Mercurial > hg
diff tests/test-patchbomb-tls.t @ 29561:1a782fabf80d
sslutil: print a warning when using TLS 1.0 on legacy Python
Mercurial now requires TLS 1.1+ when TLS 1.1+ is supported by the
client. Since we made the decision to require TLS 1.1+ when running
with modern Python versions, it makes sense to do something for
legacy Python versions that only support TLS 1.0.
Feature parity would be to prevent TLS 1.0 connections out of the
box and require a config option to enable them. However, this is
extremely user hostile since Mercurial wouldn't talk to https://
by default in these installations! I can easily see how someone
would do something foolish like use "--insecure" instead - and
that would be worse than allowing TLS 1.0!
This patch takes the compromise position of printing a warning when
performing TLS 1.0 connections when running on old Python
versions. While this warning is no more annoying than the
CA certificate / fingerprint warnings in Mercurial 3.8, we provide
a config option to disable the warning because to many people
upgrading Python to make the warning go away is not an available
recourse (unlike pinning fingerprints is for the CA warning).
The warning appears as optional output in a lot of tests.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Wed, 13 Jul 2016 21:49:17 -0700 |
parents | 9d02bed8477b |
children | 6cff2ac0ccb9 |
line wrap: on
line diff
--- a/tests/test-patchbomb-tls.t Wed Jul 13 21:35:54 2016 -0700 +++ b/tests/test-patchbomb-tls.t Wed Jul 13 21:49:17 2016 -0700 @@ -58,6 +58,7 @@ this patch series consists of 1 patches. + warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) (?i)abort: .*?certificate.verify.failed.* (re) [255] @@ -95,6 +96,7 @@ (using smtps) sending mail: smtp host localhost, port * (glob) + warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) (verifying remote certificate) abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) @@ -108,6 +110,7 @@ (using smtps) sending mail: smtp host localhost, port * (glob) + warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) (verifying remote certificate) sending [PATCH] a ... @@ -117,6 +120,7 @@ this patch series consists of 1 patches. + warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) (?i)abort: .*?certificate.verify.failed.* (re) [255]