mercurial-scm/hg: mercurial/sslutil.py comparison

sslutil: remove dead code (that downgraded default minimum TLS version) We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.

author	Manuel Jacob <me@manueljacob.de>
date	Sun, 31 May 2020 22:15:35 +0200
parents	39c598f1c774
children	941fef7523c7

comparison

equal deleted inserted replaced

-:39c598f1c774
+:5921dc0d5c3a
 % (key, protocol),
 hint=_(b'valid protocols: %s')
 % b' '.join(sorted(configprotocols)),
 )
-# We default to TLS 1.1+ where we can because TLS 1.0 has known
+# We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
-# vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
+# BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
-# TLS 1.0+ via config options in case a legacy server is encountered.
+# options in case a legacy server is encountered.
-if supportedprotocols - {b'tls1.0'}:
-defaultminimumprotocol = b'tls1.1'
+# setup.py checks that either TLS 1.1 or TLS 1.2 is present, so the
-else:
+# following assert should not fail.
-# Let people know they are borderline secure.
+assert supportedprotocols - {b'tls1.0'}
-# We don't document this config option because we want people to see
+defaultminimumprotocol = b'tls1.1'
-# the bold warnings on the web site.
-# internal config: hostsecurity.disabletls10warning
-if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
-ui.warn(
-_(
-b'warning: connecting to %s using legacy security '
-b'technology (TLS 1.0); see '
-b'https://mercurial-scm.org/wiki/SecureConnections for '
-b'more info\n'
-)
-% bhostname
-)
-defaultminimumprotocol = b'tls1.0'
 key = b'minimumprotocol'
 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol)
 validateprotocol(minimumprotocol, key)

Mercurial > public > mercurial-scm > hg