comparison mercurial/sslutil.py @ 23069:22db405536be stable

sslutil: only support TLS (BC) In light of the POODLE[0] attack on SSLv3, let's just drop the ability to use anything older than TLSv1 entirely. This only fixes the client side. Another commit will fix the server side. There are still a few SSLv[23] constants hiding in httpclient, but I'll fix those separately upstream and import them when we're not in a code freeze. 0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
author Augie Fackler <raf@durin42.com>
date Tue, 21 Oct 2014 17:01:23 -0400
parents 2cd3fa4412dc
children bf07c19b4c82
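--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -12,11 +12,10 @@
 from mercurial.i18n import _
 try:
 # avoid using deprecated/broken FakeSocket in python 2.6
 import ssl
 CERT_REQUIRED = ssl.CERT_REQUIRED
-PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
 cert_reqs=ssl.CERT_NONE, ca_certs=None):
 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
 cert_reqs=cert_reqs, ca_certs=ca_certs,
@@ -27,11 +26,10 @@
 raise util.Abort(_('ssl connection failed'))
 return sslsocket
 except ImportError:
 CERT_REQUIRED = 2
 
-PROTOCOL_SSLv23 = 2
 PROTOCOL_TLSv1 = 3
 
 import socket, httplib
 
 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
@@ -101,16 +99,11 @@
 exe = (sys.executable or '').lower()
 return (exe.startswith('/usr/bin/python') or
 exe.startswith('/system/library/frameworks/python.framework/'))
 
 def sslkwargs(ui, host):
-forcetls = ui.configbool('ui', 'tls', default=True)
-if forcetls:
-ssl_version = PROTOCOL_TLSv1
-else:
-ssl_version = PROTOCOL_SSLv23
-kws = {'ssl_version': ssl_version,
+kws = {'ssl_version': PROTOCOL_TLSv1,
 }
 hostfingerprint = ui.config('hostfingerprints', host)
 if hostfingerprint:
 return kws
 cacerts = ui.config('web', 'cacerts')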
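Review bot: Hard-coding `'ssl_version': PROTOCOL_TLSv1` in `sslkwargs` (and the matching defaults on both `ssl_wrap_socket` signatures) caps the client at TLS 1.0 rather than "TLS 1.0 or newer" — per the `ssl` module documentation that constant selects exactly that version, so a server that prefers or later requires TLS 1.1/1.2 cannot be negotiated with, which trades the SSLv3 exposure for a downgrade ceiling. Where `ssl.SSLContext` exists, the usual way to drop SSLv3 without capping the version is `ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)` followed by `ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`, keeping `PROTOCOL_TLSv1` only as the fallback for interpreters that lack `SSLContext`; whether the supported Python range permits that is not visible here. Dropping the `ui.tls` lookup also means a user who still has `ui.tls=false` configured is silently ignored rather than told the option no longer exists, so a one-time `ui.warn` for the stale setting may be worth adding. `sslkwargs` continues past the end of this hunk, and the body of the fallback `ssl_wrap_socket` in the `except ImportError` branch is outside the hunk entirely.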