# HG changeset patch # User Manuel Jacob <m...@manueljacob.de> # Date 1590798598 -7200 # Sat May 30 02:29:58 2020 +0200 # Node ID 10a6978ae2f7de160e1468e5c434421ada5f3567 # Parent 0e08e9113869685dd452056179c05e51c467c348 # EXP-Topic require_modern_ssl sslutil: simplify code, now that `supportedprotocols` is constant
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -93,27 +93,10 @@ def _hostsettings(ui, hostname):
             % b' '.join(sorted(configprotocols)),
         )
 
-    # We default to TLS 1.1+ where we can because TLS 1.0 has known
-    # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
-    # TLS 1.0+ via config options in case a legacy server is encountered.
-    if b'tls1.1' in supportedprotocols:
-        defaultprotocol = b'tls1.1'
-    else:
-        # Let people know they are borderline secure.
-        # We don't document this config option because we want people to see
-        # the bold warnings on the web site.
-        # internal config: hostsecurity.disabletls10warning
-        if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
-            ui.warn(
-                _(
-                    b'warning: connecting to %s using legacy security '
-                    b'technology (TLS 1.0); see '
-                    b'https://mercurial-scm.org/wiki/SecureConnections for '
-                    b'more info\n'
-                )
-                % bhostname
-            )
-        defaultprotocol = b'tls1.0'
+    # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
+    # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
+    # options in case a legacy server is encountered.
+    defaultprotocol = b'tls1.1'
 
     key = b'minimumprotocol'
     protocol = ui.config(b'hostsecurity', key, defaultprotocol)
@@ -262,18 +245,6 @@ def protocolsettings(protocol):
     # only (as opposed to multiple versions). So the method for
     # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
     # disable protocols via SSLContext.options and OP_NO_* constants.
-    if supportedprotocols == {b'tls1.0'}:
-        if protocol != b'tls1.0':
-            raise error.Abort(
-                _(b'current Python does not support protocol setting %s')
-                % protocol,
-                hint=_(
-                    b'upgrade Python or disable setting since '
-                    b'only TLS 1.0 is supported'
-                ),
-            )
-
-        return ssl.PROTOCOL_TLSv1, 0, b'tls1.0'
 
     # SSLv2 and SSLv3 are broken. We ban them outright.
     options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
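Review bot: The rewritten comment and `defaultprotocol = b'tls1.1'` justify stopping at TLS 1.1 solely by TLS 1.0's weaknesses, but TLS 1.1 is deprecated together with TLS 1.0 (RFC 8996) and shares its MD5/SHA-1-based PRF, so the comment should say why 1.2 is not the floor yet — e.g. `# TODO: raise the default to tls1.2 once the supported Python/OpenSSL range guarantees it` — or the series should make that change. POODLE, cited in the same comment, is an SSLv3 attack (only specific TLS implementations were affected), so BEAST alone is the accurate TLS 1.0 example. The removed branch was the only reader in this hunk of the undocumented `hostsecurity.disabletls10warning` option and of `bhostname`; if nothing else in `_hostsettings` uses them, the option is dead (tests and docs mentioning it should be checked) and the `bhostname` assignment above the hunk can go. `_hostsettings` starts before and continues after this hunk.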
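Review bot: Dropping this branch removes the only check inside `protocolsettings` that rejected a `protocol` value the runtime cannot honour, so the rest of the function (below the hunk) now relies entirely on callers having validated `protocol` against `supportedprotocols`; `_hostsettings` appears to do that for configured values, but I cannot confirm the other call sites from this diff. An explicit guard at the top of the function would pin the contract: `if protocol not in supportedprotocols: raise error.Abort(_(b'unsupported protocol %s') % protocol)`. The surviving comment still presents `PROTOCOL_SSLv23` plus `OP_NO_*` as the method for version selection; on Python 3.7+ `SSLContext.minimum_version` is the non-deprecated mechanism, and a `# TODO: switch to minimum_version once the Python floor is >= 3.7` would help whoever raises the floor next. `protocolsettings` begins above the hunk and ends below it.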
@@ -516,12 +487,8 @@ def wrapserversocket(
     if exactprotocol == b'tls1.0':
         protocol = ssl.PROTOCOL_TLSv1
     elif exactprotocol == b'tls1.1':
-        if b'tls1.1' not in supportedprotocols:
-            raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
         protocol = ssl.PROTOCOL_TLSv1_1
     elif exactprotocol == b'tls1.2':
-        if b'tls1.2' not in supportedprotocols:
-            raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
         protocol = ssl.PROTOCOL_TLSv1_2
     elif exactprotocol:
         raise error.Abort(
_______________________________________________ Mercurial-devel mailing list Mercurial-devel@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
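Review bot: With the capability checks gone, the three `exactprotocol` branches differ only in the constant they assign, so the ladder reads better as a lookup: `protocol = _exactprotocols.get(exactprotocol)` over a module-level `{b'tls1.0': ssl.PROTOCOL_TLSv1, b'tls1.1': ssl.PROTOCOL_TLSv1_1, b'tls1.2': ssl.PROTOCOL_TLSv1_2}`, keeping the existing `error.Abort` for an unknown non-empty value. The `b'tls1.0'` branch still pins the server to TLS 1.0 with no warning while the client side now defaults to 1.1; if this knob exists only for tests, a comment on that branch saying so would stop it being treated as a production setting. `ssl.PROTOCOL_TLSv1*` are deprecated since Python 3.6 and emit DeprecationWarning from 3.10, so the lookup is also the natural place to move to `PROTOCOL_TLS_SERVER` with `minimum_version`/`maximum_version` when the Python floor permits. `wrapserversocket` starts above the hunk and continues below it.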