[PATCH 4 of 5 stable] tests: skip test-https.t TLSv1 testing when system doesn't support it
Mads Kiilerich
mads at kiilerich.com
Wed Mar 22 16:25:00 UTC 2023
# HG changeset patch
# User Mads Kiilerich <mads at kiilerich.com>
# Date 1679500739 -3600
# Wed Mar 22 16:58:59 2023 +0100
# Branch stable
# Node ID 7c544bc71aaca594998649ae02d35fb4dd7606b4
# Parent d641581ee136281971555adc05049b826e995fed
tests: skip test-https.t TLSv1 testing when system doesn't support it
The test failed on Fedora with the default security policy unless the system
policy was degraded with:
# update-crypto-policies --set LEGACY
diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -701,6 +701,14 @@ def has_defaultcacertsloaded():
return len(ctx.get_ca_certs()) > 0
+ at check("tls1.0", "TLS 1 protocol support")
+def has_tls1_0():
+ import ssl
+
+ ctx = ssl.create_default_context()
+ return ctx.minimum_version <= ssl.TLSVersion.TLSv1
+
+
@check("tls1.2", "TLS 1.2 protocol support")
def has_tls1_2():
from mercurial import sslutil
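Review bot: `has_tls1_0` decides from `ctx.minimum_version` alone, so it only notices a floor raised through the OpenSSL configuration, which is the Fedora crypto-policy case from the description. A system that refuses TLS 1.0 by another route, such as a cipher security level or a build without the protocol, would presumably still report `ssl.TLSVersion.MINIMUM_SUPPORTED` and pass the check. The function has no comment stating that limit; I would add `# True when the default context's minimum version still permits TLS 1.0; restrictions applied elsewhere are not detected`. `ssl.TLSVersion` and `minimum_version` exist only from Python 3.7, so if this branch still supports an older interpreter the attribute access needs a guard.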
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -356,10 +356,12 @@ Start servers running supported TLS vers
Clients talking same TLS versions work
+#if tls1.0
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
5fed3813f7f5
+#endif
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
5fed3813f7f5
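Review bot: The `#if tls1.0` block also wraps the `hostsecurity.minimumprotocol=tls1.1` client against `$HGPORT1`, so a system whose floor is TLS 1.1 skips a case it could still run, and nothing in the test says the grouping is deliberate. A one-line comment above the block would do, for example `TLS 1.0 and 1.1 clients are only exercised when the system default policy still permits TLS 1.0`. The servers these clients talk to are started above the hunk, so whether they come up at all under a restrictive policy cannot be judged from here.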
@@ -391,6 +393,8 @@ Clients requiring newer TLS version than
abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
[100]
+#if tls1.0
+
--insecure will allow TLS 1.0 connections and override configs
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
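Review bot: The `#if tls1.0` opened before `--insecure will allow TLS 1.0 connections and override configs` is closed only by the `#endif` in the following hunk, and there is no `#else`. On a system without TLS 1.0 the test therefore asserts nothing about how `--insecure` and the per-host `minimumprotocol=tls1.0` override behave. Since those are the options that relax protocol enforcement, an `#else` branch recording the expected failure on such systems would keep that behaviour covered. The lines between the two hunks are not visible here, so the expected output would have to be taken from a run under the restrictive policy.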
@@ -405,6 +409,8 @@ The per-host config option overrides the
> --config hostsecurity.localhost:minimumprotocol=tls1.0
5fed3813f7f5
+#endif
+
The per-host config option by itself works
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \