mercurial/sslutil.py
changeset 29560 303e9300772a
parent 29559 7dec5e441bf7
child 29561 1a782fabf80d
--- a/mercurial/sslutil.py	Thu Jul 14 20:47:22 2016 -0700
+++ b/mercurial/sslutil.py	Wed Jul 13 21:35:54 2016 -0700
@@ -154,9 +154,17 @@
                 hint=_('valid protocols: %s') %
                      ' '.join(sorted(configprotocols)))
 
+    # Legacy Python can only do TLS 1.0. We default to TLS 1.1+ where we
+    # can because TLS 1.0 has known vulnerabilities (like BEAST and POODLE).
+    # We allow users to downgrade to TLS 1.0+ via config options in case a
+    # legacy server is encountered.
+    if modernssl:
+        defaultprotocol = 'tls1.1'
+    else:
+        defaultprotocol = 'tls1.0'
+
     key = 'minimumprotocol'
-    # Default to TLS 1.0+ as that is what browsers are currently doing.
-    protocol = ui.config('hostsecurity', key, 'tls1.0')
+    protocol = ui.config('hostsecurity', key, defaultprotocol)
     validateprotocol(protocol, key)
 
     key = '%s:minimumprotocol' % hostname
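Review bot: The new comment at the top of the hunk cites POODLE as a TLS 1.0 vulnerability, but POODLE is an SSL 3.0 padding-oracle attack (only TLS implementations with lax padding checks were affected), while BEAST is the TLS 1.0 CBC weakness; stating the rationale accurately matters because this comment justifies the new default. Suggest rewording the second and third comment lines to `# can because TLS 1.0 has known weaknesses (e.g. BEAST; some TLS 1.0 stacks` / `# were also hit by POODLE-style padding oracles).`. The `modernssl` flag and the enclosing function are defined outside the hunk, so it is not visible here what happens on the legacy path if a user sets `minimumprotocol` to a value the old stack cannot enforce; a one-line comment at the `defaultprotocol = 'tls1.0'` branch noting that behaviour would help the next reader.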