changeset 30222:7b428b00a1d4 stable

commands: print security protocol support in debuginstall Over the past week I've had to instruct multiple people to run Python code to query the ssl module to see what TLS protocol support is present. I think it would be useful for `hg debuginstall` to print this info to make it easier to access and debug why Mercurial is complaining about using an insecure TLS 1.0 protocol. Ideally we'd also print the path to the CA cert bundle. But the APIs for querying that in sslutil can emit warnings, making it slightly more difficult to integrate into `hg debuginstall`. That work will have to wait for another day.
author Gregory Szorc <gregory.szorc@gmail.com>
date Wed, 19 Oct 2016 15:07:11 -0700
parents f2c5b9d48b29
children 76c57e1fe79b
files mercurial/commands.py tests/test-install.t
diffstat 2 files changed, 30 insertions(+), 0 deletions(-) [+]
--- a/mercurial/commands.py	Tue Oct 18 17:44:42 2016 -0700
+++ b/mercurial/commands.py	Wed Oct 19 15:07:11 2016 -0700
@@ -68,6 +68,7 @@
     setdiscovery,
     simplemerge,
     sshserver,
+    sslutil,
     streamclone,
     templatekw,
     templater,
@@ -2703,6 +2704,25 @@
     fm.write('pythonlib', _("checking Python lib (%s)...\n"),
              os.path.dirname(os.__file__))
 
+    security = set(sslutil.supportedprotocols)
+    if sslutil.hassni:
+        security.add('sni')
+
+    fm.write('pythonsecurity', _("checking Python security support (%s)\n"),
+             fm.formatlist(sorted(security), name='protocol',
+                           fmt='%s', sep=','))
+
+    # These are warnings, not errors. So don't increment problem count. This
+    # may change in the future.
+    if 'tls1.2' not in security:
+        fm.plain(_('  TLS 1.2 not supported by Python install; '
+                   'network connections lack modern security\n'))
+    if 'sni' not in security:
+        fm.plain(_('  SNI not supported by Python install; may have '
+                   'connectivity issues with some servers\n'))
+
+    # TODO print CA cert info
+
     # hg version
     hgver = util.version()
     fm.write('hgver', _("checking Mercurial version (%s)\n"),
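Review bot: The `fm.formatlist(sorted(security), name='protocol', ...)` call labels every entry as a `protocol`, but the `security` set also carries the `'sni'` capability flag, so structured consumers of the `pythonsecurity` field (JSON, templates) will see `sni` listed as if it were a TLS version next to `tls1.2`. If keeping them in one list is intentional, a comment on the set construction would save the next reader a detour, e.g. `# 'sni' is a capability, not a protocol, but is reported in the same list for brevity.`; otherwise a separate `sni` boolean field would keep the list homogeneous. The two `fm.plain` warnings are also invisible to structured output, which is presumably consistent with the other advisory messages in this command but means a tool parsing JSON must re-derive the TLS 1.2 / SNI verdicts from the list itself. The exact strings in `sslutil.supportedprotocols` are not visible here, so the `'tls1.2'` membership test is assumed to match that module's naming. The enclosing `debuginstall` body starts and ends outside this hunk.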
--- a/tests/test-install.t	Tue Oct 18 17:44:42 2016 -0700
+++ b/tests/test-install.t	Wed Oct 19 15:07:11 2016 -0700
@@ -4,6 +4,9 @@
   checking Python executable (*) (glob)
   checking Python version (2.*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
@@ -33,6 +36,7 @@
     "problems": 0,
     "pythonexe": "*", (glob)
     "pythonlib": "*", (glob)
+    "pythonsecurity": [*], (glob)
     "pythonver": "*.*.*", (glob)
     "templatedirs": "*mercurial?templates", (glob)
     "username": "test",
@@ -47,6 +51,9 @@
   checking Python executable (*) (glob)
   checking Python version (2.*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
@@ -71,6 +78,9 @@
   checking Python executable (*) (glob)
   checking Python version (*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)