sslutil: print a warning when using TLS 1.0 on legacy Python
Mercurial now requires TLS 1.1+ when TLS 1.1+ is supported by the
client. Since we made the decision to require TLS 1.1+ when running
with modern Python versions, it makes sense to do something for
legacy Python versions that only support TLS 1.0.
Feature parity would be to prevent TLS 1.0 connections out of the
box and require a config option to enable them. However, this is
extremely user hostile since Mercurial wouldn't talk to https://
by default in these installations! I can easily see how someone
would do something foolish like use "--insecure" instead - and
that would be worse than allowing TLS 1.0!
This patch takes the compromise position of printing a warning when
performing TLS 1.0 connections when running on old Python
versions. While this warning is no more annoying than the
CA certificate / fingerprint warnings in Mercurial 3.8, we provide
a config option to disable the warning because to many people
upgrading Python to make the warning go away is not an available
recourse (unlike pinning fingerprints is for the CA warning).
The warning appears as optional output in a lot of tests.
$ hg init
$ echo a > a
$ hg ci -Am0
adding a
$ hg -q clone . foo
$ touch .hg/store/journal
$ echo foo > a
$ hg ci -Am0
abort: abandoned transaction found!
(run 'hg recover' to clean up transaction)
[255]
$ hg recover
rolling back interrupted transaction
checking changesets
checking manifests
crosschecking files in changesets and manifests
checking files
1 files, 1 changesets, 1 total revisions
Check that zero-size journals are correctly aborted:
#if unix-permissions no-root
$ hg bundle -qa repo.hg
$ chmod -w foo/.hg/store/00changelog.i
$ hg -R foo unbundle repo.hg
adding changesets
abort: Permission denied: $TESTTMP/foo/.hg/store/.00changelog.i-* (glob)
[255]
$ if test -f foo/.hg/store/journal; then echo 'journal exists :-('; fi
#endif