comparison tests/test-https.t @ 29619:53e80179bd6a stable

sslutil: improve messaging around unsupported protocols (issue5303)

There are various causes for the inability to negotiate a common SSL/TLS protocol between client and server. Previously, we had a single, not very actionable warning message for all of them. As people encountered TLS 1.0 servers in real life, it was quickly obvious that the existing messaging was inadequate to help users rectify the situation.

This patch makes the warning messages much more verbose in hopes of making them more actionable while simultaneously encouraging users and servers to adopt better security practices.

This messaging flirts with the anti-pattern of "never blame the user" by singling out poorly-configured servers. But if we're going to disallow TLS 1.0 by default, I think we need to say *something* or people are just going to blame Mercurial for not being able to connect. The messaging tries to exonerate Mercurial from being the at-fault party by pointing out the server is the entity that doesn't support proper security (when appropriate, of course).
author Gregory Szorc <gregory.szorc@gmail.com>
date Tue, 19 Jul 2016 21:09:58 -0700
parents 2960ceee1948
children dee24c87dbf0
29618:fbf4adc0d8f2 29619:53e80179bd6a
467 5fed3813f7f5 467 5fed3813f7f5
468 468
469 Clients requiring newer TLS version than what server supports fail 469 Clients requiring newer TLS version than what server supports fail
470 470
471 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ 471 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
472 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) 472 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
473 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
474 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
473 abort: error: *unsupported protocol* (glob) 475 abort: error: *unsupported protocol* (glob)
474 [255] 476 [255]
475 477
476 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ 478 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
477 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) 479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
478 abort: error: *unsupported protocol* (glob) 482 abort: error: *unsupported protocol* (glob)
479 [255] 483 [255]
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ 484 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
481 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) 485 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
486 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
487 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
482 abort: error: *unsupported protocol* (glob) 488 abort: error: *unsupported protocol* (glob)
483 [255] 489 [255]
484 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ 490 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
485 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) 491 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
492 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
493 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
486 abort: error: *unsupported protocol* (glob) 494 abort: error: *unsupported protocol* (glob)
487 [255] 495 [255]
488 496
489 --insecure will allow TLS 1.0 connections and override configs 497 --insecure will allow TLS 1.0 connections and override configs
490 498
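Review bot: the override the new message recommends, hostsecurity.localhost:minimumprotocol=tls1.0, is keyed by hostname only, so in the case that connects to https://localhost:$HGPORT1/ the same hint would also lower the floor for the server on $HGPORT and any other service reached as "localhost"; consider wording the hint so the user understands it applies to every port on that host, not just the one that failed. The ordering of the two remediation lines is right: "contacting the operator of this server" comes before the downgrade option, so the less secure path is not the first thing a user reads. The first expectation, with no minimumprotocol configured at all, now shows "(tls1.1+)" and therefore documents the default floor directly in the test, which is a useful side effect of the more verbose message.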
501 509
502 The per-host config option by itself works 510 The per-host config option by itself works
503 511
504 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ 512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
505 > --config hostsecurity.localhost:minimumprotocol=tls1.2 513 > --config hostsecurity.localhost:minimumprotocol=tls1.2
506 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) 514 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
515 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
516 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
507 abort: error: *unsupported protocol* (glob) 517 abort: error: *unsupported protocol* (glob)
508 [255] 518 [255]
509 519
510 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) 520 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
511 521
512 $ cat >> copy-pull/.hg/hgrc << EOF 522 $ cat >> copy-pull/.hg/hgrc << EOF
513 > [hostsecurity] 523 > [hostsecurity]
514 > localhost:minimumprotocol=tls1.2 524 > localhost:minimumprotocol=tls1.2
515 > EOF 525 > EOF
516 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ 526 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
517 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) 527 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
528 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
529 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
518 abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590) 530 abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590)
519 [255] 531 [255]
520 532
521 $ killdaemons.py hg0.pid 533 $ killdaemons.py hg0.pid
522 $ killdaemons.py hg1.pid 534 $ killdaemons.py hg1.pid
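Review bot: the final expectation in this hunk, `abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590)`, is matched literally while every other case in the file uses `abort: error: *unsupported protocol* (glob)`; the `_ssl.c:590` location is specific to one Python build and will differ on other interpreters, so this line should use the same glob form as its neighbours. Otherwise the .hg/hgrc case does what the comment claims: the per-repository [hostsecurity] section is honoured for the remote ui (issue5305), and the new message names the per-host key the user actually set, so the advice to relax it points at the right configuration entry.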