# HG changeset patch # User Julien Cristau # Date 2022-04-09 12:41:55 # Node ID 27ef2aa953dddb09c505dda3f7c516fed661ffd7 # Parent 7ea2bd2043d170c51724a1848508258146c8f183 sslutil: support TLSV1_ALERT_PROTOCOL_VERSION reason code It looks like python 3.10 returns a different reason code on protocol version mismatch. Differential Revision: https://phab.mercurial-scm.org/D12491
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -425,7 +425,10 @@ def wrapsocket(sock, keyfile, certfile,
 # outright. Hopefully the reason for this error is that we require
 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
 # reason, try to emit an actionable warning.
- if e.reason == 'UNSUPPORTED_PROTOCOL':
+ if e.reason in (
+ 'UNSUPPORTED_PROTOCOL',
+ 'TLSV1_ALERT_PROTOCOL_VERSION',
+ ):
 # We attempted TLS 1.0+.
 if settings[b'minimumprotocol'] == b'tls1.0':
 # We support more than just TLS 1.0+. If this happens,
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
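Review bot: The new tuple on `e.reason` treats `TLSV1_ALERT_PROTOCOL_VERSION` the same as `UNSUPPORTED_PROTOCOL`, but the two signals have different origins: the former is a protocol_version alert received from the peer before the handshake is authenticated, while the latter is, as far as I can tell, raised by the local TLS library. The warnings in this branch (per the test output, they suggest setting `hostsecurity.<host>:minimumprotocol=tls1.0`) steer the user towards weakening configuration, so a comment above the tuple would help the next maintainer, e.g. `# TLSV1_ALERT_PROTOCOL_VERSION (seen with Python 3.10) is an unauthenticated alert from the peer; it does not prove the server is limited to TLS 1.0.` The same alert can presumably also come from a server that requires a newer version than the client offered, in which case the advice would not help; that is worth confirming against the supported version range. wrapsocket's body starts and ends outside the hunk.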
@@ -374,26 +374,26 @@ Clients requiring newer TLS version than (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - 
abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] --insecure will allow TLS 1.0 connections and override configs @@ -417,7 +417,7 @@ The per-host config option by itself wor (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] .hg/hgrc file [hostsecurity] settings are applied to remote ui instances (issue5305) 
@@ -430,7 +430,7 @@ The per-host config option by itself wor (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) (see https://mercurial-scm.org/wiki/SecureConnections for more info) - abort: error: .*(unsupported protocol|wrong ssl version).* (re) + abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re) [100] $ killdaemons.py hg0.pid