Show More
| @@ -417,11 +417,57 b' def wrapsocket(sock, keyfile, certfile, ' | |||
|
|
417 | 417 | 'how to configure Mercurial to avoid this error)\n')) |
|
|
418 | 418 | # Try to print more helpful error messages for known failures. |
|
|
419 | 419 | if util.safehasattr(e, 'reason'): |
|
|
420 | # This error occurs when the client and server don't share a | |
|
|
421 | # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 | |
|
|
422 | # outright. Hopefully the reason for this error is that we require | |
|
|
423 | # TLS 1.1+ and the server only supports TLS 1.0. Whatever the | |
|
|
424 | # reason, try to emit an actionable warning. | |
|
|
420 | 425 | if e.reason == 'UNSUPPORTED_PROTOCOL': |
|
|
421 | ui.warn(_('(could not negotiate a common protocol; see ' | |
|
|
422 | 'https://mercurial-scm.org/wiki/SecureConnections ' | |
|
|
423 | 'for how to configure Mercurial to avoid this ' | |
|
|
424 | 'error)\n')) | |
|
|
426 | # We attempted TLS 1.0+. | |
|
|
427 | if settings['protocolui'] == 'tls1.0': | |
|
|
428 | # We support more than just TLS 1.0+. If this happens, | |
|
|
429 | # the likely scenario is either the client or the server | |
|
|
430 | # is really old. (e.g. server doesn't support TLS 1.0+ or | |
|
|
431 | # client doesn't support modern TLS versions introduced | |
|
|
432 | # several years from when this comment was written). | |
|
|
433 | if supportedprotocols != set(['tls1.0']): | |
|
|
434 | ui.warn(_( | |
|
|
435 | '(could not communicate with %s using security ' | |
|
|
436 | 'protocols %s; if you are using a modern Mercurial ' | |
|
|
437 | 'version, consider contacting the operator of this ' | |
|
|
438 | 'server; see ' | |
|
|
439 | 'https://mercurial-scm.org/wiki/SecureConnections ' | |
|
|
440 | 'for more info)\n') % ( | |
|
|
441 | serverhostname, | |
|
|
442 | ', '.join(sorted(supportedprotocols)))) | |
|
|
443 | else: | |
|
|
444 | ui.warn(_( | |
|
|
445 | '(could not communicate with %s using TLS 1.0; the ' | |
|
|
446 | 'likely cause of this is the server no longer ' | |
|
|
447 | 'supports TLS 1.0 because it has known security ' | |
|
|
448 | 'vulnerabilities; see ' | |
|
|
449 | 'https://mercurial-scm.org/wiki/SecureConnections ' | |
|
|
450 | 'for more info)\n') % serverhostname) | |
|
|
451 | else: | |
|
|
452 | # We attempted TLS 1.1+. We can only get here if the client | |
|
|
453 | # supports the configured protocol. So the likely reason is | |
|
|
454 | # the client wants better security than the server can | |
|
|
455 | # offer. | |
|
|
456 | ui.warn(_( | |
|
|
457 | '(could not negotiate a common security protocol (%s+) ' | |
|
|
458 | 'with %s; the likely cause is Mercurial is configured ' | |
|
|
459 | 'to be more secure than the server can support)\n') % ( | |
|
|
460 | settings['protocolui'], serverhostname)) | |
|
|
461 | ui.warn(_('(consider contacting the operator of this ' | |
|
|
462 | 'server and ask them to support modern TLS ' | |
|
|
463 | 'protocol versions; or, set ' | |
|
|
464 | 'hostsecurity.%s:minimumprotocol=tls1.0 to allow ' | |
|
|
465 | 'use of legacy, less secure protocols when ' | |
|
|
466 | 'communicating with this server)\n') % | |
|
|
467 | serverhostname) | |
|
|
468 | ui.warn(_( | |
|
|
469 | '(see https://mercurial-scm.org/wiki/SecureConnections ' | |
|
|
470 | 'for more info)\n')) | |
|
|
425 | 471 | raise |
|
|
426 | 472 | |
|
|
427 | 473 | # check if wrap_socket failed silently because socket had been |
| @@ -469,20 +469,28 b' Clients talking same TLS versions work' | |||
|
|
469 | 469 | Clients requiring newer TLS version than what server supports fail |
|
|
470 | 470 | |
|
|
471 | 471 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ |
|
|
472 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | |
|
|
472 | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
|
473 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |
|
|
474 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |
|
|
473 | 475 | abort: error: *unsupported protocol* (glob) |
|
|
474 | 476 | [255] |
|
|
475 | 477 | |
|
|
476 | 478 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ |
|
|
477 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | |
|
|
479 | (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
|
480 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |
|
|
481 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |
|
|
478 | 482 | abort: error: *unsupported protocol* (glob) |
|
|
479 | 483 | [255] |
|
|
480 | 484 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ |
|
|
481 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | |
|
|
485 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
|
486 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |
|
|
487 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |
|
|
482 | 488 | abort: error: *unsupported protocol* (glob) |
|
|
483 | 489 | [255] |
|
|
484 | 490 | $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ |
|
|
485 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | |
|
|
491 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
|
492 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |
|
|
493 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |
|
|
486 | 494 | abort: error: *unsupported protocol* (glob) |
|
|
487 | 495 | [255] |
|
|
488 | 496 | |
| @@ -503,7 +511,9 b' The per-host config option by itself wor' | |||
|
|
503 | 511 | |
|
|
504 | 512 | $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ |
|
|
505 | 513 | > --config hostsecurity.localhost:minimumprotocol=tls1.2 |
|
|
506 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | |
|
|
514 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
|
515 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |
|
|
516 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |
|
|
507 | 517 | abort: error: *unsupported protocol* (glob) |
|
|
508 | 518 | [255] |
|
|
509 | 519 | |
| @@ -514,7 +524,9 b' The per-host config option by itself wor' | |||
|
|
514 | 524 | > localhost:minimumprotocol=tls1.2 |
|
|
515 | 525 | > EOF |
|
|
516 | 526 | $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/ |
|
|
517 | (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) | |
|
|
527 | (could not negotiate a common security protocol (tls1.2+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) | |
|
|
528 | (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server) | |
|
|
529 | (see https://mercurial-scm.org/wiki/SecureConnections for more info) | |
|
|
518 | 530 | abort: error: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:590) |
|
|
519 | 531 | [255] |
|
|
520 | 532 | |
General Comments 0
You need to be logged in to leave comments.
Login now