# HG changeset patch
# User Mads Kiilerich <m...@kiilerich.com>
# Date 1679500739 -3600
#      Wed Mar 22 16:58:59 2023 +0100
# Branch stable
# Node ID 7c544bc71aaca594998649ae02d35fb4dd7606b4
# Parent  d641581ee136281971555adc05049b826e995fed
tests: skip test-https.t TLSv1 testing when system doesn't support it

The test failed on Fedora with the default security policy, unless the system
was degraded with:

  # update-crypto-policies --set LEGACY

diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -701,6 +701,14 @@ def has_defaultcacertsloaded():
     return len(ctx.get_ca_certs()) > 0
 
 
+@check("tls1.0", "TLS 1 protocol support")
+def has_tls1_0():
+    import ssl
+
+    ctx = ssl.create_default_context()
+    return ctx.minimum_version <= ssl.TLSVersion.TLSv1
+
+
 @check("tls1.2", "TLS 1.2 protocol support")
 def has_tls1_2():
     from mercurial import sslutil
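Review bot: `ctx.minimum_version <= ssl.TLSVersion.TLSv1` in `has_tls1_0` reads the protocol floor of a default client context, which is not the same as whether a TLS 1.0 handshake can succeed when a test explicitly asks for it. On Python builds whose ssl module itself defaults that floor to TLS 1.2 (3.10 and later, as far as I can tell), the check would return False regardless of the system policy, so the guarded tests would be skipped everywhere without notice. It also relies on `ssl.TLSVersion` and `minimum_version`, which need Python 3.7 or newer; whether hghave still has to run on older interpreters is not visible here. At minimum the function should carry a docstring saying what is measured, e.g. `"""Whether the default SSL context permits TLS 1.0 (reflects Python defaults as well as system crypto policy)."""`.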
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -356,10 +356,12 @@ Start servers running supported TLS vers
 
 Clients talking same TLS versions work
 
+#if tls1.0
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config 
hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
   5fed3813f7f5
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config 
hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
   5fed3813f7f5
+#endif
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id 
https://localhost:$HGPORT2/
   5fed3813f7f5
 
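Review bot: The `#if tls1.0` block here also wraps the `hostsecurity.minimumprotocol=tls1.1` client run against `$HGPORT1`, so the TLS 1.1 case is gated by a check whose name and implementation speak only about TLS 1.0. A host whose floor is exactly TLS 1.1 would skip a test it could run, and a reader of the skip report sees only "TLS 1 protocol support". Either say so in a prose line above the guard, e.g. `TLS 1.0 and 1.1 clients are only tested where the system policy still permits TLS 1.0`, or give the 1.1 case its own check.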
@@ -391,6 +393,8 @@ Clients requiring newer TLS version than
   abort: error: .*(unsupported protocol|wrong ssl version|alert protocol 
version).* (re)
   [100]
 
+#if tls1.0
+
 --insecure will allow TLS 1.0 connections and override configs
 
   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure 
https://localhost:$HGPORT1/
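Review bot: The `#if tls1.0` opened here (closed by the `#endif` in the next hunk) removes the `--insecure` override test and the per-host `minimumprotocol=tls1.0` override test on every host that fails the check, and nothing takes their place. Those are the cases that exercise how hg handles a request to go below the configured minimum, so on hardened systems that behaviour is now unverified. Consider an `#else` branch that at least asserts the connection aborts under the restricted policy; the exact abort text would have to be confirmed on such a system.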
@@ -405,6 +409,8 @@ The per-host config option overrides the
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
   5fed3813f7f5
 
+#endif
+
 The per-host config option by itself works
 
   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
