[Bug 6061] New: tests fail with tls 1.0 and 1.1 disabled

mercurial-bugs at mercurial-scm.org
Thu Jan 24 19:26:41 UTC 2019


https://bz.mercurial-scm.org/show_bug.cgi?id=6061

            Bug ID: 6061
           Summary: tests fail with tls 1.0 and 1.1 disabled
           Product: Mercurial
           Version: stable branch
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: bug
          Priority: wish
         Component: Mercurial
          Assignee: bugzilla at mercurial-scm.org
          Reporter: durin42 at gmail.com
                CC: mercurial-devel at mercurial-scm.org

Specifically test-https.t:

@@ -355,15 +355,11 @@
 Setting ciphers to an invalid value aborts
   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id
https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0);
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  abort: could not set ciphers: No cipher can be selected.
-  (change cipher string (invalid) in config)
-  [255]
+  5fed3813f7f5

   $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R
copy-pull id https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0);
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  abort: could not set ciphers: No cipher can be selected.
-  (change cipher string (invalid) in config)
-  [255]
+  5fed3813f7f5

 Changing the cipher string works

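Review bot: in both `ciphers=invalid` runs (the global `hostsecurity.ciphers` form and the per-host `hostsecurity.localhost:ciphers` form) the command now prints `5fed3813f7f5` where the test expected `abort: could not set ciphers`, so a cipher string that selects nothing is accepted and the connection goes ahead. That is a fail-open change in behaviour, unlike the protocol failures in the later hunks, so it should not be resolved by updating the expected output. Track it separately and keep an assertion that an unusable cipher string ends in `[255]`.
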
@@ -461,9 +457,15 @@
 Clients talking same TLS versions work

   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id
https://localhost:$HGPORT/
-  5fed3813f7f5
+  (could not communicate with localhost using security protocols tls1.0,
tls1.1, tls1.2; if you are using a modern Mercurial version, consider
contacting the operator of this server; see
https://mercurial-scm.org/wiki/SecureConnections for more info)
+  abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+  [255]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id
https://localhost:$HGPORT1/
-  5fed3813f7f5
+  (could not negotiate a common security protocol (tls1.1+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
+  (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
+  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
+  abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+  [255]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id
https://localhost:$HGPORT2/
   5fed3813f7f5

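Review bot: the `minimumprotocol=tls1.0` and `minimumprotocol=tls1.1` cases assume the local TLS stack can still negotiate those versions, and here both end in `UNSUPPORTED_PROTOCOL` while only the `tls1.2` case passes. Make these two cases conditional on TLS 1.0 and 1.1 being available instead of recording the abort as the expected result. If the abort line is ever matched, glob the `(_ssl.c:727)` suffix, since it is a source line number and not part of the error itself.
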
@@ -498,15 +500,18 @@
 --insecure will allow TLS 1.0 connections and override configs

   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure
https://localhost:$HGPORT1/
-  warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
-  5fed3813f7f5
+  (could not communicate with localhost using security protocols tls1.0,
tls1.1, tls1.2; if you are using a modern Mercurial version, consider
contacting the operator of this server; see
https://mercurial-scm.org/wiki/SecureConnections for more info)
+  abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+  [255]

 The per-host config option overrides the default

   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
   > --config hostsecurity.minimumprotocol=tls1.2 \
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
-  5fed3813f7f5
+  (could not communicate with localhost using security protocols tls1.0,
tls1.1, tls1.2; if you are using a modern Mercurial version, consider
contacting the operator of this server; see
https://mercurial-scm.org/wiki/SecureConnections for more info)
+  abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+  [255]

 The per-host config option by itself works

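Review bot: the per-host override case at the end of this hunk sets `hostsecurity.localhost:minimumprotocol=tls1.0` and still aborts with `UNSUPPORTED_PROTOCOL`, yet that is exactly the setting the hint text in the previous hunk tells users to apply. The `--insecure` case above it fails the same way, so its heading "will allow TLS 1.0 connections and override configs" does not hold on this setup. Both cases need the same availability guard as the previous hunk, and the hint wording is worth revisiting so it does not recommend a setting that cannot take effect here.
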
@@ -624,7 +629,7 @@

   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
   warning: connecting to localhost using legacy security technology (TLS 1.0);
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  abort: error: *handshake failure* (glob)
+  abort: error: [SSL] tlsv13 alert certificate required (_ssl.c:1942)
   [255]

 with client certificate:
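
Review bot: the expected line `abort: error: *handshake failure* (glob)` matches only one alert wording, and the failure now reads `tlsv13 alert certificate required`. The exit status `[255]` is unchanged, so the connection is still rejected and only the message differs. Loosen the match so that either wording is accepted, and glob the `(_ssl.c:1942)` suffix instead of pinning the line number.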


fails that way on both Debian testing and FreeBSD 12.
