diff mercurial/sslutil.py @ 29617:2960ceee1948 stable
sslutil: allow TLS 1.0 when --insecure is used
--insecure is our pseudo-supported footgun for disabling connection
security.
The flag already disables CA verification. I think allowing the use of
TLS 1.0 when specified is appropriate.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Tue, 19 Jul 2016 20:16:51 -0700 |
parents | 6cff2ac0ccb9 |
children | fbf4adc0d8f2 |
--- a/mercurial/sslutil.py Tue Jul 19 19:57:34 2016 -0700 +++ b/mercurial/sslutil.py Tue Jul 19 20:16:51 2016 -0700 @@ -181,6 +181,12 @@ protocol = ui.config('hostsecurity', key, protocol) validateprotocol(protocol, key) + # If --insecure is used, we allow the use of TLS 1.0 despite config options. + # We always print a "connection security to %s is disabled..." message when + # --insecure is used. So no need to print anything more here. + if ui.insecureconnections: + protocol = 'tls1.0' + s['protocol'], s['ctxoptions'] = protocolsettings(protocol) ciphers = ui.config('hostsecurity', 'ciphers')
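Review bot: the `protocol = 'tls1.0'` assignment under `if ui.insecureconnections:` runs after `validateprotocol(protocol, key)` and unconditionally replaces whatever the `hostsecurity` lookup returned, so a stricter value the user configured explicitly is discarded along with the default. The added comment relies on the existing "connection security to %s is disabled..." message, but as quoted that message says nothing about the protocol floor. I would extend the comment to say that a configured minimum is intentionally overridden, and document the same in the user-facing description of --insecure. Also worth checking: the trailing context line `ciphers = ui.config('hostsecurity', 'ciphers')` is still read from config after the override, so the flag relaxes the protocol but leaves any configured cipher restriction in place; if that asymmetry is intended, the comment should say so.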