Mercurial > public > mercurial-scm > hg
comparison mercurial/sslutil.py @ 49055:50bd2910d162
sslutil: be less strict about which ciphers are allowed when using --insecure
Python 3.10 restricted which ciphers are enabled by default, leading to
no available ciphers for TLS < 1.2. When using the --insecure flag we
allow old TLS, so also adjust the cipher list to give connections a
chance to work.
On the server side, also loosen the cipher selection in tests (when
using the devel.serverexactprotocol option).
Differential Revision: https://phab.mercurial-scm.org/D12489
| author | Julien Cristau <jcristau@debian.org> |
|---|---|
| date | Sat, 09 Apr 2022 14:23:52 +0200 |
| parents | 5144d3579a9c |
| children | 27ef2aa953dd |
comparison
equal
deleted
inserted
replaced
| 49054:5144d3579a9c | 49055:50bd2910d162 |
|---|---|
| 111 | 111 |
| 112 key = b'%s:minimumprotocol' % bhostname | 112 key = b'%s:minimumprotocol' % bhostname |
| 113 minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) | 113 minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) |
| 114 validateprotocol(minimumprotocol, key) | 114 validateprotocol(minimumprotocol, key) |
| 115 | 115 |
| 116 ciphers = ui.config(b'hostsecurity', b'ciphers') | |
| 117 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) | |
| 118 | |
| 116 # If --insecure is used, we allow the use of TLS 1.0 despite config options. | 119 # If --insecure is used, we allow the use of TLS 1.0 despite config options. |
| 117 # We always print a "connection security to %s is disabled..." message when | 120 # We always print a "connection security to %s is disabled..." message when |
| 118 # --insecure is used. So no need to print anything more here. | 121 # --insecure is used. So no need to print anything more here. |
| 119 if ui.insecureconnections: | 122 if ui.insecureconnections: |
| 120 minimumprotocol = b'tls1.0' | 123 minimumprotocol = b'tls1.0' |
| 124 if not ciphers: | |
| 125 ciphers = b'DEFAULT' | |
| 121 | 126 |
| 122 s[b'minimumprotocol'] = minimumprotocol | 127 s[b'minimumprotocol'] = minimumprotocol |
| 123 | |
| 124 ciphers = ui.config(b'hostsecurity', b'ciphers') | |
| 125 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) | |
| 126 s[b'ciphers'] = ciphers | 128 s[b'ciphers'] = ciphers |
| 127 | 129 |
| 128 # Look for fingerprints in [hostsecurity] section. Value is a list | 130 # Look for fingerprints in [hostsecurity] section. Value is a list |
| 129 # of <alg>:<fingerprint> strings. | 131 # of <alg>:<fingerprint> strings. |
| 130 fingerprints = ui.configlist( | 132 fingerprints = ui.configlist( |
| 615 | 617 |
| 616 # Improve forward secrecy. | 618 # Improve forward secrecy. |
| 617 sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) | 619 sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) |
| 618 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) | 620 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) |
| 619 | 621 |
| 620 # Use the list of more secure ciphers if found in the ssl module. | 622 # In tests, allow insecure ciphers |
| 621 if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): | 623 # Otherwise, use the list of more secure ciphers if found in the ssl module. |
| 624 if exactprotocol: | |
| 625 sslcontext.set_ciphers('DEFAULT') | |
| 626 elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): | |
| 622 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) | 627 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) |
| 623 # pytype: disable=module-attr | 628 # pytype: disable=module-attr |
| 624 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) | 629 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) |
| 625 # pytype: enable=module-attr | 630 # pytype: enable=module-attr |
| 626 | 631 |