38 |
38 |
39 configprotocols = { |
39 configprotocols = { |
40 b'tls1.0', |
40 b'tls1.0', |
41 b'tls1.1', |
41 b'tls1.1', |
42 b'tls1.2', |
42 b'tls1.2', |
|
43 b'tls1.3', |
43 } |
44 } |
44 |
45 |
45 hassni = getattr(ssl, 'HAS_SNI', False) |
46 hassni = getattr(ssl, 'HAS_SNI', False) |
46 |
47 |
47 # ssl.HAS_TLSv1* are preferred to check support but they were added in Python |
48 # ssl.HAS_TLSv1* are preferred to check support but they were added in Python |
54 supportedprotocols.add(b'tls1.0') |
55 supportedprotocols.add(b'tls1.0') |
55 if getattr(ssl, 'HAS_TLSv1_1', hasattr(ssl, 'PROTOCOL_TLSv1_1')): |
56 if getattr(ssl, 'HAS_TLSv1_1', hasattr(ssl, 'PROTOCOL_TLSv1_1')): |
56 supportedprotocols.add(b'tls1.1') |
57 supportedprotocols.add(b'tls1.1') |
57 if getattr(ssl, 'HAS_TLSv1_2', hasattr(ssl, 'PROTOCOL_TLSv1_2')): |
58 if getattr(ssl, 'HAS_TLSv1_2', hasattr(ssl, 'PROTOCOL_TLSv1_2')): |
58 supportedprotocols.add(b'tls1.2') |
59 supportedprotocols.add(b'tls1.2') |
|
60 if getattr(ssl, 'HAS_TLSv1_3', False): |
|
61 supportedprotocols.add(b'tls1.3') |
59 |
62 |
60 |
63 |
61 def _hostsettings(ui, hostname): |
64 def _hostsettings(ui, hostname): |
62 """Obtain security settings for a hostname. |
65 """Obtain security settings for a hostname. |
63 |
66 |
305 DeprecationWarning, |
308 DeprecationWarning, |
306 ) |
309 ) |
307 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 |
310 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 |
308 elif minimumprotocol == b'tls1.2': |
311 elif minimumprotocol == b'tls1.2': |
309 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 |
312 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 |
|
313 elif minimumprotocol == b'tls1.3': |
|
314 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_3 |
310 else: |
315 else: |
311 raise error.Abort(_(b'this should not happen')) |
316 raise error.Abort(_(b'this should not happen')) |
312 # Prevent CRIME. |
317 # Prevent CRIME. |
313 # There is no guarantee this attribute is defined on the module. |
318 # There is no guarantee this attribute is defined on the module. |
314 sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
319 sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
543 elif exactprotocol == b'tls1.2': |
548 elif exactprotocol == b'tls1.2': |
544 if b'tls1.2' not in supportedprotocols: |
549 if b'tls1.2' not in supportedprotocols: |
545 raise error.Abort(_(b'TLS 1.2 not supported by this Python')) |
550 raise error.Abort(_(b'TLS 1.2 not supported by this Python')) |
546 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 |
551 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 |
547 sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2 |
552 sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2 |
|
553 elif exactprotocol == b'tls1.3': |
|
554 if b'tls1.3' not in supportedprotocols: |
|
555 raise error.Abort(_(b'TLS 1.3 not supported by this Python')) |
|
556 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_3 |
|
557 sslcontext.maximum_version = ssl.TLSVersion.TLSv1_3 |
548 elif exactprotocol: |
558 elif exactprotocol: |
549 raise error.Abort( |
559 raise error.Abort( |
550 _(b'invalid value for server-insecure-exact-protocol: %s') |
560 _(b'invalid value for server-insecure-exact-protocol: %s') |
551 % exactprotocol |
561 % exactprotocol |
552 ) |
562 ) |