79 b'legacyfingerprint': False, |
79 b'legacyfingerprint': False, |
80 # PROTOCOL_* constant to use for SSLContext.__init__. |
80 # PROTOCOL_* constant to use for SSLContext.__init__. |
81 b'protocol': None, |
81 b'protocol': None, |
82 # String representation of minimum protocol to be used for UI |
82 # String representation of minimum protocol to be used for UI |
83 # presentation. |
83 # presentation. |
84 b'minimumprotocolui': None, |
84 b'minimumprotocol': None, |
85 # ssl.CERT_* constant used by SSLContext.verify_mode. |
85 # ssl.CERT_* constant used by SSLContext.verify_mode. |
86 b'verifymode': None, |
86 b'verifymode': None, |
87 # Defines extra ssl.OP* bitwise options to set. |
87 # Defines extra ssl.OP* bitwise options to set. |
88 b'ctxoptions': None, |
88 b'ctxoptions': None, |
89 # OpenSSL Cipher List to use (instead of default). |
89 # OpenSSL Cipher List to use (instead of default). |
121 # We always print a "connection security to %s is disabled..." message when |
121 # We always print a "connection security to %s is disabled..." message when |
122 # --insecure is used. So no need to print anything more here. |
122 # --insecure is used. So no need to print anything more here. |
123 if ui.insecureconnections: |
123 if ui.insecureconnections: |
124 minimumprotocol = b'tls1.0' |
124 minimumprotocol = b'tls1.0' |
125 |
125 |
126 s[b'minimumprotocolui'] = minimumprotocol |
126 s[b'minimumprotocol'] = minimumprotocol |
127 s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) |
127 s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) |
128 |
128 |
129 ciphers = ui.config(b'hostsecurity', b'ciphers') |
129 ciphers = ui.config(b'hostsecurity', b'ciphers') |
130 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
130 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
131 s[b'ciphers'] = ciphers |
131 s[b'ciphers'] = ciphers |
400 # outright. Hopefully the reason for this error is that we require |
400 # outright. Hopefully the reason for this error is that we require |
401 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the |
401 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the |
402 # reason, try to emit an actionable warning. |
402 # reason, try to emit an actionable warning. |
403 if e.reason == 'UNSUPPORTED_PROTOCOL': |
403 if e.reason == 'UNSUPPORTED_PROTOCOL': |
404 # We attempted TLS 1.0+. |
404 # We attempted TLS 1.0+. |
405 if settings[b'minimumprotocolui'] == b'tls1.0': |
405 if settings[b'minimumprotocol'] == b'tls1.0': |
406 # We support more than just TLS 1.0+. If this happens, |
406 # We support more than just TLS 1.0+. If this happens, |
407 # the likely scenario is either the client or the server |
407 # the likely scenario is either the client or the server |
408 # is really old. (e.g. server doesn't support TLS 1.0+ or |
408 # is really old. (e.g. server doesn't support TLS 1.0+ or |
409 # client doesn't support modern TLS versions introduced |
409 # client doesn't support modern TLS versions introduced |
410 # several years from when this comment was written). |
410 # several years from when this comment was written). |
445 b'(could not negotiate a common security protocol (%s+) ' |
445 b'(could not negotiate a common security protocol (%s+) ' |
446 b'with %s; the likely cause is Mercurial is configured ' |
446 b'with %s; the likely cause is Mercurial is configured ' |
447 b'to be more secure than the server can support)\n' |
447 b'to be more secure than the server can support)\n' |
448 ) |
448 ) |
449 % ( |
449 % ( |
450 settings[b'minimumprotocolui'], |
450 settings[b'minimumprotocol'], |
451 pycompat.bytesurl(serverhostname), |
451 pycompat.bytesurl(serverhostname), |
452 ) |
452 ) |
453 ) |
453 ) |
454 ui.warn( |
454 ui.warn( |
455 _( |
455 _( |