comparison mercurial/sslutil.py @ 44891:abcd6db1f2cc
sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available
This case isn't very likely, but possible, especially if supportedprotocols
gets fixed to contain only correct items (see the FIXME above in the file).
author | Manuel Jacob <me@manueljacob.de> |
---|---|
date | Sun, 31 May 2020 11:10:21 +0200 |
parents | 4942c1bdd080 |
children | dd7c4a208a4e |
44890:4942c1bdd080 | 44891:abcd6db1f2cc |
---|---|
103 ) | 103 ) |
104 | 104 |
105 # We default to TLS 1.1+ where we can because TLS 1.0 has known | 105 # We default to TLS 1.1+ where we can because TLS 1.0 has known |
106 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to | 106 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to |
107 # TLS 1.0+ via config options in case a legacy server is encountered. | 107 # TLS 1.0+ via config options in case a legacy server is encountered. |
108 if b'tls1.1' in supportedprotocols: | 108 if supportedprotocols - {b'tls1.0'}: |
109 defaultminimumprotocol = b'tls1.1' | 109 defaultminimumprotocol = b'tls1.1' |
110 else: | 110 else: |
111 # Let people know they are borderline secure. | 111 # Let people know they are borderline secure. |
112 # We don't document this config option because we want people to see | 112 # We don't document this config option because we want people to see |
113 # the bold warnings on the web site. | 113 # the bold warnings on the web site. |
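Review bot: On new line 108, `supportedprotocols - {b'tls1.0'}` is true for any leftover element, so the branch no longer guarantees that `b'tls1.1'` is itself in `supportedprotocols`; in the 1.2-only case the commit message describes, `defaultminimumprotocol` becomes a version the set does not contain. Please confirm that the code consuming `defaultminimumprotocol` treats it as a floor rather than requiring membership, and add a short comment above the condition saying so. The test is also only correct while every item in the set is a real TLS version name, which ties it to the FIXME the commit message mentions; a comment noting that dependency would help the next reader.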