[PATCH 4 of 5 stable] tests: skip test-https.t TLSv1 testing when system doesn't support it

Mads Kiilerich mads at kiilerich.com
Wed Mar 22 16:25:00 UTC 2023


# HG changeset patch
# User Mads Kiilerich <mads at kiilerich.com>
# Date 1679500739 -3600
#      Wed Mar 22 16:58:59 2023 +0100
# Branch stable
# Node ID 7c544bc71aaca594998649ae02d35fb4dd7606b4
# Parent  d641581ee136281971555adc05049b826e995fed
tests: skip test-https.t TLSv1 testing when system doesn't support it

The test failed on Fedora with the default security policy, unless the
system policy was degraded with:

  # update-crypto-policies --set LEGACY

diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -701,6 +701,14 @@ def has_defaultcacertsloaded():
     return len(ctx.get_ca_certs()) > 0
 
 
+ at check("tls1.0", "TLS 1 protocol support")
+def has_tls1_0():
+    import ssl
+
+    ctx = ssl.create_default_context()
+    return ctx.minimum_version <= ssl.TLSVersion.TLSv1
+
+
 @check("tls1.2", "TLS 1.2 protocol support")
 def has_tls1_2():
     from mercurial import sslutil
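Review bot: `has_tls1_0()` reads the floor of Python's own default context, `ctx.minimum_version <= ssl.TLSVersion.TLSv1`, which is not the same as asking whether the system can still negotiate TLS 1.0. As far as I know, Python 3.10 and later set that floor to TLS 1.2 regardless of the OpenSSL policy, so the check would return False there and the legacy-protocol and `--insecure` cases in test-https.t would be skipped even on a host that allows TLS 1.0; please confirm on a current interpreter. `ssl.TLSVersion` also only exists from Python 3.7, so an older interpreter would raise here rather than report the feature as missing. At minimum I would add a comment such as `# reads Python's default-context floor, not what OpenSSL/sslutil will actually negotiate`. The neighbouring `has_tls1_2` (its body continues outside the hunk) goes through `mercurial.sslutil`, and doing the same here would keep the two checks consistent.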
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -356,10 +356,12 @@ Start servers running supported TLS vers
 
 Clients talking same TLS versions work
 
+#if tls1.0
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
   5fed3813f7f5
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
   5fed3813f7f5
+#endif
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
   5fed3813f7f5
 
@@ -391,6 +393,8 @@ Clients requiring newer TLS version than
   abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
 
+#if tls1.0
+
 --insecure will allow TLS 1.0 connections and override configs
 
   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
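Review bot: The `#if tls1.0` opened here guards commands that connect to `$HGPORT1`, which the first test-https.t hunk pairs with `minimumprotocol=tls1.1`, so TLS 1.1 coverage is tied to TLS 1.0 availability. The same applies to the `tls1.1` command inside the first `#if tls1.0` block. A host that permits 1.1 but not 1.0 would then skip the `--insecure` override and per-host override checks although it could still run them. If that coupling is intended, a short line before the conditional would help, for example `TLS 1.0 and 1.1 are normally disabled together by system policy, so both are gated on tls1.0`; otherwise a separate check used as `#if tls1.1` would keep these cases running. The conditional is closed in the following hunk.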
@@ -405,6 +409,8 @@ The per-host config option overrides the
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
   5fed3813f7f5
 
+#endif
+
 The per-host config option by itself works
 
   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \


