Mercurial > hg
diff tests/test-https.t @ 29619:53e80179bd6a stable
sslutil: improve messaging around unsupported protocols (issue5303)
There are various causes for the inability to negotiate common SSL/TLS
protocol between client and server. Previously, we had a single, not
very actionable warning message for all of them.
As people encountered TLS 1.0 servers in real life, it was quickly
obvious that the existing messaging was inadequate to help users
rectify the situation.
This patch makes the warning messages much more verbose in hopes of
making them more actionable while simultaneously encouraging users
and servers to adopt better security practices.
This messaging flirts with the anti-pattern of "never blame the
user" by signaling out poorly-configured servers. But if we're going to
disallow TLS 1.0 by default, I think we need to say *something* or
people are just going to blame Mercurial for not being able to connect.
The messaging tries to exonerate Mercurial from being the at fault
party by pointing out the server is the entity that doesn't support
proper security (when appropriate, of course).
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Tue, 19 Jul 2016 21:09:58 -0700 |
| parents | 2960ceee1948 |
| children | dee24c87dbf0 |
line wrap: on
line diff
--- a/tests/test-https.t Tue Jul 19 20:30:29 2016 -0700 +++ b/tests/test-https.t Tue Jul 19 21:09:58 2016 -0700 @@ -469,20 +469,28 @@ Clients requiring newer TLS version than what server supports fail $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ - (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) + (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) + (see https://mercurial-scm.org/wiki/SecureConnections for more info) abort: error: *unsupported protocol* (glob) [255] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ - (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) + (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) + (see https://mercurial-scm.org/wiki/SecureConnections for more info) abort: error: *unsupported protocol* (glob) [255] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ - (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) + (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) + (see https://mercurial-scm.org/wiki/SecureConnections for more info) abort: error: *unsupported protocol* (glob) [255] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ - (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) + (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) + (see https://mercurial-scm.org/wiki/SecureConnections for more info) abort: error: *unsupported protocol* (glob) [255] @@ -503,7 +511,9 @@ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ > --config hostsecurity.localhost:minimumprotocol=tls1.2 - (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) + (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) + (see https://mercurial-scm.org/wiki/SecureConnections for more info) abort: error: *unsupported protocol* (glob) [255] @@ -514,7 +524,9 @@ > localhost:minimumprotocol=tls1.2 > EOF $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ - (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) + (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) + (see https://mercurial-scm.org/wiki/SecureConnections for more info) abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590) [255]