sslutil: require TLS 1.1+ when supported

Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available.

Security professionals recommend avoiding TLS 1.0 if possible. PCI DSS 3.1 "strongly encourages" the use of TLS 1.2. Known attacks like BEAST and POODLE exist against TLS 1.0 (although mitigations are available and properly configured servers aren't vulnerable).

I asked Eric Rescorla - Mozilla's resident crypto expert - whether Mercurial should drop support for TLS 1.0. His response was "if you can get away with it." Essentially, a number of servers on the Internet don't support TLS 1.1+. This is why web browsers continue to support TLS 1.0 despite desires from security experts.

This patch changes Mercurial's default behavior on modern Python versions to require TLS 1.1+, thus avoiding known security issues with TLS 1.0 and making Mercurial more secure by default.

Rather than drop TLS 1.0 support wholesale, we still allow TLS 1.0 to be used if configured. This is a compromise solution - ideally we'd disallow TLS 1.0. However, since we're not sure how many Mercurial servers don't support TLS 1.1+ and we're not sure how much user inconvenience this change will bring, I think it is prudent to ship an escape hatch that still allows usage of TLS 1.0. In the default case our users get better security. In the worst case, they are no worse off than before this patch.

This patch has no effect when running on Python versions that don't support TLS 1.1+.

As the added test shows, connecting to a server that doesn't support TLS 1.1+ will display a warning message with a link to our wiki, where we can guide people to configure their client to allow less secure connections.
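The policy the commit message describes, written out as an added example (this is not Mercurial's own sslutil code): the protocol floor defaults to TLS 1.1 when the interpreter can enforce per-version limits, an explicit setting lowers it to TLS 1.0 as the escape hatch, and a handshake that fails because the server cannot meet the floor produces a warning pointing at documentation. The setting name `minimumprotocol`, every helper name, and the wiki URL are assumptions made for the illustration; the "interpreter supports it" check uses `ssl.TLSVersion` / `SSLContext.minimum_version`, which exist from Python 3.7.

```python
import ssl

# Added example, not Mercurial's sslutil. The setting name 'minimumprotocol',
# the helper names and WIKI_URL are assumptions for illustration only.
WIKI_URL = "https://example.invalid/wiki/SecureConnections"  # placeholder

# Ordered from least to most secure; a floor of X allows X and everything after it.
_TLS_VERSIONS = ("tls1.0", "tls1.1", "tls1.2")


def modern_tls_supported():
    """True when this Python can pin a minimum TLS version.

    Python 3.7+ exposes ssl.TLSVersion and SSLContext.minimum_version. On the
    'older Pythons' of the commit message nothing above TLS 1.0 can be
    negotiated anyway, so there is nothing to enforce.
    """
    return hasattr(ssl, "TLSVersion") and hasattr(ssl.SSLContext, "minimum_version")


def default_minimum_protocol():
    """Secure by default: TLS 1.1+ wherever the interpreter can enforce it."""
    return "tls1.1" if modern_tls_supported() else "tls1.0"


def resolve_minimum_protocol(configured=None):
    """Validate the (hypothetical) minimumprotocol setting; None means default."""
    value = configured or default_minimum_protocol()
    if value not in _TLS_VERSIONS:
        raise ValueError("unsupported minimumprotocol %r; expected one of %s"
                         % (value, ", ".join(_TLS_VERSIONS)))
    return value


def allowed_versions(configured=None):
    """Protocol versions a context built from `configured` will accept."""
    minimum = resolve_minimum_protocol(configured)
    return _TLS_VERSIONS[_TLS_VERSIONS.index(minimum):]


def build_client_context(configured=None):
    """Build an SSLContext that refuses any handshake below the chosen floor."""
    minimum = resolve_minimum_protocol(configured)
    # PROTOCOL_TLS_CLIENT turns on certificate verification and hostname
    # checking by default; the version floor is layered on top of that.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if modern_tls_supported():
        ctx.minimum_version = {
            "tls1.0": ssl.TLSVersion.TLSv1,
            "tls1.1": ssl.TLSVersion.TLSv1_1,
            "tls1.2": ssl.TLSVersion.TLSv1_2,
        }[minimum]
    return ctx


def handshake_failure_hint(host, configured=None):
    """Warning text for a handshake that failed against a server which cannot
    meet the configured floor; points the user at the (placeholder) wiki page
    that explains how to lower the floor for that host only."""
    minimum = resolve_minimum_protocol(configured)
    return ("warning: could not negotiate TLS %s or newer with %s; the server "
            "may only support older protocol versions; see %s for how to allow "
            "a less secure connection to this host"
            % (minimum[3:], host, WIKI_URL))


if __name__ == "__main__":
    print("default floor:", default_minimum_protocol(),
          "accepts:", allowed_versions())
    print(handshake_failure_hint("hg.example.invalid"))
```

The escape hatch is deliberately per-setting rather than global: `build_client_context("tls1.0")` is only reached when the user has written the weaker value down, and the warning text names the floor that was in force, so a failed handshake against an old server reads as a configuration decision rather than a silent downgrade.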

File last commit:
r26921:b11495c2 default
r29560:303e9300 default

test-init.t
260 lines | 6.2 KiB
This test tries to exercise the ssh functionality with a dummy script

(enable general delta early)

  $ cat << EOF >> $HGRCPATH
  > [format]
  > usegeneraldelta=yes
  > EOF

  $ checknewrepo()
  > {
  > name=$1
  > if [ -d "$name"/.hg/store ]; then
  > echo store created
  > fi
  > if [ -f "$name"/.hg/00changelog.i ]; then
  > echo 00changelog.i created
  > fi
  > cat "$name"/.hg/requires
  > }

creating 'local'

  $ hg init local
  $ checknewrepo local
  store created
  00changelog.i created
  dotencode
  fncache
  generaldelta
  revlogv1
  store

  $ echo this > local/foo
  $ hg ci --cwd local -A -m "init"
  adding foo

test custom revlog chunk cache sizes

  $ hg --config format.chunkcachesize=0 log -R local -pv
  abort: revlog chunk cache size 0 is not greater than 0!
  [255]
  $ hg --config format.chunkcachesize=1023 log -R local -pv
  abort: revlog chunk cache size 1023 is not a power of 2!
  [255]
  $ hg --config format.chunkcachesize=1024 log -R local -pv
  changeset:   0:08b9e9f63b32
  tag:         tip
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  files:       foo
  description:
  init
  
  
  diff -r 000000000000 -r 08b9e9f63b32 foo
  --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
  +++ b/foo	Thu Jan 01 00:00:00 1970 +0000
  @@ -0,0 +1,1 @@
  +this
  

creating repo with format.usestore=false

  $ hg --config format.usestore=false init old
  $ checknewrepo old
  generaldelta
  revlogv1

creating repo with format.usefncache=false

  $ hg --config format.usefncache=false init old2
  $ checknewrepo old2
  store created
  00changelog.i created
  generaldelta
  revlogv1
  store

creating repo with format.dotencode=false

  $ hg --config format.dotencode=false init old3
  $ checknewrepo old3
  store created
  00changelog.i created
  fncache
  generaldelta
  revlogv1
  store

creating repo with format.generaldelta=false

  $ hg --config format.generaldelta=false --config format.usegeneraldelta=false init old4
  $ checknewrepo old4
  store created
  00changelog.i created
  dotencode
  fncache
  revlogv1
  store

test failure

  $ hg init local
  abort: repository local already exists!
  [255]

init+push to remote2

  $ hg init -e "python \"$TESTDIR/dummyssh\"" ssh://user@dummy/remote2
  $ hg incoming -R remote2 local
  comparing with local
  changeset:   0:08b9e9f63b32
  tag:         tip
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     init
  
  $ hg push -R local -e "python \"$TESTDIR/dummyssh\"" ssh://user@dummy/remote2
  pushing to ssh://user@dummy/remote2
  searching for changes
  remote: adding changesets
  remote: adding manifests
  remote: adding file changes
  remote: added 1 changesets with 1 changes to 1 files

clone to remote1

  $ hg clone -e "python \"$TESTDIR/dummyssh\"" local ssh://user@dummy/remote1
  searching for changes
  remote: adding changesets
  remote: adding manifests
  remote: adding file changes
  remote: added 1 changesets with 1 changes to 1 files

The largefiles extension doesn't crash

  $ hg clone -e "python \"$TESTDIR/dummyssh\"" local ssh://user@dummy/remotelf --config extensions.largefiles=
  searching for changes
  remote: adding changesets
  remote: adding manifests
  remote: adding file changes
  remote: added 1 changesets with 1 changes to 1 files

init to existing repo

  $ hg init -e "python \"$TESTDIR/dummyssh\"" ssh://user@dummy/remote1
  abort: repository remote1 already exists!
  abort: could not create remote repo!
  [255]

clone to existing repo

  $ hg clone -e "python \"$TESTDIR/dummyssh\"" local ssh://user@dummy/remote1
  abort: repository remote1 already exists!
  abort: could not create remote repo!
  [255]

output of dummyssh

  $ cat dummylog
  Got arguments 1:user@dummy 2:hg init remote2
  Got arguments 1:user@dummy 2:hg -R remote2 serve --stdio
  Got arguments 1:user@dummy 2:hg -R remote2 serve --stdio
  Got arguments 1:user@dummy 2:hg init remote1
  Got arguments 1:user@dummy 2:hg -R remote1 serve --stdio
  Got arguments 1:user@dummy 2:hg init remotelf
  Got arguments 1:user@dummy 2:hg -R remotelf serve --stdio
  Got arguments 1:user@dummy 2:hg init remote1
  Got arguments 1:user@dummy 2:hg init remote1

comparing repositories

  $ hg tip -q -R local
  0:08b9e9f63b32
  $ hg tip -q -R remote1
  0:08b9e9f63b32
  $ hg tip -q -R remote2
  0:08b9e9f63b32

check names for repositories (clashes with URL schemes, special chars)

  $ for i in bundle file hg http https old-http ssh static-http "with space"; do
  >   printf "hg init \"$i\"... "
  >   hg init "$i"
  >   test -d "$i" -a -d "$i/.hg" && echo "ok" || echo "failed"
  > done
  hg init "bundle"... ok
  hg init "file"... ok
  hg init "hg"... ok
  hg init "http"... ok
  hg init "https"... ok
  hg init "old-http"... ok
  hg init "ssh"... ok
  hg init "static-http"... ok
  hg init "with space"... ok
#if eol-in-paths
/* " " is not a valid name for a directory on Windows */
  $ hg init " "
  $ test -d " "
  $ test -d " /.hg"
#endif

creating 'local/sub/repo'

  $ hg init local/sub/repo
  $ checknewrepo local/sub/repo
  store created
  00changelog.i created
  dotencode
  fncache
  generaldelta
  revlogv1
  store

prepare test of init of url configured from paths

  $ echo '[paths]' >> $HGRCPATH
  $ echo "somewhere = `pwd`/url from paths" >> $HGRCPATH
  $ echo "elsewhere = `pwd`/another paths url" >> $HGRCPATH

init should (for consistency with clone) expand the url

  $ hg init somewhere
  $ checknewrepo "url from paths"
  store created
  00changelog.i created
  dotencode
  fncache
  generaldelta
  revlogv1
  store

verify that clone also expands urls

  $ hg clone somewhere elsewhere
  updating to branch default
  0 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ checknewrepo "another paths url"
  store created
  00changelog.i created
  dotencode
  fncache
  generaldelta
  revlogv1
  store

clone bookmarks

  $ hg -R local bookmark test
  $ hg -R local bookmarks
   * test                      0:08b9e9f63b32
  $ hg clone -e "python \"$TESTDIR/dummyssh\"" local ssh://user@dummy/remote-bookmarks
  searching for changes
  remote: adding changesets
  remote: adding manifests
  remote: adding file changes
  remote: added 1 changesets with 1 changes to 1 files
  exporting bookmark test
  $ hg -R remote-bookmarks bookmarks
     test                      0:08b9e9f63b32