Mercurial > hg

diff tests/test-patchbomb-tls.t @ 29561:1a782fabf80d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: print a warning when using TLS 1.0 on legacy Python Mercurial now requires TLS 1.1+ when TLS 1.1+ is supported by the client. Since we made the decision to require TLS 1.1+ when running with modern Python versions, it makes sense to do something for legacy Python versions that only support TLS 1.0. Feature parity would be to prevent TLS 1.0 connections out of the box and require a config option to enable them. However, this is extremely user hostile since Mercurial wouldn't talk to https:// by default in these installations! I can easily see how someone would do something foolish like use "--insecure" instead - and that would be worse than allowing TLS 1.0! This patch takes the compromise position of printing a warning when performing TLS 1.0 connections when running on old Python versions. While this warning is no more annoying than the CA certificate / fingerprint warnings in Mercurial 3.8, we provide a config option to disable the warning because to many people upgrading Python to make the warning go away is not an available recourse (unlike pinning fingerprints is for the CA warning). The warning appears as optional output in a lot of tests.
author Gregory Szorc <gregory.szorc@gmail.com>
date Wed, 13 Jul 2016 21:49:17 -0700
parents 9d02bed8477b
children 6cff2ac0ccb9
line wrap: on
line diff
--- a/tests/test-patchbomb-tls.t	Wed Jul 13 21:35:54 2016 -0700
+++ b/tests/test-patchbomb-tls.t	Wed Jul 13 21:49:17 2016 -0700
@@ -58,6 +58,7 @@
   this patch series consists of 1 patches.
   
   
+  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info
   (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   (?i)abort: .*?certificate.verify.failed.* (re)
   [255]
@@ -95,6 +96,7 @@
   
   (using smtps)
   sending mail: smtp host localhost, port * (glob)
+  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (verifying remote certificate)
   abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
   (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
@@ -108,6 +110,7 @@
   
   (using smtps)
   sending mail: smtp host localhost, port * (glob)
+  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (verifying remote certificate)
   sending [PATCH] a ...
 
@@ -117,6 +120,7 @@
   this patch series consists of 1 patches.
   
   
+  warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (?i)abort: .*?certificate.verify.failed.* (re)
   [255]