97 % (key, protocol), |
97 % (key, protocol), |
98 hint=_(b'valid protocols: %s') |
98 hint=_(b'valid protocols: %s') |
99 % b' '.join(sorted(configprotocols)), |
99 % b' '.join(sorted(configprotocols)), |
100 ) |
100 ) |
101 |
101 |
102 # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like |
102 # We default to TLS 1.2+ because TLS 1.0 has known vulnerabilities (like |
103 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config |
103 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config |
104 # options in case a legacy server is encountered. |
104 # options in case a legacy server is encountered. |
105 |
105 |
106 # setup.py checks that TLS 1.1 or TLS 1.2 is present, so the following |
106 # setup.py checks that TLS 1.1 or TLS 1.2 is present, so the following |
107 # assert should not fail. |
107 # assert should not fail. |
108 assert supportedprotocols - {b'tls1.0'} |
108 assert supportedprotocols - {b'tls1.0', b'tls1.1'} |
109 defaultminimumprotocol = b'tls1.1' |
109 defaultminimumprotocol = b'tls1.2' |
110 |
110 |
111 key = b'minimumprotocol' |
111 key = b'minimumprotocol' |
112 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) |
112 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) |
113 validateprotocol(minimumprotocol, key) |
113 validateprotocol(minimumprotocol, key) |
114 |
114 |