@@ -100,27 +100,10 @@ def _hostsettings(ui, hostname):
% b' '.join(sorted(configprotocols)),
)
- # We default to TLS 1.1+ where we can because TLS 1.0 has known
- # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
- # TLS 1.0+ via config options in case a legacy server is encountered.
- if b'tls1.1' in supportedprotocols:
- defaultprotocol = b'tls1.1'
- else:
- # Let people know they are borderline secure.
- # We don't document this config option because we want people to see
- # the bold warnings on the web site.
- # internal config: hostsecurity.disabletls10warning
- if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
- ui.warn(
- _(
- b'warning: connecting to %s using legacy security '
- b'technology (TLS 1.0); see '
- b'https://mercurial-scm.org/wiki/SecureConnections for '
- b'more info\n'
- )
- % bhostname
- )
- defaultprotocol = b'tls1.0'
+ # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
+ # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
+ # options in case a legacy server is encountered.
+ defaultprotocol = b'tls1.1'
key = b'minimumprotocol'
protocol = ui.config(b'hostsecurity', key, defaultprotocol)
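Review bot: The removed `ui.warn` was the only user-visible signal on this path that TLS 1.0 was being used, and the added lines drop it together with the `hostsecurity.disabletls10warning` lookup while the new comment still promises a TLS 1.0 downgrade via config; since `hostsecurity.minimumprotocol` is still read two lines below, consider keeping a warning when the configured value resolves to `b'tls1.0'`, or amend the comment to say the downgrade is now silent, e.g. `# Explicitly selecting tls1.0 via hostsecurity.minimumprotocol is allowed but no longer warned about.` If the `disabletls10warning` item is still registered in the config table elsewhere, it is now dead and should be retired or marked unused in the same change. `_hostsettings` starts and ends outside the hunk.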
@@ -264,18 +247,6 @@ def protocolsettings(protocol):
# only (as opposed to multiple versions). So the method for
# supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
# disable protocols via SSLContext.options and OP_NO_* constants.
- if supportedprotocols == {b'tls1.0'}:
- if protocol != b'tls1.0':
- raise error.Abort(
- _(b'current Python does not support protocol setting %s')
- % protocol,
- hint=_(
- b'upgrade Python or disable setting since '
- b'only TLS 1.0 is supported'
- ),
- )
-
- return ssl.PROTOCOL_TLSv1, 0, b'tls1.0'
# SSLv2 and SSLv3 are broken. We ban them outright.
options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
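Review bot: With the TLS-1.0-only branch gone, `protocolsettings` now assumes unconditionally that the ssl module provides the `OP_NO_*` constants used to disable TLS 1.0 and 1.1, but the comment at the top of the hunk still explains only the `PROTOCOL_SSLv23` approach; add a line stating the new floor, e.g. `# Assumes an ssl module with OP_NO_TLSv1/OP_NO_TLSv1_1; the TLS 1.0-only fallback has been removed.` The removed branch was also the place that aborted on a `protocol` value the interpreter could not enforce, so it is worth confirming that the remaining code still fails loudly rather than silently negotiating a lower minimum than the one requested. `protocolsettings` begins before the hunk and continues past it.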
@@ -518,12 +489,8 @@ def wrapserversocket(
if exactprotocol == b'tls1.0':
protocol = ssl.PROTOCOL_TLSv1
elif exactprotocol == b'tls1.1':
- if b'tls1.1' not in supportedprotocols:
- raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1_1
elif exactprotocol == b'tls1.2':
- if b'tls1.2' not in supportedprotocols:
- raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1_2
elif exactprotocol:
raise error.Abort(
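Review bot: The `b'tls1.1'` and `b'tls1.2'` branches now reference `ssl.PROTOCOL_TLSv1_1` and `ssl.PROTOCOL_TLSv1_2` unconditionally, which leaves no trace of why the `supportedprotocols` probe was dropped; a one-line comment above the chain, `# PROTOCOL_TLSv1_1/_2 are always present on the Pythons we support; no runtime probe needed.`, would preserve that reasoning for the next reader. Since all three branches now only map a byte string to an ssl constant, a small lookup table with `protocol = _EXACT_PROTOCOLS.get(exactprotocol)` followed by the existing `elif exactprotocol:` abort for unknown values would read more uniformly than the if/elif chain. `wrapserversocket` starts before the hunk and continues past it.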