Patchwork [4,of,5] sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available

Submitter Manuel Jacob
Date May 31, 2020, 10:24 a.m.
Message ID <d950d0faa52d3db15914.1590920687@tmp>
Permalink /patch/46436/
State New

Comments

Manuel Jacob - May 31, 2020, 10:24 a.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590916221 -7200
#      Sun May 31 11:10:21 2020 +0200
# Node ID d950d0faa52d3db159147891e58f4488042d9afe
# Parent  14fb5b19169473e9a14a5ad4371ca727cd8c8293
# EXP-Topic sslutil_cleanup
sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available

This case isn't very likely, but possible, especially if supportedprotocols
gets fixed to contain only correct items (see the FIXME above in the file).

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -105,7 +105,7 @@  def _hostsettings(ui, hostname):
     # We default to TLS 1.1+ where we can because TLS 1.0 has known
     # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
     # TLS 1.0+ via config options in case a legacy server is encountered.
-    if b'tls1.1' in supportedprotocols:
+    if supportedprotocols - {b'tls1.0'}:
         defaultminimumprotocol = b'tls1.1'
     else:
         # Let people know they are borderline secure.
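Review bot: the new condition on the changed line relies on `supportedprotocols` being a `set` (the `-` operator with a set literal raises `TypeError` on a list or tuple), and the hunk does not show how it is built, so please confirm that in the rest of `_hostsettings` or add a short comment at that line saying the intent, since the truthiness of a set difference reads less obviously than the `b'tls1.1' in supportedprotocols` membership test it replaces. It would also help to note there, or in the commit message, that choosing `b'tls1.1'` as the default minimum is still correct when only `b'tls1.2'` is available, because a minimum of 1.1 admits 1.2; that is the case the title describes and the reason the change is safe.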