comparison mercurial/sslutil.py @ 44957:d61c05450b37

sslutil: properly detect which TLS versions are supported by the ssl module For the record, I contacted the CPython developers to remark that unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is problematic: https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316
author Manuel Jacob <me@manueljacob.de>
date Mon, 01 Jun 2020 03:51:54 +0200
parents 941fef7523c7
children 4ca1110991c4
44956:941fef7523c7 44957:d61c05450b37
42 b'tls1.2', 42 b'tls1.2',
43 } 43 }
44 44
45 hassni = getattr(ssl, 'HAS_SNI', False) 45 hassni = getattr(ssl, 'HAS_SNI', False)
46 46
47 # TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled 47 # ssl.HAS_TLSv1* are preferred to check support but they were added in Python
48 # against doesn't support them. 48 # 3.7. Prior to CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98
49 # FIXME: Since CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98 49 # (backported to the 3.7 branch), ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2
50 # individual TLS versions can be turned on and off, and the 50 # were defined only if compiled against a OpenSSL version with TLS 1.1 / 1.2
51 # ssl.PROTOCOL_TLSv1_* constants are always defined. 51 # support. At the mentioned commit, they were unconditionally defined.
52 # This means that, on unusual configurations, the following dict may contain 52 supportedprotocols = set()
53 # too many entries. A proper fix would be to check ssl.HAS_TLSv* where 53 if getattr(ssl, 'HAS_TLSv1', util.safehasattr(ssl, 'PROTOCOL_TLSv1')):
54 # available (Python 3.7+). Before that, this module should be proofed against 54 supportedprotocols.add(b'tls1.0')
55 # all possible combinations. 55 if getattr(ssl, 'HAS_TLSv1_1', util.safehasattr(ssl, 'PROTOCOL_TLSv1_1')):
56 supportedprotocols = {b'tls1.0'}
57 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
58 supportedprotocols.add(b'tls1.1') 56 supportedprotocols.add(b'tls1.1')
59 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'): 57 if getattr(ssl, 'HAS_TLSv1_2', util.safehasattr(ssl, 'PROTOCOL_TLSv1_2')):
60 supportedprotocols.add(b'tls1.2') 58 supportedprotocols.add(b'tls1.2')
61 59
62 60
63 def _hostsettings(ui, hostname): 61 def _hostsettings(ui, hostname):
64 """Obtain security settings for a hostname. 62 """Obtain security settings for a hostname.
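Review bot: The rewritten block at new lines 52–58 drops the guarantee the old code gave that `b'tls1.0'` is always in `supportedprotocols`: with `ssl.HAS_TLSv1` False (an OpenSSL built without TLS 1.0) the set lacks it, and if all three checks fail the set is empty. The code that consumes this set to validate a configured minimum protocol or to choose a default is outside the hunk, so I cannot tell whether an empty or tls1.0-less set is handled; it should fail closed with a clear error rather than fall through to some other protocol selection. The comment should also say what the flags mean, since `HAS_TLSv1*` report what the linked OpenSSL was compiled with and not its runtime policy, so a version listed here can still be refused at handshake time: `# NOTE: HAS_TLSv1* say what OpenSSL was built with; the system openssl.cnf (MinProtocol, SECLEVEL) may still reject a version listed here.` Minor wording in the new comment: "a OpenSSL version" should read "an OpenSSL version". `_hostsettings` begins at the end of this section and its body continues outside the hunk.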