $ cat >> copy-pull/.hg/hgrc << EOF | $ cat >> copy-pull/.hg/hgrc << EOF | ||||
| > [hostsecurity] | > [hostsecurity] | ||||
| > localhost:minimumprotocol=tls1.2 | > localhost:minimumprotocol=tls1.2 | ||||
| > EOF | > EOF | ||||
| $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ | $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ | ||||
| (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | ||||
| (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | ||||
| (see https://mercurial-scm.org/wiki/SecureConnections for more info) | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | ||||
| abort: error: .*(unsupported protocol|wrong ssl version).* (re) | abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) | ||||
| [100] | [100] | ||||
| $ killdaemons.py hg0.pid | $ killdaemons.py hg0.pid | ||||
| $ killdaemons.py hg1.pid | $ killdaemons.py hg1.pid | ||||
| $ killdaemons.py hg2.pid | $ killdaemons.py hg2.pid | ||||
| #endif | #endif | ||||
| Prepare for connecting through proxy | Prepare for connecting through proxy | ||||
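Review bot: all five copies of the `abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)` expectation are updated consistently, and the new alternative matches the lower-cased text form of the new reason, so the regex change itself looks right. One thing to confirm in the summary: the `--insecure` case ("--insecure will allow TLS 1.0 connections and override configs") and the per-host `hostsecurity.localhost:minimumprotocol=tls1.0` override case still expect a successful TLS 1.0 handshake and are left unchanged here. On the same Python 3.10 that now produces the protocol_version alert for the mismatch cases, it would help to state whether these success cases still pass, or whether they are skipped by the conditional that the `#endif` at the end of this hunk closes, since a silently skipped block would hide a regression in the very configurations the error message tells users to fall back to.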