equal
deleted
inserted
replaced
75 b'cafile': None, |
75 b'cafile': None, |
76 # Whether certificate verification should be disabled. |
76 # Whether certificate verification should be disabled. |
77 b'disablecertverification': False, |
77 b'disablecertverification': False, |
78 # Whether the legacy [hostfingerprints] section has data for this host. |
78 # Whether the legacy [hostfingerprints] section has data for this host. |
79 b'legacyfingerprint': False, |
79 b'legacyfingerprint': False, |
80 # PROTOCOL_* constant to use for SSLContext.__init__. |
|
81 b'protocol': None, |
|
82 # String representation of minimum protocol to be used for UI |
80 # String representation of minimum protocol to be used for UI |
83 # presentation. |
81 # presentation. |
84 b'minimumprotocol': None, |
82 b'minimumprotocol': None, |
85 # ssl.CERT_* constant used by SSLContext.verify_mode. |
83 # ssl.CERT_* constant used by SSLContext.verify_mode. |
86 b'verifymode': None, |
84 b'verifymode': None, |
87 # Defines extra ssl.OP* bitwise options to set. |
|
88 b'ctxoptions': None, |
|
89 # OpenSSL Cipher List to use (instead of default). |
85 # OpenSSL Cipher List to use (instead of default). |
90 b'ciphers': None, |
86 b'ciphers': None, |
91 } |
87 } |
92 |
88 |
93 # Allow minimum TLS protocol to be specified in the config. |
89 # Allow minimum TLS protocol to be specified in the config. |
122 # --insecure is used. So no need to print anything more here. |
118 # --insecure is used. So no need to print anything more here. |
123 if ui.insecureconnections: |
119 if ui.insecureconnections: |
124 minimumprotocol = b'tls1.0' |
120 minimumprotocol = b'tls1.0' |
125 |
121 |
126 s[b'minimumprotocol'] = minimumprotocol |
122 s[b'minimumprotocol'] = minimumprotocol |
127 s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) |
|
128 |
123 |
129 ciphers = ui.config(b'hostsecurity', b'ciphers') |
124 ciphers = ui.config(b'hostsecurity', b'ciphers') |
130 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
125 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
131 s[b'ciphers'] = ciphers |
126 s[b'ciphers'] = ciphers |
132 |
127 |
224 # is insecure. We allow the connection and abort during |
219 # is insecure. We allow the connection and abort during |
225 # validation (once we have the fingerprint to print to the |
220 # validation (once we have the fingerprint to print to the |
226 # user). |
221 # user). |
227 s[b'verifymode'] = ssl.CERT_NONE |
222 s[b'verifymode'] = ssl.CERT_NONE |
228 |
223 |
229 assert s[b'protocol'] is not None |
|
230 assert s[b'ctxoptions'] is not None |
|
231 assert s[b'verifymode'] is not None |
224 assert s[b'verifymode'] is not None |
232 |
225 |
233 return s |
226 return s |
234 |
227 |
235 |
228 |
319 # have explicit control over CA loading because implicitly loading |
312 # have explicit control over CA loading because implicitly loading |
320 # CAs may undermine the user's intent. For example, a user may define a CA |
313 # CAs may undermine the user's intent. For example, a user may define a CA |
321 # bundle with a specific CA cert removed. If the system/default CA bundle |
314 # bundle with a specific CA cert removed. If the system/default CA bundle |
322 # is loaded and contains that removed CA, you've just undone the user's |
315 # is loaded and contains that removed CA, you've just undone the user's |
323 # choice. |
316 # choice. |
324 sslcontext = ssl.SSLContext(settings[b'protocol']) |
317 protocol, options = protocolsettings(settings[b'minimumprotocol']) |
325 sslcontext.options |= settings[b'ctxoptions'] |
318 sslcontext = ssl.SSLContext(protocol) |
|
319 sslcontext.options |= options |
326 sslcontext.verify_mode = settings[b'verifymode'] |
320 sslcontext.verify_mode = settings[b'verifymode'] |
327 |
321 |
328 if settings[b'ciphers']: |
322 if settings[b'ciphers']: |
329 try: |
323 try: |
330 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) |
324 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) |