mercurial/sslutil.py
branchstable
changeset 50341 698ffff7024b
parent 49383 de2e158c380a
child 50342 c54e9bb5737e
50340:9f33d12f6f48 50341:698ffff7024b
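--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -551,11 +551,11 @@
         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
         sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
 
         # This config option is intended for use in tests only. It is a giant
         # footgun to kill security. Don't define it.
-        exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+        exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
         if exactprotocol == b'tls1.0':
             if b'tls1.0' not in supportedprotocols:
                 raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
             with warnings.catch_warnings():
                 warnings.filterwarnings(
@@ -581,22 +581,23 @@
                 raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
             sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
             sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
         elif exactprotocol:
             raise error.Abort(
-                _(b'invalid value for serverexactprotocol: %s') % exactprotocol
+                _(b'invalid value for server-insecure-exact-protocol: %s')
+                % exactprotocol
             )
     else:
         # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
         # ends support, including TLS protocols. commonssloptions() restricts the
         # set of allowed protocols.
         protocol = ssl.PROTOCOL_SSLv23
         options = commonssloptions(b'tls1.0')
 
         # This config option is intended for use in tests only. It is a giant
         # footgun to kill security. Don't define it.
-        exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+        exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
         if exactprotocol == b'tls1.0':
             if b'tls1.0' not in supportedprotocols:
                 raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
             protocol = ssl.PROTOCOL_TLSv1
         elif exactprotocol == b'tls1.1':
@@ -607,11 +608,12 @@
             if b'tls1.2' not in supportedprotocols:
                 raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
             protocol = ssl.PROTOCOL_TLSv1_2
         elif exactprotocol:
             raise error.Abort(
-                _(b'invalid value for serverexactprotocol: %s') % exactprotocol
+                _(b'invalid value for server-insecure-exact-protocol: %s')
+                % exactprotocol
             )
 
         # We /could/ use create_default_context() here since it doesn't load
         # CAs when configured for client auth. However, it is hard-coded to
         # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.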
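Review bot: After the rename at new lines 556 and 598, a configuration that still sets the old `devel.serverexactprotocol` name is silently ignored rather than rejected, so a test that relies on pinning the protocol would keep passing against the default (secure) configuration without anyone noticing; whether configitems registers the old name as an alias is not visible here, so if it does not, consider either a deprecation warning when the old key is present or a note in the test-suite documentation that the old key no longer has any effect. The same read-and-validate chain is now duplicated in both branches (new 556-588 and 598-615), so any future change to the option's name or accepted values has to be made twice; hoisting it into a small helper that returns the validated value would keep the two branches from drifting. The "footgun" comment above each read could also say that the value is echoed verbatim in the `invalid value for server-insecure-exact-protocol: %s` abort message, which is fine for a devel-only option but worth stating. The enclosing function starts before the first hunk and its body continues after the last one.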