From a16352aeba156c492d6dd137a3d834e72f5eca3c Mon Sep 17 00:00:00 2001
From: Debian Python Team
Date: Thu, 21 Apr 2022 23:42:37 +0100
Subject: [PATCH] _sslutil__treat_TLSV1_ALERT_PROTOCOL_VERSION_error_the_same_as_UNSUPPORTED_PROTOCOL
# HG changeset patch
# User Julien Cristau
# Date 1649508115 -7200
# Sat Apr 09 14:41:55 2022 +0200
# Node ID 416d9bf1c5eaeba34bbc25baee37ae32e81d50f1
# Parent 41f738aed141d3a29c5ed5d33a9e79cad15b0669
sslutil: treat TLSV1_ALERT_PROTOCOL_VERSION error the same as UNSUPPORTED_PROTOCOL
It looks like python 3.10 returns a different reason code on protocol version mismatch.
Differential Revision: https://phab.mercurial-scm.org/D12491
Gbp-Pq: Topic py310
Gbp-Pq: Name 6_sslutil__treat_TLSV1_ALERT_PROTOCOL_VERSION_error_the_same_as_UNSUPPORTED_PROTOCOL.patch
---
 mercurial/sslutil.py | 2 +-
 tests/test-https.t | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index 26a8ec2..714d095 100644
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -419,7 +419,7 @@ def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
 # outright. Hopefully the reason for this error is that we require
 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
 # reason, try to emit an actionable warning.
- if e.reason == 'UNSUPPORTED_PROTOCOL':
+ if e.reason in ('UNSUPPORTED_PROTOCOL', 'TLSV1_ALERT_PROTOCOL_VERSION'):
 # We attempted TLS 1.0+.
 if settings[b'minimumprotocol'] == b'tls1.0':
 # We support more than just TLS 1.0+. If this happens,
diff --git a/tests/test-https.t b/tests/test-https.t
index 9cd28de..dac3d38 100644
--- a/tests/test-https.t
+++ b/tests/test-https.t
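Review bot: The comment above the widened condition in wrapsocket still describes only the local `UNSUPPORTED_PROTOCOL` case, but `TLSV1_ALERT_PROTOCOL_VERSION` is an alert received from the peer during the part of the handshake that is not yet authenticated. It says only that the two sides found no common protocol version, so it may also appear when the server requires a newer version than this client offers, and presumably anything on the network path can produce it. The hint emitted in this branch (as shown in the expected output in tests/test-https.t) suggests setting `minimumprotocol=tls1.0`, which is the wrong remedy in that case and nudges users toward a weaker setting on unauthenticated input. I would add a comment such as `# TLSV1_ALERT_PROTOCOL_VERSION comes from the peer (seen with Python 3.10); it is unauthenticated and does not say which side is too strict.` and consider softening "the likely cause" for that reason code. The function body continues outside the hunk, so the code emitting the hint is not visible here.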
@@ -374,26 +374,26 @@ Clients requiring newer TLS version than what server supports fail (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see 
https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] --insecure will allow TLS 1.0 connections and override configs @@ -417,7 +417,7 @@ The per-host config option by itself works (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) 
@@ -430,7 +430,7 @@ The per-host config option by itself works (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ killdaemons.py hg0.pid -- 2.30.2