# HG changeset patch
# User Manuel Jacob <m...@manueljacob.de>
# Date 1590783568 -7200
#      Fri May 29 22:19:28 2020 +0200
# Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
# Parent  13922e383d20ca51752a2c3bd16429a5b0e30397
# EXP-Topic require_modern_ssl
sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -44,13 +44,18 @@ configprotocols = {
 
 hassni = getattr(ssl, 'HAS_SNI', False)
 
-# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
-# against doesn't support them.
-supportedprotocols = {b'tls1.0'}
-if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
-    supportedprotocols.add(b'tls1.1')
-if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
-    supportedprotocols.add(b'tls1.2')
+# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on 2012-03-14.
+# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
+# distributions having Python 2.7.9+ or having backported modern features to
+# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure, we assert
+# that support is actually present.
+assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
+assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
+supportedprotocols = {
+    b'tls1.0',
+    b'tls1.1',
+    b'tls1.2',
+}
 
 
 def _hostsettings(ui, hostname):
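Review bot: The two module-level `assert` statements are stripped when Python runs with `-O`, so in that mode nothing enforces the guarantee described in the comment, and `supportedprotocols` lists `tls1.1` and `tls1.2` whether or not the ssl module exposes them. When the check does fire, the user gets a bare `AssertionError` at import time with no explanation. An explicit check survives optimization and can say what is missing, for example `if not util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):` followed by `raise ImportError('ssl module lacks TLS 1.2 support (OpenSSL 1.0.1+ required)')`, with the same for `PROTOCOL_TLSv1_1`. If the asserts stay, they should at least carry a message string.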
