comparison mercurial/sslutil.py @ 50341:698ffff7024b stable
configitems: make devel.serverexactprotocol look dangerous
Because it is.
author | pacien <pacien.trangirard@pacien.net> |
---|---|
date | Thu, 13 Apr 2023 11:28:48 +0200 |
parents | de2e158c380a |
children | c54e9bb5737e |
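--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -551,11 +551,11 @@
 sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
 
 # This config option is intended for use in tests only. It is a giant
 # footgun to kill security. Don't define it.
-exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
 if exactprotocol == b'tls1.0':
 if b'tls1.0' not in supportedprotocols:
 raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
 with warnings.catch_warnings():
 warnings.filterwarnings(
@@ -581,22 +581,23 @@
 raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
 sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
 sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
 elif exactprotocol:
 raise error.Abort(
-_(b'invalid value for serverexactprotocol: %s') % exactprotocol
+_(b'invalid value for server-insecure-exact-protocol: %s')
+% exactprotocol
 )
 else:
 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
 # ends support, including TLS protocols. commonssloptions() restricts the
 # set of allowed protocols.
 protocol = ssl.PROTOCOL_SSLv23
 options = commonssloptions(b'tls1.0')
 
 # This config option is intended for use in tests only. It is a giant
 # footgun to kill security. Don't define it.
-exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
 if exactprotocol == b'tls1.0':
 if b'tls1.0' not in supportedprotocols:
 raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1
 elif exactprotocol == b'tls1.1':
@@ -607,11 +608,12 @@
 if b'tls1.2' not in supportedprotocols:
 raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_2
 elif exactprotocol:
 raise error.Abort(
-_(b'invalid value for serverexactprotocol: %s') % exactprotocol
+_(b'invalid value for server-insecure-exact-protocol: %s')
+% exactprotocol
 )
 
 # We /could/ use create_default_context() here since it doesn't load
 # CAs when configured for client auth. However, it is hard-coded to
 # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.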
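Review bot: The new key literal `b'server-insecure-exact-protocol'` is now spelled out in four places (the two `ui.config` reads at new lines 556 and 598 and the two Abort messages at new lines 586 and 613), so a future rename that misses one read would be silent, because `ui.config` returns None for an unknown key and the code then falls through to the default protocol selection. A single module-level constant, e.g. `_EXACT_PROTOCOL_KEY = b'server-insecure-exact-protocol'`, used for both lookups and both messages would keep the name and the error text in step. Worth noting that an hgrc still carrying the old `devel.serverexactprotocol` name is now silently ignored rather than rejected; that fails safe, since the hardened default then applies, but a test that depended on it would pass for the wrong reason, and I cannot tell from this hunk whether configitems flags unknown devel options. The enclosing function starts and ends outside the hunk.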