mercurial-scm/hg: comparison mercurial/sslutil.py

equal deleted inserted replaced

-:94cf83d9a2c9
+:f1b37ed41f01
 # CAs may undermine the user's intent. For example, a user may define a CA
 # bundle with a specific CA cert removed. If the system/default CA bundle
 # is loaded and contains that removed CA, you've just undone the user's
 # choice.
-if True:
+sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+minimumprotocol = settings[b'minimumprotocol']
-minimumprotocol = settings[b'minimumprotocol']
+if minimumprotocol == b'tls1.0':
-if minimumprotocol == b'tls1.0':
+with warnings.catch_warnings():
-with warnings.catch_warnings():
+warnings.filterwarnings(
-warnings.filterwarnings(
+'ignore',
-'ignore',
+'ssl.TLSVersion.TLSv1 is deprecated',
-'ssl.TLSVersion.TLSv1 is deprecated',
+DeprecationWarning,
-DeprecationWarning,
+)
-)
+sslcontext.minimum_version = ssl.TLSVersion.TLSv1
-sslcontext.minimum_version = ssl.TLSVersion.TLSv1
+elif minimumprotocol == b'tls1.1':
-elif minimumprotocol == b'tls1.1':
+with warnings.catch_warnings():
-with warnings.catch_warnings():
+warnings.filterwarnings(
-warnings.filterwarnings(
+'ignore',
-'ignore',
+'ssl.TLSVersion.TLSv1_1 is deprecated',
-'ssl.TLSVersion.TLSv1_1 is deprecated',
+DeprecationWarning,
-DeprecationWarning,
+)
-)
+sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
-sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
+elif minimumprotocol == b'tls1.2':
-elif minimumprotocol == b'tls1.2':
+sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
-sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
+else:
-else:
+raise error.Abort(_(b'this should not happen'))
-raise error.Abort(_(b'this should not happen'))
+# Prevent CRIME.
-# Prevent CRIME.
+# There is no guarantee this attribute is defined on the module.
-# There is no guarantee this attribute is defined on the module.
+sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
-sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
 # We check the hostname ourselves in _verifycert
 sslcontext.check_hostname = False
 sslcontext.verify_mode = settings[b'verifymode']
 if f and not os.path.exists(f):
 raise error.Abort(
 _(b'referenced certificate file (%s) does not exist') % f
 )
-if True:
+sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
-sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+# This config option is intended for use in tests only. It is a giant
-# This config option is intended for use in tests only. It is a giant
+# footgun to kill security. Don't define it.
-# footgun to kill security. Don't define it.
+exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
-exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
+if exactprotocol == b'tls1.0':
-if exactprotocol == b'tls1.0':
+if b'tls1.0' not in supportedprotocols:
-if b'tls1.0' not in supportedprotocols:
+raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
-raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
+with warnings.catch_warnings():
-with warnings.catch_warnings():
+warnings.filterwarnings(
-warnings.filterwarnings(
+'ignore',
-'ignore',
+'ssl.TLSVersion.TLSv1 is deprecated',
-'ssl.TLSVersion.TLSv1 is deprecated',
+DeprecationWarning,
-DeprecationWarning,
+)
-)
+sslcontext.minimum_version = ssl.TLSVersion.TLSv1
-sslcontext.minimum_version = ssl.TLSVersion.TLSv1
+sslcontext.maximum_version = ssl.TLSVersion.TLSv1
-sslcontext.maximum_version = ssl.TLSVersion.TLSv1
+elif exactprotocol == b'tls1.1':
-elif exactprotocol == b'tls1.1':
+if b'tls1.1' not in supportedprotocols:
-if b'tls1.1' not in supportedprotocols:
+raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
-raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
+with warnings.catch_warnings():
-with warnings.catch_warnings():
+warnings.filterwarnings(
-warnings.filterwarnings(
+'ignore',
-'ignore',
+'ssl.TLSVersion.TLSv1_1 is deprecated',
-'ssl.TLSVersion.TLSv1_1 is deprecated',
+DeprecationWarning,
-DeprecationWarning,
+)
-)
+sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
-sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
+sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1
-sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1
+elif exactprotocol == b'tls1.2':
-elif exactprotocol == b'tls1.2':
+if b'tls1.2' not in supportedprotocols:
-if b'tls1.2' not in supportedprotocols:
+raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
-raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
+sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
-sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
+sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
-sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
+elif exactprotocol:
-elif exactprotocol:
+raise error.Abort(
-raise error.Abort(
+_(b'invalid value for server-insecure-exact-protocol: %s')
-_(b'invalid value for server-insecure-exact-protocol: %s')
+% exactprotocol
-% exactprotocol
+)
-)
 # Improve forward secrecy.
 sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)

changeset 52282	f1b37ed41f01
parent 52281	94cf83d9a2c9
child 52283	baeb5e8d2612