Patchwork [13,of,15] sslutil: simplify code, now that `supportedprotocols` is constant

login
register
mail settings
Submitter Manuel Jacob
Date May 30, 2020, 5:52 a.m.
Message ID <e42ce24c506a9336dd6e.1590817945@tmp>
Download mbox | patch
Permalink /patch/46408/
State New
Headers show

Comments

Manuel Jacob - May 30, 2020, 5:52 a.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590798598 -7200
#      Sat May 30 02:29:58 2020 +0200
# Node ID e42ce24c506a9336dd6ecc8b4f83889580d8af6b
# Parent  de89534c092fffff5d2e2eb8c7b21dcb81d83aa3
# EXP-Topic require_modern_ssl
sslutil: simplify code, now that `supportedprotocols` is constant

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -100,27 +100,10 @@  def _hostsettings(ui, hostname):
                 % b' '.join(sorted(configprotocols)),
             )
 
-    # We default to TLS 1.1+ where we can because TLS 1.0 has known
-    # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
-    # TLS 1.0+ via config options in case a legacy server is encountered.
-    if b'tls1.1' in supportedprotocols:
-        defaultprotocol = b'tls1.1'
-    else:
-        # Let people know they are borderline secure.
-        # We don't document this config option because we want people to see
-        # the bold warnings on the web site.
-        # internal config: hostsecurity.disabletls10warning
-        if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
-            ui.warn(
-                _(
-                    b'warning: connecting to %s using legacy security '
-                    b'technology (TLS 1.0); see '
-                    b'https://mercurial-scm.org/wiki/SecureConnections for '
-                    b'more info\n'
-                )
-                % bhostname
-            )
-        defaultprotocol = b'tls1.0'
+    # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
+    # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
+    # options in case a legacy server is encountered.
+    defaultprotocol = b'tls1.1'
 
     key = b'minimumprotocol'
     protocol = ui.config(b'hostsecurity', key, defaultprotocol)
@@ -264,18 +247,6 @@  def protocolsettings(protocol):
     # only (as opposed to multiple versions). So the method for
     # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
     # disable protocols via SSLContext.options and OP_NO_* constants.
-    if supportedprotocols == {b'tls1.0'}:
-        if protocol != b'tls1.0':
-            raise error.Abort(
-                _(b'current Python does not support protocol setting %s')
-                % protocol,
-                hint=_(
-                    b'upgrade Python or disable setting since '
-                    b'only TLS 1.0 is supported'
-                ),
-            )
-
-        return ssl.PROTOCOL_TLSv1, 0, b'tls1.0'
 
     # SSLv2 and SSLv3 are broken. We ban them outright.
     options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
@@ -518,12 +489,8 @@  def wrapserversocket(
     if exactprotocol == b'tls1.0':
         protocol = ssl.PROTOCOL_TLSv1
     elif exactprotocol == b'tls1.1':
-        if b'tls1.1' not in supportedprotocols:
-            raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
         protocol = ssl.PROTOCOL_TLSv1_1
     elif exactprotocol == b'tls1.2':
-        if b'tls1.2' not in supportedprotocols:
-            raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
         protocol = ssl.PROTOCOL_TLSv1_2
     elif exactprotocol:
         raise error.Abort(