Patchwork [Bug,6645] New: test-https.t: compatibility warnings break test

login
register
mail settings
Submitter mercurial-bugs@mercurial-scm.org
Date Feb. 15, 2022, 9:54 a.m.
Message ID <bug-6645-285@https.bz.mercurial-scm.org/>
Download mbox | patch
Permalink /patch/50517/
State New
Headers show

Comments

mercurial-bugs@mercurial-scm.org - Feb. 15, 2022, 9:54 a.m.
https://bz.mercurial-scm.org/show_bug.cgi?id=6645

            Bug ID: 6645
           Summary: test-https.t: compatibility warnings break test
           Product: Mercurial
           Version: 6.0.2
          Hardware: All
                OS: NetBSD
            Status: UNCONFIRMED
          Severity: bug
          Priority: wish
         Component: Mercurial
          Assignee: bugzilla@mercurial-scm.org
          Reporter: tk@giga.or.at
                CC: mercurial-devel@mercurial-scm.org
    Python Version: ---

In 6.0.2 with python 3.10 on NetBSD, the test test-https.t fails with:

 cacert not found
@@ -50,6 +52,10 @@

 #if no-defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   (an attempt was made to load CA certificates but none were loaded; see
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial
to avoid this error)
   abort: error: *certificate verify failed* (glob)
   [100]
@@ -73,6 +79,10 @@

   $ echo baddata > badca.pem
   $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone
https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error loading CA file badca.pem: * (glob)
   (file is empty or malformed?)
   [255]
@@ -81,14 +91,22 @@

 (modern ssl is able to discern whether the loaded cert is a CA cert)
   $ hg --config
hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone
https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+  (the full certificate chain may not be available locally; see "hg help
debugssl") (windows !)
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   (an attempt was made to load CA certificates but none were loaded; see
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial
to avoid this error)
-  (the full certificate chain may not be available locally; see "hg help
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [100]

 A per-host certificate matching the server's cert will be accepted

   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem"
clone -U https://localhost:$HGPORT/ perhostgood1
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   requesting all changes
   adding changesets
   adding manifests
@@ -100,6 +118,10 @@

   $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
   $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U
https://localhost:$HGPORT/ perhostgood2
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   requesting all changes
   adding changesets
   adding manifests
@@ -111,6 +133,10 @@

   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem"
--config
hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
clone -U https://localhost:$HGPORT/ caandfingerwarning
   (hostsecurity.localhost:verifycertsfile ignored when host fingerprints
defined; using host fingerprints for verification)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   requesting all changes
   adding changesets
   adding manifests
@@ -123,11 +149,17 @@
 Inability to verify peer certificate will result in abort

   $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: unable to verify security of localhost (no loaded CA certificates);
refusing to connect
   (see https://mercurial-scm.org/wiki/SecureConnections for how to configure
Mercurial to avoid this error or set
hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
to trust this server)
   [150]

   $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
   requesting all changes
   adding changesets
@@ -158,12 +190,18 @@
   > EOF
   $ hg pull $DISABLECACERTS
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: unable to verify security of localhost (no loaded CA certificates);
refusing to connect
   (see https://mercurial-scm.org/wiki/SecureConnections for how to configure
Mercurial to avoid this error or set
hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
to trust this server)
   [150]

   $ hg pull --insecure
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
   searching for changes
   adding changesets
@@ -191,6 +229,10 @@
   $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
   $ hg -R copy-pull pull
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   searching for changes
   no changes found
   $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
@@ -202,10 +244,16 @@
   $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
   $ P="$CERTSDIR" hg -R copy-pull pull
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   searching for changes
   no changes found
   $ P="$CERTSDIR" hg -R copy-pull pull --insecure
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
   searching for changes
   no changes found
@@ -216,6 +264,10 @@

   $ hg --config web.cacerts=emptycafile -R copy-pull pull
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error loading CA file emptycafile: * (glob)
   (file is empty or malformed?)
   [255]
@@ -225,23 +277,35 @@
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
   > https://$LOCALIP:$HGPORT/
   pulling from https://*:$HGPORT/ (glob)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: $LOCALIP certificate error: certificate is for localhost (glob)
   (set
hostsecurity.$LOCALIP:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
config setting or use --insecure to connect insecurely)
   [150]
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
   > https://$LOCALIP:$HGPORT/ --insecure
   pulling from https://*:$HGPORT/ (glob)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   warning: connection security to $LOCALIP is disabled per current settings;
communication is susceptible to eavesdropping and tampering (glob)
   searching for changes
   no changes found
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
   pulling from https://localhost:$HGPORT/
   (the full certificate chain may not be available locally; see "hg help
debugssl") (windows !)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error: *certificate verify failed* (glob)
   [100]
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
   > --insecure
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
   searching for changes
   no changes found
@@ -249,32 +313,52 @@
 Test server cert which isn't valid yet

   $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid
--certificate=server-not-yet.pem
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat hg1.pid >> $DAEMON_PIDS
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
   > https://localhost:$HGPORT1/
   pulling from https://localhost:$HGPORT1/
   (the full certificate chain may not be available locally; see "hg help
debugssl") (windows !)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error: *certificate verify failed* (glob)
   [100]

 Test server cert which no longer is valid

   $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid
--certificate=server-expired.pem
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat hg2.pid >> $DAEMON_PIDS
   $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
   > https://localhost:$HGPORT2/
   pulling from https://localhost:$HGPORT2/
   (the full certificate chain may not be available locally; see "hg help
debugssl") (windows !)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error: *certificate verify failed* (glob)
   [100]

 Setting ciphers to an invalid value aborts
   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id
https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: could not set ciphers: No cipher can be selected.
   (change cipher string (invalid) in config)
   [255]

   $ P="$CERTSDIR" hg --config hostsecurity.localhost:ciphers=invalid -R
copy-pull id https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: could not set ciphers: No cipher can be selected.
   (change cipher string (invalid) in config)
   [255]
@@ -282,52 +366,88 @@
 Changing the cipher string works

   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=HIGH -R copy-pull id
https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   5fed3813f7f5

 Fingerprints

 - works without cacerts (hostfingerprints)
   $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config
hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section;
if you trust this fingerprint, remove the old SHA-1 fingerprint from
[hostfingerprints] and add the following entry to the new [hostsecurity]
section:
localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5

 - works without cacerts (hostsecurity)
   $ hg -R copy-pull id https://localhost:$HGPORT/ --config
hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   5fed3813f7f5

   $ hg -R copy-pull id https://localhost:$HGPORT/ --config
hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   5fed3813f7f5

 - multiple fingerprints specified and first matches
   $ hg --config
'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03,
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
https://localhost:$HGPORT/ --insecure
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section;
if you trust this fingerprint, remove the old SHA-1 fingerprint from
[hostfingerprints] and add the following entry to the new [hostsecurity]
section:
localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5

   $ hg --config
'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03,
sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   5fed3813f7f5

 - multiple fingerprints specified and last matches
   $ hg --config
'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id
https://localhost:$HGPORT/ --insecure
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section;
if you trust this fingerprint, remove the old SHA-1 fingerprint from
[hostfingerprints] and add the following entry to the new [hostsecurity]
section:
localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5

   $ hg --config
'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id
https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   5fed3813f7f5

 - multiple fingerprints specified and none match

   $ hg --config
'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
https://localhost:$HGPORT/ --insecure
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   abort: certificate for localhost has unexpected fingerprint
ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
   (check hostfingerprint configuration)
   [150]

   $ hg --config
'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id
https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: certificate for localhost has unexpected fingerprint
sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
   (check hostsecurity configuration)
   [150]

 - fails when cert doesn't match hostname (port is ignored)
   $ hg -R copy-pull id https://localhost:$HGPORT1/ --config
hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: certificate for localhost has unexpected fingerprint
f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
   (check hostfingerprint configuration)
   [150]
@@ -335,6 +455,10 @@

 - ignores that certificate doesn't match hostname
   $ hg -R copy-pull id https://$LOCALIP:$HGPORT/ --config
hostfingerprints.$LOCALIP=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   (SHA-1 fingerprint for $LOCALIP found in legacy [hostfingerprints] section;
if you trust this fingerprint, remove the old SHA-1 fingerprint from
[hostfingerprints] and add the following entry to the new [hostsecurity]
section:
$LOCALIP:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   5fed3813f7f5

@@ -350,73 +474,101 @@
   $ cd test
   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
   > --config devel.serverexactprotocol=tls1.0
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLSv1 is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat ../hg0.pid >> $DAEMON_PIDS
   $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
   > --config devel.serverexactprotocol=tls1.1
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLSv1_1 is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat ../hg1.pid >> $DAEMON_PIDS
   $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
   > --config devel.serverexactprotocol=tls1.2
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLSv1_2 is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat ../hg2.pid >> $DAEMON_PIDS
   $ cd ..

 Clients talking same TLS versions work

   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id
https://localhost:$HGPORT/
-  5fed3813f7f5
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
+  [100]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id
https://localhost:$HGPORT1/
-  5fed3813f7f5
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
+  [100]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id
https://localhost:$HGPORT2/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   5fed3813f7f5

 Clients requiring newer TLS version than what server supports fail

   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
-  (could not negotiate a common security protocol (tls1.1+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
-  (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
-  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
   [100]

   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id
https://localhost:$HGPORT/
-  (could not negotiate a common security protocol (tls1.1+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
-  (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
-  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
   [100]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id
https://localhost:$HGPORT/
-  (could not negotiate a common security protocol (tls1.2+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
-  (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
-  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
   [100]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id
https://localhost:$HGPORT1/
-  (could not negotiate a common security protocol (tls1.2+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
-  (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
-  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
   [100]

 --insecure will allow TLS 1.0 connections and override configs

   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure
https://localhost:$HGPORT1/
-  warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
-  5fed3813f7f5
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
+  [100]

 The per-host config option overrides the default

   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
   > --config hostsecurity.minimumprotocol=tls1.2 \
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
-  5fed3813f7f5
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
+  [100]

 The per-host config option by itself works

   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
   > --config hostsecurity.localhost:minimumprotocol=tls1.2
-  (could not negotiate a common security protocol (tls1.2+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
-  (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
-  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
   [100]

 .hg/hgrc file [hostsecurity] settings are applied to remote ui instances
(issue5305)
@@ -426,10 +578,11 @@
   > localhost:minimumprotocol=tls1.2
   > EOF
   $ P="$CERTSDIR" hg -R copy-pull id https://localhost:$HGPORT/
-  (could not negotiate a common security protocol (tls1.2+) with localhost;
the likely cause is Mercurial is configured to be more secure than the server
can support)
-  (consider contacting the operator of this server and ask them to support
modern TLS protocol versions; or, set
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less
secure protocols when communicating with this server)
-  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
-  abort: error: .*(unsupported protocol|wrong ssl version).* (re)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
+  abort: error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake
failure (_ssl.c:997)
   [100]

   $ killdaemons.py hg0.pid
@@ -440,8 +593,12 @@
 Prepare for connecting through proxy

   $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat hg0.pid >> $DAEMON_PIDS
   $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid
--certificate=server-expired.pem
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat hg2.pid >> $DAEMON_PIDS
 tinyproxy.py doesn't fully detach, so killing it may result in extra output
 from the shell. So don't kill it.
@@ -458,6 +615,8 @@

   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
   warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
   searching for changes
   no changes found
@@ -467,10 +626,18 @@
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
   > --config web.cacerts="$CERTSDIR/pub.pem"
   pulling from https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   searching for changes
   no changes found
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull
https://localhost:$HGPORT/ --config
hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 --trace
   pulling from https://*:$HGPORT/ (glob)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   (SHA-1 fingerprint for localhost found in legacy [hostfingerprints] section;
if you trust this fingerprint, remove the old SHA-1 fingerprint from
[hostfingerprints] and add the following entry to the new [hostsecurity]
section:
localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e)
   searching for changes
   no changes found
@@ -481,12 +648,20 @@
   > --config web.cacerts="$CERTSDIR/pub-other.pem"
   pulling from https://localhost:$HGPORT/
   (the full certificate chain may not be available locally; see "hg help
debugssl") (windows !)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error: *certificate verify failed* (glob)
   [100]
   $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
   > --config web.cacerts="$CERTSDIR/pub-expired.pem"
https://localhost:$HGPORT2/
   pulling from https://localhost:$HGPORT2/
   (the full certificate chain may not be available locally; see "hg help
debugssl") (windows !)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error: *certificate verify failed* (glob)
   [100]

@@ -511,12 +686,18 @@

   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
   > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat ../hg0.pid >> $DAEMON_PIDS
   $ cd ..

 without client certificate:

   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error: .*(\$ECONNRESET\$|certificate required|handshake failure).*
(re)
   [100]

@@ -531,13 +712,25 @@

   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
   > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   5fed3813f7f5

   $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
   > --config ui.interactive=True --config ui.nontty=True
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   passphrase for */client-key.pem: 5fed3813f7f5 (glob)

   $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:310:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:311:
DeprecationWarning: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
+    sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
   abort: error: * (glob)
   [100]


ERROR: test-https.t output changed

Patch

--- /scratch/devel/py-mercurial/work/mercurial-6.0.2/tests/test-https.t
+++ /scratch/devel/py-mercurial/work/mercurial-6.0.2/tests/test-https.t.err
@@ -29,6 +29,8 @@ 
   adding foo.d/baR.d.hg/bAR
   adding foo.d/foo
   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
+  /tmp/hgtests.2d_twpz0/install/lib/python/mercurial/sslutil.py:536:
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
+    sslcontext = ssl.SSLContext(protocol)
   $ cat ../hg0.pid >> $DAEMON_PIDS