comparison mercurial/sslutil.py @ 52312:a820a7a1fce0
setup: require TLS 1.2 support from the Python interpreter (BC)
Before it was optional, and either 1.1 or 1.2 was sufficient. Now that the
default minimum is 1.2, it needs to be present to work out of the box.
The code here is more convoluted than the corresponding checks in `sslutil.py`,
but I'm leaving it alone because it can all be simplified when py38 is dropped.
author | Matt Harbison <matt_harbison@yahoo.com> |
---|---|
date | Thu, 21 Nov 2024 11:46:10 -0500 |
parents | 085cc409847d |
children |
52311:d49144a1422f | 52312:a820a7a1fce0 |
---|---|
101 | 101 |
102 # We default to TLS 1.2+ because TLS 1.0 has known vulnerabilities (like | 102 # We default to TLS 1.2+ because TLS 1.0 has known vulnerabilities (like |
103 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config | 103 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config |
104 # options in case a legacy server is encountered. | 104 # options in case a legacy server is encountered. |
105 | 105 |
106 # setup.py checks that TLS 1.1 or TLS 1.2 is present, so the following | 106 # setup.py checks that TLS 1.2 is present, so the following assert should |
107 # assert should not fail. | 107 # not fail. |
108 assert supportedprotocols - {b'tls1.0', b'tls1.1'} | 108 assert supportedprotocols - {b'tls1.0', b'tls1.1'} |
109 defaultminimumprotocol = b'tls1.2' | 109 defaultminimumprotocol = b'tls1.2' |
110 | 110 |
111 key = b'minimumprotocol' | 111 key = b'minimumprotocol' |
112 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) | 112 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) |