[Bug 6061] New: tests fail with tls 1.0 and 1.1 disabled
mercurial-bugs at mercurial-scm.org
Thu Jan 24 19:26:41 UTC 2019
https://bz.mercurial-scm.org/show_bug.cgi?id=6061
Bug ID: 6061
Summary: tests fail with tls 1.0 and 1.1 disabled
Product: Mercurial
Version: stable branch
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: bug
Priority: wish
Component: Mercurial
Assignee: bugzilla at mercurial-scm.org
Reporter: durin42 at gmail.com
CC: mercurial-devel at mercurial-scm.org
Specifically test-https.t:
@@ -355,15 +355,11 @@
Setting ciphers to an invalid value aborts
$ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id
https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0);
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
- abort: could not set ciphers: No cipher can be selected.
- (change cipher string (invalid) in config)
- [255]
+ 5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R
copy-pull id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0);
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
- abort: could not set ciphers: No cipher can be selected.
- (change cipher string (invalid) in config)
- [255]
+ 5fed3813f7f5
Changing the cipher string works
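Review bot: both ciphers=invalid commands in this hunk now return 5fed3813f7f5 instead of aborting with "could not set ciphers" and [255], so an unusable hostsecurity.ciphers value is accepted silently on this setup. That is a different failure from the protocol-version aborts in the later hunks and deserves its own investigation. The test should keep asserting that an invalid cipher string is rejected, rather than having its expectation relaxed.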
@@ -461,9 +457,15 @@
Clients talking same TLS versions work
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id
https://localhost:$HGPORT/
- 5fed3813f7f5
+ (could not communicate with localhost using security protocols tls1.0,
tls1.1, tls1.2; if you are using a modern Mercurial version, consider
contacting the operator of this server; see
https://mercurial-scm.org/wiki/SecureConnections for more info)
+ abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+ [255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id
https://localhost:$HGPORT1/
- 5fed3813f7f5
+ (could not negotiate a common security protocol (tls1.1+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
+ (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
+ (see https://mercurial-scm.org/wiki/SecureConnections for more info)
+ abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+ [255]
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id
https://localhost:$HGPORT2/
5fed3813f7f5
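Review bot: the minimumprotocol=tls1.0 and minimumprotocol=tls1.1 cases in this hunk are expected to succeed unconditionally, but here both abort with UNSUPPORTED_PROTOCOL while the tls1.2 case still returns 5fed3813f7f5. These two cases should be made conditional on the local TLS library being able to negotiate the legacy versions. Separately, the hint printed for the tls1.1 case recommends setting hostsecurity.localhost:minimumprotocol=tls1.0, yet the minimumprotocol=tls1.0 case just above it aborts with the same error, so that advice is misleading on a system like this one.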
@@ -498,15 +500,18 @@
--insecure will allow TLS 1.0 connections and override configs
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure
https://localhost:$HGPORT1/
- warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
- 5fed3813f7f5
+ (could not communicate with localhost using security protocols tls1.0,
tls1.1, tls1.2; if you are using a modern Mercurial version, consider
contacting the operator of this server; see
https://mercurial-scm.org/wiki/SecureConnections for more info)
+ abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+ [255]
The per-host config option overrides the default
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.minimumprotocol=tls1.2 \
> --config hostsecurity.localhost:minimumprotocol=tls1.0
- 5fed3813f7f5
+ (could not communicate with localhost using security protocols tls1.0,
tls1.1, tls1.2; if you are using a modern Mercurial version, consider
contacting the operator of this server; see
https://mercurial-scm.org/wiki/SecureConnections for more info)
+ abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
+ [255]
The per-host config option by itself works
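Review bot: both cases in this hunk check an override rule (--insecure over minimumprotocol=tls1.2, and the per-host minimumprotocol over the global one) only through a connection that needs a legacy protocol, so with those protocols unavailable the abort hides whether the override was applied at all. In the --insecure case the expected "connection security to localhost is disabled" warning is also gone from the output. Consider exercising the override logic against a server the client can still reach, and keeping the legacy-protocol variants as conditional cases.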
@@ -624,7 +629,7 @@
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/
warning: connecting to localhost using legacy security technology (TLS 1.0);
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
- abort: error: *handshake failure* (glob)
+ abort: error: [SSL] tlsv13 alert certificate required (_ssl.c:1942)
[255]
with client certificate:
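Review bot: the expected line "abort: error: *handshake failure* (glob)" is too narrow for the output seen here, "[SSL] tlsv13 alert certificate required". The connection is still refused with [255] for lack of a client certificate, so the behaviour under test looks intact. Widen the glob or accept both messages so the check does not depend on the alert wording of one protocol version.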
fails that way on both Debian testing and FreeBSD 12.