_sslutil__treat_TLSV1_ALERT_PROTOCOL_VERSION_error_the_same_as_UNSUPPORTED_PROTOCOL

# HG changeset patch
# User Julien Cristau <jcristau@debian.org>
# Date 1649508115 -7200
#      Sat Apr 09 14:41:55 2022 +0200
# Node ID 416d9bf1c5eaeba34bbc25baee37ae32e81d50f1
# Parent  41f738aed141d3a29c5ed5d33a9e79cad15b0669
sslutil: treat TLSV1_ALERT_PROTOCOL_VERSION error the same as UNSUPPORTED_PROTOCOL

It looks like python 3.10 returns a different reason code on protocol
version mismatch.

Differential Revision: https://phab.mercurial-scm.org/D12491

Gbp-Pq: Topic py310
Gbp-Pq: Name 6_sslutil__treat_TLSV1_ALERT_PROTOCOL_VERSION_error_the_same_as_UNSUPPORTED_PROTOCOL.patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index 26a8ec28717729fe7e8391b19e029cce079c61d9..714d0950e9aa71d94d9ca8b7d0de00c3777a2ff8 100644 (file)
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -419,7 +419,7 @@ def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
             # outright. Hopefully the reason for this error is that we require
             # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
             # reason, try to emit an actionable warning.
-            if e.reason == 'UNSUPPORTED_PROTOCOL':
+            if e.reason in ('UNSUPPORTED_PROTOCOL', 'TLSV1_ALERT_PROTOCOL_VERSION'):
                 # We attempted TLS 1.0+.
                 if settings[b'minimumprotocol'] == b'tls1.0':
                     # We support more than just TLS 1.0+. If this happens,

diff --git a/tests/test-https.t b/tests/test-https.t
index 9cd28de1cd032ed574ac6e978985752daef6e3e7..dac3d38bf9a6437f0e7c39b994723dd6c4ddbf32 100644 (file)
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -374,26 +374,26 @@ Clients requiring newer TLS version than what server supports fail
   (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
 
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
   (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
 
 --insecure will allow TLS 1.0 connections and override configs
@@ -417,7 +417,7 @@ The per-host config option by itself works
   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
 
 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305)
@@ -430,7 +430,7 @@ The per-host config option by itself works
   (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
   (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
   (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
 
   $ killdaemons.py hg0.pid