##// END OF EJS Templates
sslutil: improve messaging around unsupported protocols (issue5303)...
Gregory Szorc -
r29619:53e80179 stable
parent child Browse files
Show More
@@ -417,11 +417,57 b' def wrapsocket(sock, keyfile, certfile, '
417 'how to configure Mercurial to avoid this error)\n'))
417 'how to configure Mercurial to avoid this error)\n'))
418 # Try to print more helpful error messages for known failures.
418 # Try to print more helpful error messages for known failures.
419 if util.safehasattr(e, 'reason'):
419 if util.safehasattr(e, 'reason'):
420 # This error occurs when the client and server don't share a
421 # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3
422 # outright. Hopefully the reason for this error is that we require
423 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
424 # reason, try to emit an actionable warning.
420 if e.reason == 'UNSUPPORTED_PROTOCOL':
425 if e.reason == 'UNSUPPORTED_PROTOCOL':
421 ui.warn(_('(could not negotiate a common protocol; see '
426 # We attempted TLS 1.0+.
422 'https://mercurial-scm.org/wiki/SecureConnections '
427 if settings['protocolui'] == 'tls1.0':
423 'for how to configure Mercurial to avoid this '
428 # We support more than just TLS 1.0+. If this happens,
424 'error)\n'))
429 # the likely scenario is either the client or the server
430 # is really old. (e.g. server doesn't support TLS 1.0+ or
431 # client doesn't support modern TLS versions introduced
432 # several years from when this comment was written).
433 if supportedprotocols != set(['tls1.0']):
434 ui.warn(_(
435 '(could not communicate with %s using security '
436 'protocols %s; if you are using a modern Mercurial '
437 'version, consider contacting the operator of this '
438 'server; see '
439 'https://mercurial-scm.org/wiki/SecureConnections '
440 'for more info)\n') % (
441 serverhostname,
442 ', '.join(sorted(supportedprotocols))))
443 else:
444 ui.warn(_(
445 '(could not communicate with %s using TLS 1.0; the '
446 'likely cause of this is the server no longer '
447 'supports TLS 1.0 because it has known security '
448 'vulnerabilities; see '
449 'https://mercurial-scm.org/wiki/SecureConnections '
450 'for more info)\n') % serverhostname)
451 else:
452 # We attempted TLS 1.1+. We can only get here if the client
453 # supports the configured protocol. So the likely reason is
454 # the client wants better security than the server can
455 # offer.
456 ui.warn(_(
457 '(could not negotiate a common security protocol (%s+) '
458 'with %s; the likely cause is Mercurial is configured '
459 'to be more secure than the server can support)\n') % (
460 settings['protocolui'], serverhostname))
461 ui.warn(_('(consider contacting the operator of this '
462 'server and ask them to support modern TLS '
463 'protocol versions; or, set '
464 'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
465 'use of legacy, less secure protocols when '
466 'communicating with this server)\n') %
467 serverhostname)
468 ui.warn(_(
469 '(see https://mercurial-scm.org/wiki/SecureConnections '
470 'for more info)\n'))
425 raise
471 raise
426
472
427 # check if wrap_socket failed silently because socket had been
473 # check if wrap_socket failed silently because socket had been
@@ -469,20 +469,28 b' Clients talking same TLS versions work'
469 Clients requiring newer TLS version than what server supports fail
469 Clients requiring newer TLS version than what server supports fail
470
470
471 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
471 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
472 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
472 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
473 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
474 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
473 abort: error: *unsupported protocol* (glob)
475 abort: error: *unsupported protocol* (glob)
474 [255]
476 [255]
475
477
476 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
478 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/
477 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
479 (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
480 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
481 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
478 abort: error: *unsupported protocol* (glob)
482 abort: error: *unsupported protocol* (glob)
479 [255]
483 [255]
480 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
484 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/
481 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
485 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
486 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
487 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
482 abort: error: *unsupported protocol* (glob)
488 abort: error: *unsupported protocol* (glob)
483 [255]
489 [255]
484 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
490 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
485 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
491 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
492 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
493 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
486 abort: error: *unsupported protocol* (glob)
494 abort: error: *unsupported protocol* (glob)
487 [255]
495 [255]
488
496
@@ -503,7 +511,9 b' The per-host config option by itself wor'
503
511
504 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
512 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
505 > --config hostsecurity.localhost:minimumprotocol=tls1.2
513 > --config hostsecurity.localhost:minimumprotocol=tls1.2
506 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
514 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
515 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
516 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
507 abort: error: *unsupported protocol* (glob)
517 abort: error: *unsupported protocol* (glob)
508 [255]
518 [255]
509
519
@@ -514,7 +524,9 b' The per-host config option by itself wor'
514 > localhost:minimumprotocol=tls1.2
524 > localhost:minimumprotocol=tls1.2
515 > EOF
525 > EOF
516 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
526 $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
517 (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
527 (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
528 (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
529 (see https://mercurial-scm.org/wiki/SecureConnections for more info)
518 abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590)
530 abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590)
519 [255]
531 [255]
520
532
General Comments 0
You need to be logged in to leave comments. Login now