https://bz.mercurial-scm.org/show_bug.cgi?id=6061
Bug ID: 6061
Summary: tests fail with tls 1.0 and 1.1 disabled
Product: Mercurial
Version: stable branch
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: bug
Priority: wish
Component: Mercurial
Assignee: bugzi...@mercurial-scm.org
Reporter: duri...@gmail.com
CC: mercurial-devel@mercurial-scm.org

Specifically test-https.t:

@@ -355,15 +355,11 @@ Setting ciphers to an invalid value aborts $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) - abort: could not set ciphers: No cipher can be selected. - (change cipher string (invalid) in config) - [255] + 5fed3813f7f5 $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R copy-pull id https://localhost:$HGPORT/ warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) - abort: could not set ciphers: No cipher can be selected. - (change cipher string (invalid) in config) - [255] + 5fed3813f7f5 Changing the cipher string works 
@@ -461,9 +457,15 @@ Clients talking same TLS versions work $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ - 5fed3813f7f5 + (could not communicate with localhost using security protocols tls1.0, tls1.1, tls1.2; if you are using a modern Mercurial version, consider contacting the operator of this server; see https://mercurial-scm.org/wiki/SecureConnections for more info) + abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727) + [255] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ - 5fed3813f7f5 + (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) + (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) + (see https://mercurial-scm.org/wiki/SecureConnections for more info) + abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727) + [255] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ 5fed3813f7f5 
@@ -498,15 +500,18 @@ --insecure will allow TLS 1.0 connections and override configs $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ - warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering - 5fed3813f7f5 + (could not communicate with localhost using security protocols tls1.0, tls1.1, tls1.2; if you are using a modern Mercurial version, consider contacting the operator of this server; see https://mercurial-scm.org/wiki/SecureConnections for more info) + abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727) + [255] The per-host config option overrides the default $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ > --config hostsecurity.minimumprotocol=tls1.2 \ > --config hostsecurity.localhost:minimumprotocol=tls1.0 - 5fed3813f7f5 + (could not communicate with localhost using security protocols tls1.0, tls1.1, tls1.2; if you are using a modern Mercurial version, consider contacting the operator of this server; see https://mercurial-scm.org/wiki/SecureConnections for more info) + abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727) + [255] The per-host config option by itself works @@ -624,7 +629,7 @@ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ warning: connecting to localhost using legacy security technology (TLS 1.0); see https://mercurial-scm.org/wiki/SecureConnections for more info (?) - abort: error: *handshake failure* (glob) + abort: error: [SSL] tlsv13 alert certificate required (_ssl.c:1942) [255] with client certificate:

fails that way on both Debian testing and FreeBSD 12.
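
Review bot: in the @@ -355 hunk, both commands run with an invalid cipher string (hostsecurity.ciphers=invalid and hostsecurity.localhost:ciphers=invalid) now print 5fed3813f7f5 instead of "abort: could not set ciphers", so the property named in the section title, "Setting ciphers to an invalid value aborts", no longer holds on this platform. Before relaxing the expectation, confirm whether the configured cipher string is being applied at all on the affected builds; accepting the successful id as the new expected output would hide a configuration that is silently ignored.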
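
Review bot: in the @@ -461 hunk, the minimumprotocol=tls1.0 and minimumprotocol=tls1.1 cases abort with UNSUPPORTED_PROTOCOL while the tls1.2 case against $HGPORT2 still returns 5fed3813f7f5, so these two cases assume the local TLS library can still negotiate TLS 1.0 and 1.1. Make them conditional on that support rather than hard-coding a success. The hint printed for the tls1.1 case also recommends setting hostsecurity.localhost:minimumprotocol=tls1.0, a setting that the preceding case shows failing against $HGPORT on the same platform, so the advice is worth revisiting.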
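
Review bot: in the @@ -498 hunk, the --insecure case against $HGPORT1 loses the "connection security to localhost is disabled" warning together with the id, so on this platform the test no longer demonstrates that --insecure overrides hostsecurity.minimumprotocol=tls1.2. The per-host override case below it fails with the same UNSUPPORTED_PROTOCOL abort. Both depend on legacy-protocol servers and need the same platform condition as the minimumprotocol cases, with the warning line kept as a required expectation wherever the case does run.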
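
Review bot: in the @@ -624 hunk, the expectation "abort: error: *handshake failure* (glob)" is tied to one alert wording, and the new output is "[SSL] tlsv13 alert certificate required (_ssl.c:1942)". The connection is still refused when no client certificate is presented, so the behaviour under test is intact; widen the glob to accept either message instead of swapping one literal for another, and keep the "_ssl.c" line number out of the match, since the other aborts in this report show a different one (_ssl.c:727).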