@@ -417,11 +417,57 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
417 | 'how to configure Mercurial to avoid this error)\n')) |
|
417 | 'how to configure Mercurial to avoid this error)\n')) | |
418 | # Try to print more helpful error messages for known failures. |
|
418 | # Try to print more helpful error messages for known failures. | |
419 | if util.safehasattr(e, 'reason'): |
|
419 | if util.safehasattr(e, 'reason'): | |
|
420 | # This error occurs when the client and server don't share a | |||
|
421 | # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 | |||
|
422 | # outright. Hopefully the reason for this error is that we require | |||
|
423 | # TLS 1.1+ and the server only supports TLS 1.0. Whatever the | |||
|
424 | # reason, try to emit an actionable warning. | |||
420 | if e.reason == 'UNSUPPORTED_PROTOCOL': |
|
425 | if e.reason == 'UNSUPPORTED_PROTOCOL': | |
421 | ui.warn(_('(could not negotiate a common protocol; see ' |
|
426 | # We attempted TLS 1.0+. | |
422 | 'https://mercurial-scm.org/wiki/SecureConnections ' |
|
427 | if settings['protocolui'] == 'tls1.0': | |
423 | 'for how to configure Mercurial to avoid this ' |
|
428 | # We support more than just TLS 1.0+. If this happens, | |
424 | 'error)\n')) |
|
429 | # the likely scenario is either the client or the server | |
|
430 | # is really old. (e.g. server doesn't support TLS 1.0+ or | |||
|
431 | # client doesn't support modern TLS versions introduced | |||
|
432 | # several years from when this comment was written). | |||
|
433 | if supportedprotocols != set(['tls1.0']): | |||
|
434 | ui.warn(_( | |||
|
435 | '(could not communicate with %s using security ' | |||
|
436 | 'protocols %s; if you are using a modern Mercurial ' | |||
|
437 | 'version, consider contacting the operator of this ' | |||
|
438 | 'server; see ' | |||
|
439 | 'https://mercurial-scm.org/wiki/SecureConnections ' | |||
|
440 | 'for more info)\n') % ( | |||
|
441 | serverhostname, | |||
|
442 | ', '.join(sorted(supportedprotocols)))) | |||
|
443 | else: | |||
|
444 | ui.warn(_( | |||
|
445 | '(could not communicate with %s using TLS 1.0; the ' | |||
|
446 | 'likely cause of this is the server no longer ' | |||
|
447 | 'supports TLS 1.0 because it has known security ' | |||
|
448 | 'vulnerabilities; see ' | |||
|
449 | 'https://mercurial-scm.org/wiki/SecureConnections ' | |||
|
450 | 'for more info)\n') % serverhostname) | |||
|
451 | else: | |||
|
452 | # We attempted TLS 1.1+. We can only get here if the client | |||
|
453 | # supports the configured protocol. So the likely reason is | |||
|
454 | # the client wants better security than the server can | |||
|
455 | # offer. | |||
|
456 | ui.warn(_( | |||
|
457 | '(could not negotiate a common security protocol (%s+) ' | |||
|
458 | 'with %s; the likely cause is Mercurial is configured ' | |||
|
459 | 'to be more secure than the server can support)\n') % ( | |||
|
460 | settings['protocolui'], serverhostname)) | |||
|
461 | ui.warn(_('(consider contacting the operator of this ' | |||
|
462 | 'server and ask them to support modern TLS ' | |||
|
463 | 'protocol versions; or, set ' | |||
|
464 | 'hostsecurity.%s:minimumprotocol=tls1.0 to allow ' | |||
|
465 | 'use of legacy, less secure protocols when ' | |||
|
466 | 'communicating with this server)\n') % | |||
|
467 | serverhostname) | |||
|
468 | ui.warn(_( | |||
|
469 | '(see https://mercurial-scm.org/wiki/SecureConnections ' | |||
|
470 | 'for more info)\n')) | |||
425 | raise |
|
471 | raise | |
426 |
|
472 | |||
427 | # check if wrap_socket failed silently because socket had been |
|
473 | # check if wrap_socket failed silently because socket had been |
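Review bot: The SecureConnections pointer is emitted inconsistently across the three new warnings under `if e.reason == 'UNSUPPORTED_PROTOCOL':` — the two TLS 1.0 branches splice `'see https://mercurial-scm.org/wiki/SecureConnections for more info'` into the middle of their message, while the TLS 1.1+ branch prints it as a separate third `ui.warn`. Hoisting the standalone `ui.warn(_('(see https://mercurial-scm.org/wiki/SecureConnections for more info)\n'))` below the `if settings['protocolui'] == 'tls1.0':` / `else:` block and dropping the inline `'see ' 'https://...' 'for more info)'` fragments from the two TLS 1.0 messages would make every UNSUPPORTED_PROTOCOL diagnosis end the same way and shorten the two long format strings. A short comment on the `else:` branch, e.g. `# Point at the per-host override so the downgrade to TLS 1.0 is scoped to this server rather than the global hostsecurity.minimumprotocol.`, would record why the per-host form is the one recommended, which I take to be the intent. `supportedprotocols`, `settings` and `serverhostname` are bound earlier in wrapsocket, whose body starts before and continues after this hunk, so I could not confirm from here that `settings['protocolui']` is always populated when this branch runs.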
@@ -469,20 +469,28 b' Clients talking same TLS versions work' | |||||
469 | Clients requiring newer TLS version than what server supports fail |
|
469 | Clients requiring newer TLS version than what server supports fail | |
470 |
|
470 | |||
471 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
|
471 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ | |
472 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
472 | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
473 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |||
|
474 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |||
473 | abort: error: *unsupported protocol* (glob) |
|
475 | abort: error: *unsupported protocol* (glob) | |
474 | [255] |
|
476 | [255] | |
475 |
|
477 | |||
476 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
|
478 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ | |
477 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
479 | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
480 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |||
|
481 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |||
478 | abort: error: *unsupported protocol* (glob) |
|
482 | abort: error: *unsupported protocol* (glob) | |
479 | [255] |
|
483 | [255] | |
480 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
|
484 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ | |
481 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
485 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
486 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |||
|
487 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |||
482 | abort: error: *unsupported protocol* (glob) |
|
488 | abort: error: *unsupported protocol* (glob) | |
483 | [255] |
|
489 | [255] | |
484 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
|
490 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ | |
485 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
491 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
492 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |||
|
493 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |||
486 | abort: error: *unsupported protocol* (glob) |
|
494 | abort: error: *unsupported protocol* (glob) | |
487 | [255] |
|
495 | [255] | |
488 |
|
496 | |||
@@ -503,7 +511,9 b' The per-host config option by itself wor' | |||||
503 |
|
511 | |||
504 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
512 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ | |
505 | > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
|
513 | > --config hostsecurity.localhost:minimumprotocol=tls1.2 | |
506 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
514 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
515 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |||
|
516 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |||
507 | abort: error: *unsupported protocol* (glob) |
|
517 | abort: error: *unsupported protocol* (glob) | |
508 | [255] |
|
518 | [255] | |
509 |
|
519 | |||
@@ -514,7 +524,9 b' The per-host config option by itself wor' | |||||
514 | > localhost:minimumprotocol=tls1.2 |
|
524 | > localhost:minimumprotocol=tls1.2 | |
515 | > EOF |
|
525 | > EOF | |
516 | $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
|
526 | $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ | |
517 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
527 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
528 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |||
|
529 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |||
518 | abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590) |
|
530 | abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590) | |
519 | [255] |
|
531 | [255] | |
520 |
|
532 |
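Review bot: The updated expectations in these hunks only exercise the TLS 1.1+ branch of the new UNSUPPORTED_PROTOCOL handling — every new expected line reads `(could not negotiate a common security protocol (tls1.1+) ...)` or `(tls1.2+)` — so the two new TLS 1.0 messages (`could not communicate with %s using security protocols %s` and `could not communicate with %s using TLS 1.0; ...`) get no coverage here. Unless they are checked elsewhere in this file, a case run with `--config hostsecurity.minimumprotocol=tls1.0` against a test server that refuses TLS 1.0 (if the harness can start one) would pin those messages, including the `', '.join(sorted(supportedprotocols))` formatting in the first of them. Note also that the last hunk's `abort:` line still carries a literal `(_ssl.c:590)` while the other hunks use `*unsupported protocol* (glob)`; that line is unchanged context, but it is the expectation most likely to differ across Python builds.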