129 # We always print a "connection security to %s is disabled..." message when |
129 # We always print a "connection security to %s is disabled..." message when |
130 # --insecure is used. So no need to print anything more here. |
130 # --insecure is used. So no need to print anything more here. |
131 if ui.insecureconnections: |
131 if ui.insecureconnections: |
132 protocol = b'tls1.0' |
132 protocol = b'tls1.0' |
133 |
133 |
134 s[b'protocol'], s[b'ctxoptions'], s[b'protocolui'] = protocolsettings( |
134 s[b'protocolui'] = protocol |
135 protocol |
135 s[b'protocol'], s[b'ctxoptions'] = protocolsettings(protocol) |
136 ) |
|
137 |
136 |
138 ciphers = ui.config(b'hostsecurity', b'ciphers') |
137 ciphers = ui.config(b'hostsecurity', b'ciphers') |
139 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
138 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
140 s[b'ciphers'] = ciphers |
139 s[b'ciphers'] = ciphers |
141 |
140 |
243 |
242 |
244 |
243 |
245 def protocolsettings(protocol): |
244 def protocolsettings(protocol): |
246 """Resolve the protocol for a config value. |
245 """Resolve the protocol for a config value. |
247 |
246 |
248 Returns a 3-tuple of (protocol, options, ui value) where the first |
247 Returns a tuple of (protocol, options) which are values used by SSLContext. |
249 2 items are values used by SSLContext and the last is a string value |
|
250 of the ``minimumprotocol`` config option equivalent. |
|
251 """ |
248 """ |
252 if protocol not in configprotocols: |
249 if protocol not in configprotocols: |
253 raise ValueError(b'protocol value not supported: %s' % protocol) |
250 raise ValueError(b'protocol value not supported: %s' % protocol) |
254 |
251 |
255 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
252 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
270 b'upgrade Python or disable setting since ' |
267 b'upgrade Python or disable setting since ' |
271 b'only TLS 1.0 is supported' |
268 b'only TLS 1.0 is supported' |
272 ), |
269 ), |
273 ) |
270 ) |
274 |
271 |
275 return ssl.PROTOCOL_TLSv1, 0, b'tls1.0' |
272 return ssl.PROTOCOL_TLSv1, 0 |
276 |
273 |
277 # SSLv2 and SSLv3 are broken. We ban them outright. |
274 # SSLv2 and SSLv3 are broken. We ban them outright. |
278 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
275 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
279 |
276 |
280 if protocol == b'tls1.0': |
277 if protocol == b'tls1.0': |
289 |
286 |
290 # Prevent CRIME. |
287 # Prevent CRIME. |
291 # There is no guarantee this attribute is defined on the module. |
288 # There is no guarantee this attribute is defined on the module. |
292 options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
289 options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
293 |
290 |
294 return ssl.PROTOCOL_SSLv23, options, protocol |
291 return ssl.PROTOCOL_SSLv23, options |
295 |
292 |
296 |
293 |
297 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): |
294 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): |
298 """Add SSL/TLS to a socket. |
295 """Add SSL/TLS to a socket. |
299 |
296 |
541 if f and not os.path.exists(f): |
538 if f and not os.path.exists(f): |
542 raise error.Abort( |
539 raise error.Abort( |
543 _(b'referenced certificate file (%s) does not exist') % f |
540 _(b'referenced certificate file (%s) does not exist') % f |
544 ) |
541 ) |
545 |
542 |
546 protocol, options, _protocolui = protocolsettings(b'tls1.0') |
543 protocol, options = protocolsettings(b'tls1.0') |
547 |
544 |
548 # This config option is intended for use in tests only. It is a giant |
545 # This config option is intended for use in tests only. It is a giant |
549 # footgun to kill security. Don't define it. |
546 # footgun to kill security. Don't define it. |
550 exactprotocol = ui.config(b'devel', b'serverexactprotocol') |
547 exactprotocol = ui.config(b'devel', b'serverexactprotocol') |
551 if exactprotocol == b'tls1.0': |
548 if exactprotocol == b'tls1.0': |