comparison mercurial/sslutil.py @ 50342:c54e9bb5737e stable
sslutil: set context security level for legacy tls testing (issue6760)
Current versions of OpenSSL do not allow the use of TLS <1.2 when the
library's security level is >=1 (1 being the default on most distributions).
Setting the security level in addition to the minimum protocol is therefore
necessary for the legacy protocol tests.
This is done here ONLY when testing, when:
- explicitly setting the cipher string, or
- using the "--insecure" flag, or
- using the "devel.serverexactprotocol" testing option.
See: https://github.com/openssl/openssl/blob/master/NEWS.md#major-changes-between-openssl-30-and-openssl-310-14-mar-2023
author | pacien <pacien.trangirard@pacien.net>
---|---
date | Wed, 12 Apr 2023 17:28:39 +0200
parents | 698ffff7024b
children | a2f922825721
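The interaction the commit message describes, as an added example that is not Mercurial's code: a small audit helper that reads the `@SECLEVEL` directive out of a cipher string, flags a TLS < 1.2 minimum protocol that would be refused by current OpenSSL at its default security level, flags a security-level downgrade that happens outside the three test-only cases listed above, and shows which cipher suites a given string actually enables in a Python `ssl` context. The function names and finding codes are this example's own; `minimumprotocol` values follow the `tls1.0`/`tls1.1`/`tls1.2` form used by `sslutil.py`.

```python
import re
import ssl

# Matches the OpenSSL security-level directive inside a cipher string.
SECLEVEL_RE = re.compile(r'@SECLEVEL=(\d)')


def _as_str(value):
    """hg keeps config values as bytes; accept either bytes or str."""
    return value.decode('ascii') if isinstance(value, bytes) else value


def seclevel_of(cipher_string):
    """Return the security level a cipher string requests, or None if it
    does not set one (OpenSSL then uses its compiled-in default)."""
    m = SECLEVEL_RE.search(_as_str(cipher_string))
    return int(m.group(1)) if m else None


def audit_tls_settings(cipher_string, minimumprotocol, insecure=False,
                       exactprotocol=False, explicit_ciphers=False):
    """Return a list of finding codes for a (ciphers, minimumprotocol) pair.

    'seclevel-downgrade'     : the string lowers the security level below 1
                               outside the three test-only cases the commit
                               message names (explicit ciphers, --insecure,
                               devel.serverexactprotocol).
    'legacy-protocol-blocked': a TLS < 1.2 minimum is requested without
                               lowering the security level, which current
                               OpenSSL rejects at its default level of 1.
    """
    findings = []
    level = seclevel_of(cipher_string)
    testing = insecure or exactprotocol or explicit_ciphers
    if level is not None and level < 1 and not testing:
        findings.append('seclevel-downgrade')
    legacy = _as_str(minimumprotocol) in ('tls1.0', 'tls1.1')
    if legacy and (level is None or level >= 1):
        findings.append('legacy-protocol-blocked')
    return findings


def ciphers_by_protocol(cipher_string):
    """Apply cipher_string to a fresh client context and group the suites it
    enables by the protocol version each one belongs to. Returns None when
    the underlying library rejects the string (no match, or a backend that
    does not understand @SECLEVEL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(_as_str(cipher_string))
    except ssl.SSLError:
        return None
    grouped = {}
    for suite in ctx.get_ciphers():
        grouped.setdefault(suite['protocol'], []).append(suite['name'])
    return grouped


if __name__ == '__main__':
    # Compare the pre-patch and post-patch --insecure cipher strings.
    for cs in (b'DEFAULT', b'DEFAULT:@SECLEVEL=0'):
        print(cs.decode(), '->', audit_tls_settings(cs, b'tls1.0'))
        enabled = ciphers_by_protocol(cs)
        if enabled is not None:
            for proto, names in sorted(enabled.items()):
                print('  %-8s %d suites' % (proto, len(names)))
```

Running the module prints, for each string, the audit findings for a `tls1.0` minimum and a per-protocol count of enabled suites; the counts vary with the OpenSSL build, which is why the audit logic is kept separate from the context inspection.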
50341:698ffff7024b | 50342:c54e9bb5737e |
---|---|
120 # We always print a "connection security to %s is disabled..." message when | 120 # We always print a "connection security to %s is disabled..." message when |
121 # --insecure is used. So no need to print anything more here. | 121 # --insecure is used. So no need to print anything more here. |
122 if ui.insecureconnections: | 122 if ui.insecureconnections: |
123 minimumprotocol = b'tls1.0' | 123 minimumprotocol = b'tls1.0' |
124 if not ciphers: | 124 if not ciphers: |
125 ciphers = b'DEFAULT' | 125 ciphers = b'DEFAULT:@SECLEVEL=0' |
126 | 126 |
127 s[b'minimumprotocol'] = minimumprotocol | 127 s[b'minimumprotocol'] = minimumprotocol |
128 s[b'ciphers'] = ciphers | 128 s[b'ciphers'] = ciphers |
129 | 129 |
130 # Look for fingerprints in [hostsecurity] section. Value is a list | 130 # Look for fingerprints in [hostsecurity] section. Value is a list |
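Review bot: the comment at lines 120-121 still describes --insecure as only printing a warning, but line 125 now also drops OpenSSL's security level to 0, which re-enables weak key sizes and signature algorithms in addition to the older protocol versions the surrounding code is about; extend that comment so the widened effect of --insecure is documented next to the setting that causes it.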
625 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) | 625 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) |
626 | 626 |
627 # In tests, allow insecure ciphers | 627 # In tests, allow insecure ciphers |
628 # Otherwise, use the list of more secure ciphers if found in the ssl module. | 628 # Otherwise, use the list of more secure ciphers if found in the ssl module. |
629 if exactprotocol: | 629 if exactprotocol: |
630 sslcontext.set_ciphers('DEFAULT') | 630 sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0') |
631 elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): | 631 elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): |
632 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) | 632 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) |
633 # pytype: disable=module-attr | 633 # pytype: disable=module-attr |
634 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) | 634 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) |
635 # pytype: enable=module-attr | 635 # pytype: enable=module-attr |
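Review bot: line 630 hard-codes the same 'DEFAULT:@SECLEVEL=0' literal that line 125 now sets for --insecure; hoisting it into one module-level constant would keep the two test-only paths from drifting apart, and the comment on line 627 should say the security level is lowered as well as the cipher list widened. Since `@SECLEVEL=` is OpenSSL cipher-string syntax, `set_ciphers` can raise `ssl.SSLError` on a library that does not parse it; a guarded fallback to 'DEFAULT' would keep the exactprotocol path usable there.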