# HG changeset patch # User Gregory Szorc # Date 1476914831 25200 # Node ID 7b428b00a1d4e208557d46d207751fb135083097 # Parent f2c5b9d48b296fd8e9a25e533c770fd46d7c804f commands: print security protocol support in debuginstall Over the past week I've had to instruct multiple people to run Python code to query the ssl module to see what TLS protocol support is present. I think it would be useful for `hg debuginstall` to print this info to make it easier to access and debug why Mercurial is complaining about using an insecure TLS 1.0 protocol. Ideally we'd also print the path to the CA cert bundle. But the APIs for querying that in sslutil can emit warnings, making it slightly more difficult to integrate into `hg debuginstall`. That work will have to wait for another day.
diff -r f2c5b9d48b29 -r 7b428b00a1d4 mercurial/commands.py
--- a/mercurial/commands.py Tue Oct 18 17:44:42 2016 -0700
+++ b/mercurial/commands.py Wed Oct 19 15:07:11 2016 -0700
@@ -68,6 +68,7 @@
 setdiscovery,
 simplemerge,
 sshserver,
+ sslutil,
 streamclone,
 templatekw,
 templater,
@@ -2703,6 +2704,25 @@
 fm.write('pythonlib', _("checking Python lib (%s)...\n"),
 os.path.dirname(os.__file__))
+ security = set(sslutil.supportedprotocols)
+ if sslutil.hassni:
+ security.add('sni')
+
+ fm.write('pythonsecurity', _("checking Python security support (%s)\n"),
+ fm.formatlist(sorted(security), name='protocol',
+ fmt='%s', sep=','))
+
+ # These are warnings, not errors. So don't increment problem count. This
+ # may change in the future.
+ if 'tls1.2' not in security:
+ fm.plain(_(' TLS 1.2 not supported by Python install; '
+ 'network connections lack modern security\n'))
+ if 'sni' not in security:
+ fm.plain(_(' SNI not supported by Python install; may have '
+ 'connectivity issues with some servers\n'))
+
+ # TODO print CA cert info
+
 # hg version
 hgver = util.version()
 fm.write('hgver', _("checking Mercurial version (%s)\n"),
diff -r f2c5b9d48b29 -r 7b428b00a1d4 tests/test-install.t
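Review bot: In the second commands.py hunk, `'sni'` is added to the same set as the TLS protocol names and then emitted through `fm.formatlist(..., name='protocol', ...)`, so template and JSON consumers see SNI listed as if it were a protocol version. The two warnings are written only with `fm.plain`, and the problem count is deliberately left alone, so as far as this hunk shows, structured output carries no explicit signal that TLS 1.2 is missing; automation would have to search the `pythonsecurity` list itself. Consider building the list from `sslutil.supportedprotocols` only and reporting `sslutil.hassni` as a separate field. At minimum, extend the existing comment, e.g. `# Warnings are plain-output only; -T consumers must inspect 'pythonsecurity' themselves.` The enclosing function starts and ends outside the hunk.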
--- a/tests/test-install.t Tue Oct 18 17:44:42 2016 -0700
+++ b/tests/test-install.t Wed Oct 19 15:07:11 2016 -0700
@@ -4,6 +4,9 @@
 checking Python executable (*) (glob)
 checking Python version (2.*) (glob)
 checking Python lib (*lib*)... (glob)
+ checking Python security support (*) (glob)
+ TLS 1.2 not supported by Python install; network connections lack modern security (?)
+ SNI not supported by Python install; may have connectivity issues with some servers (?)
 checking Mercurial version (*) (glob)
 checking Mercurial custom build (*) (glob)
 checking module policy (*) (glob)
@@ -33,6 +36,7 @@
 "problems": 0,
 "pythonexe": "*", (glob)
 "pythonlib": "*", (glob)
+ "pythonsecurity": [*], (glob)
 "pythonver": "*.*.*", (glob)
 "templatedirs": "*mercurial?templates", (glob)
 "username": "test",
@@ -47,6 +51,9 @@
 checking Python executable (*) (glob)
 checking Python version (2.*) (glob)
 checking Python lib (*lib*)... (glob)
+ checking Python security support (*) (glob)
+ TLS 1.2 not supported by Python install; network connections lack modern security (?)
+ SNI not supported by Python install; may have connectivity issues with some servers (?)
 checking Mercurial version (*) (glob)
 checking Mercurial custom build (*) (glob)
 checking module policy (*) (glob)
@@ -71,6 +78,9 @@
 checking Python executable (*) (glob)
 checking Python version (*) (glob)
 checking Python lib (*lib*)... (glob)
+ checking Python security support (*) (glob)
+ TLS 1.2 not supported by Python install; network connections lack modern security (?)
+ SNI not supported by Python install; may have connectivity issues with some servers (?)
 checking Mercurial version (*) (glob)
 checking Mercurial custom build (*) (glob)
 checking module policy (*) (glob)
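Review bot: The new expectations in all four test-install.t hunks accept any content for the security line (`(*) (glob)`, and `[*]` in the JSON hunk) and mark both warnings optional with `(?)`, so the test passes whether or not the TLS 1.2 warning is printed and would also pass with an empty protocol list. Because this output exists to help diagnose insecure TLS setups, the warning logic deserves a check that can fail: if the test harness offers a feature-conditional block for TLS 1.2 support, require the warning line when the feature is absent and forbid it when present. The JSON expectation also keeps `"problems": 0` alongside the new field, which is worth a short comment in the test noting that a missing TLS 1.2 is intentionally not counted as a problem.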