Mercurial > public > mercurial-scm > hg-stable
diff mercurial/sslutil.py @ 29577:9654ef41f7cc
sslutil: support defining cipher list
Python 2.7 supports specifying a custom cipher list to TLS sockets.
Advanced users may wish to specify a custom cipher list to increase
security. Or in some cases they may wish to prefer weaker ciphers
in order to increase performance (e.g. when doing stream clones
of very large repositories).
This patch introduces a [hostsecurity] config option for defining
the cipher list. The help documentation states that it is for
advanced users only.
Honestly, I'm a bit on the fence about providing this because
it is a footgun and can be used to decrease security. However,
there are legitimate use cases for it, so I think support should
be provided.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Sun, 17 Jul 2016 10:59:32 -0700 |
parents | 1a782fabf80d |
children | 4a4b8d3b4e43 |
line wrap: on
line diff
--- a/mercurial/sslutil.py Sun Jul 17 10:50:51 2016 -0700 +++ b/mercurial/sslutil.py Sun Jul 17 10:59:32 2016 -0700 @@ -84,7 +84,11 @@ def set_ciphers(self, ciphers): if not self._supportsciphers: - raise error.Abort(_('setting ciphers not supported')) + raise error.Abort(_('setting ciphers in [hostsecurity] is not ' + 'supported by this version of Python'), + hint=_('remove the config option or run ' + 'Mercurial with a modern Python ' + 'version (preferred)')) self._ciphers = ciphers @@ -131,6 +135,8 @@ 'verifymode': None, # Defines extra ssl.OP* bitwise options to set. 'ctxoptions': None, + # OpenSSL Cipher List to use (instead of default). + 'ciphers': None, } # Despite its name, PROTOCOL_SSLv23 selects the highest protocol @@ -183,6 +189,10 @@ s['protocol'], s['ctxoptions'] = protocolsettings(protocol) + ciphers = ui.config('hostsecurity', 'ciphers') + ciphers = ui.config('hostsecurity', '%s:ciphers' % hostname, ciphers) + s['ciphers'] = ciphers + # Look for fingerprints in [hostsecurity] section. Value is a list # of <alg>:<fingerprint> strings. fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, @@ -347,6 +357,14 @@ # This still works on our fake SSLContext. sslcontext.verify_mode = settings['verifymode'] + if settings['ciphers']: + try: + sslcontext.set_ciphers(settings['ciphers']) + except ssl.SSLError as e: + raise error.Abort(_('could not set ciphers: %s') % e.args[0], + hint=_('change cipher string (%s) in config') % + settings['ciphers']) + if certfile is not None: def password(): f = keyfile or certfile