mercurial/sslutil.py
changeset 49055 50bd2910d162
parent 49054 5144d3579a9c
child 49057 27ef2aa953dd
49054:5144d3579a9c 49055:50bd2910d162
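--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -111,20 +111,22 @@
 
     key = b'%s:minimumprotocol' % bhostname
     minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)
     validateprotocol(minimumprotocol, key)
 
+    ciphers = ui.config(b'hostsecurity', b'ciphers')
+    ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
+
     # If --insecure is used, we allow the use of TLS 1.0 despite config options.
     # We always print a "connection security to %s is disabled..." message when
     # --insecure is used. So no need to print anything more here.
     if ui.insecureconnections:
         minimumprotocol = b'tls1.0'
+        if not ciphers:
+            ciphers = b'DEFAULT'
 
     s[b'minimumprotocol'] = minimumprotocol
-
-    ciphers = ui.config(b'hostsecurity', b'ciphers')
-    ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
     s[b'ciphers'] = ciphers
 
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
     fingerprints = ui.configlist(
@@ -615,12 +617,15 @@
 
     # Improve forward secrecy.
     sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
     sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
 
-    # Use the list of more secure ciphers if found in the ssl module.
-    if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+    # In tests, allow insecure ciphers
+    # Otherwise, use the list of more secure ciphers if found in the ssl module.
+    if exactprotocol:
+        sslcontext.set_ciphers('DEFAULT')
+    elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
         # pytype: disable=module-attr
         sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
         # pytype: enable=module-attr
 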
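Review bot: The comment `# In tests, allow insecure ciphers` at new line 622 does not match its guard: the branch runs whenever `exactprotocol` is truthy, which is a parameter of the enclosing function rather than a test-only switch, so any caller that passes an exact protocol gets OpenSSL's `DEFAULT` cipher list and, because the restricted list now sits in an `elif`, also loses `OP_CIPHER_SERVER_PREFERENCE`. I would state the real condition and its effect, e.g. `# When an exact protocol is requested (the test suite does this), fall back to OpenSSL's DEFAULT cipher list and skip server cipher preference.` The same understatement appears in the first hunk, where the `--insecure` comment still mentions only TLS 1.0 although the new `if not ciphers: ciphers = b'DEFAULT'` fallback also widens the cipher suite; extend it to `# If --insecure is used, we allow TLS 1.0 and the DEFAULT cipher list despite config options.` The function enclosing the second hunk starts and ends outside the hunk, so where `exactprotocol` comes from cannot be confirmed here.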