Patchwork [05,of,10,v2] sslutil: simplify code for printing an error message when negotiation fails

Submitter Manuel Jacob
Date May 30, 2020, 10:37 p.m.
Message ID <bb58183ab539f542382b.1590878238@tmp>
Permalink /patch/46424/
State New

Comments

Manuel Jacob - May 30, 2020, 10:37 p.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590800420 -7200
#      Sat May 30 03:00:20 2020 +0200
# Node ID bb58183ab539f542382b7f175377e8bd69cc452a
# Parent  5d4b7c8aac2c8e7c5f981e9e9c30dc14f90d886f
# EXP-Topic require_modern_ssl
sslutil: simplify code for printing an error message when negotiation fails

The original motivation for doing this was that we now depend on TLS 1.1
and TLS 1.2 being supported by the underlying Python, so that we don’t have to
handle the case where the client supports only TLS 1.0. While making the
change, I realized that there’s no good reason to print a different message
depending on which minimum protocol was configured. Actually, "could not
communicate with %s using security protocols ..." was imprecise, as the
underlying SSL implementation is free to use a higher version if available.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -427,73 +427,37 @@  def wrapsocket(sock, keyfile, certfile, 
             # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
             # reason, try to emit an actionable warning.
             if e.reason == 'UNSUPPORTED_PROTOCOL':
-                # We attempted TLS 1.0+.
-                if settings[b'protocolui'] == b'tls1.0':
-                    # We support more than just TLS 1.0+. If this happens,
-                    # the likely scenario is either the client or the server
-                    # is really old. (e.g. server doesn't support TLS 1.0+ or
-                    # client doesn't support modern TLS versions introduced
-                    # several years from when this comment was written).
-                    if supportedprotocols != {b'tls1.0'}:
-                        ui.warn(
-                            _(
-                                b'(could not communicate with %s using security '
-                                b'protocols %s; if you are using a modern Mercurial '
-                                b'version, consider contacting the operator of this '
-                                b'server; see '
-                                b'https://mercurial-scm.org/wiki/SecureConnections '
-                                b'for more info)\n'
-                            )
-                            % (
-                                pycompat.bytesurl(serverhostname),
-                                b', '.join(sorted(supportedprotocols)),
-                            )
-                        )
-                    else:
-                        ui.warn(
-                            _(
-                                b'(could not communicate with %s using TLS 1.0; the '
-                                b'likely cause of this is the server no longer '
-                                b'supports TLS 1.0 because it has known security '
-                                b'vulnerabilities; see '
-                                b'https://mercurial-scm.org/wiki/SecureConnections '
-                                b'for more info)\n'
-                            )
-                            % pycompat.bytesurl(serverhostname)
-                        )
-                else:
-                    # We attempted TLS 1.1+. We can only get here if the client
-                    # supports the configured protocol. So the likely reason is
-                    # the client wants better security than the server can
-                    # offer.
-                    ui.warn(
-                        _(
-                            b'(could not negotiate a common security protocol (%s+) '
-                            b'with %s; the likely cause is Mercurial is configured '
-                            b'to be more secure than the server can support)\n'
-                        )
-                        % (
-                            settings[b'protocolui'],
-                            pycompat.bytesurl(serverhostname),
-                        )
+                # We can only get here if the client supports the configured
+                # protocol. So the likely reason is the client wants better
+                # security than the server can offer.
+                ui.warn(
+                    _(
+                        b'(could not negotiate a common security protocol (%s+) '
+                        b'with %s; the likely cause is Mercurial is configured '
+                        b'to be more secure than the server can support)\n'
+                    )
+                    % (
+                        settings[b'protocolui'],
+                        pycompat.bytesurl(serverhostname),
                     )
-                    ui.warn(
-                        _(
-                            b'(consider contacting the operator of this '
-                            b'server and ask them to support modern TLS '
-                            b'protocol versions; or, set '
-                            b'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
-                            b'use of legacy, less secure protocols when '
-                            b'communicating with this server)\n'
-                        )
-                        % pycompat.bytesurl(serverhostname)
+                )
+                ui.warn(
+                    _(
+                        b'(consider contacting the operator of this '
+                        b'server and ask them to support modern TLS '
+                        b'protocol versions; or, set '
+                        b'hostsecurity.%s:minimumprotocol=tls1.0 to allow '
+                        b'use of legacy, less secure protocols when '
+                        b'communicating with this server)\n'
                     )
-                    ui.warn(
-                        _(
-                            b'(see https://mercurial-scm.org/wiki/SecureConnections '
-                            b'for more info)\n'
-                        )
+                    % pycompat.bytesurl(serverhostname)
+                )
+                ui.warn(
+                    _(
+                        b'(see https://mercurial-scm.org/wiki/SecureConnections '
+                        b'for more info)\n'
                     )
+                )
 
             elif e.reason == 'CERTIFICATE_VERIFY_FAILED' and pycompat.iswindows:
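Review bot: the second `ui.warn` in the new branch recommends setting `hostsecurity.%s:minimumprotocol=tls1.0` unconditionally, but when `settings[b'protocolui']` is already `b'tls1.0'` (the case the removed `if settings[b'protocolui'] == b'tls1.0':` branch used to handle) that advice is a no-op, and the first message's stated likely cause ("Mercurial is configured to be more secure than the server can support") does not apply either. Consider guarding the remediation message on `settings[b'protocolui'] != b'tls1.0'`, or wording it so a user whose minimum is already the lowest allowed is told the server is the side that needs attention rather than being pointed at a setting they have already applied. Also, the removed lines were the only use of `supportedprotocols` in this hunk; if nothing else in `wrapsocket` references it after this change, its computation can be dropped in the same patch.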