152 _('unsupported protocol from hostsecurity.%s: %s') % |
152 _('unsupported protocol from hostsecurity.%s: %s') % |
153 (key, protocol), |
153 (key, protocol), |
154 hint=_('valid protocols: %s') % |
154 hint=_('valid protocols: %s') % |
155 ' '.join(sorted(configprotocols))) |
155 ' '.join(sorted(configprotocols))) |
156 |
156 |
|
157 # Legacy Python can only do TLS 1.0. We default to TLS 1.1+ where we |
|
158 # can because TLS 1.0 has known vulnerabilities (like BEAST and POODLE). |
|
159 # We allow users to downgrade to TLS 1.0+ via config options in case a |
|
160 # legacy server is encountered. |
|
161 if modernssl: |
|
162 defaultprotocol = 'tls1.1' |
|
163 else: |
|
164 defaultprotocol = 'tls1.0' |
|
165 |
157 key = 'minimumprotocol' |
166 key = 'minimumprotocol' |
158 # Default to TLS 1.0+ as that is what browsers are currently doing. |
167 protocol = ui.config('hostsecurity', key, defaultprotocol) |
159 protocol = ui.config('hostsecurity', key, 'tls1.0') |
|
160 validateprotocol(protocol, key) |
168 validateprotocol(protocol, key) |
161 |
169 |
162 key = '%s:minimumprotocol' % hostname |
170 key = '%s:minimumprotocol' % hostname |
163 protocol = ui.config('hostsecurity', key, protocol) |
171 protocol = ui.config('hostsecurity', key, protocol) |
164 validateprotocol(protocol, key) |
172 validateprotocol(protocol, key) |