42 b'tls1.2', |
42 b'tls1.2', |
43 } |
43 } |
44 |
44 |
45 hassni = getattr(ssl, 'HAS_SNI', False) |
45 hassni = getattr(ssl, 'HAS_SNI', False) |
46 |
46 |
47 # TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled |
47 # ssl.HAS_TLSv1* are preferred to check support but they were added in Python |
48 # against doesn't support them. |
48 # 3.7. Prior to CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98 |
49 # FIXME: Since CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98 |
49 # (backported to the 3.7 branch), ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 |
50 # individual TLS versions can be turned on and off, and the |
50 # were defined only if compiled against a OpenSSL version with TLS 1.1 / 1.2 |
51 # ssl.PROTOCOL_TLSv1_* constants are always defined. |
51 # support. At the mentioned commit, they were unconditionally defined. |
52 # This means that, on unusual configurations, the following dict may contain |
52 supportedprotocols = set() |
53 # too many entries. A proper fix would be to check ssl.HAS_TLSv* where |
53 if getattr(ssl, 'HAS_TLSv1', util.safehasattr(ssl, 'PROTOCOL_TLSv1')): |
54 # available (Python 3.7+). Before that, this module should be proofed against |
54 supportedprotocols.add(b'tls1.0') |
55 # all possible combinations. |
55 if getattr(ssl, 'HAS_TLSv1_1', util.safehasattr(ssl, 'PROTOCOL_TLSv1_1')): |
56 supportedprotocols = {b'tls1.0'} |
|
57 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'): |
|
58 supportedprotocols.add(b'tls1.1') |
56 supportedprotocols.add(b'tls1.1') |
59 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'): |
57 if getattr(ssl, 'HAS_TLSv1_2', util.safehasattr(ssl, 'PROTOCOL_TLSv1_2')): |
60 supportedprotocols.add(b'tls1.2') |
58 supportedprotocols.add(b'tls1.2') |
61 |
59 |
62 |
60 |
63 def _hostsettings(ui, hostname): |
61 def _hostsettings(ui, hostname): |
64 """Obtain security settings for a hostname. |
62 """Obtain security settings for a hostname. |