Patchwork [5,of,5] sslutil: check for OpenSSL without TLS 1.0 support in one case

Submitter Manuel Jacob
Date May 31, 2020, 10:24 a.m.
Message ID <ccb1f10b9fd61d82a222.1590920688@tmp>
Permalink /patch/46437/
State New

Comments

Manuel Jacob - May 31, 2020, 10:24 a.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590919637 -7200
#      Sun May 31 12:07:17 2020 +0200
# Node ID ccb1f10b9fd61d82a2227d648208465f16dccdf3
# Parent  d950d0faa52d3db159147891e58f4488042d9afe
# EXP-Topic sslutil_cleanup
sslutil: check for OpenSSL without TLS 1.0 support in one case

It can only happen if supportedprotocols gets fixed to contain only correct
items (see the FIXME above in the file).

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -553,6 +553,8 @@  def wrapserversocket(
     # footgun to kill security. Don't define it.
     exactprotocol = ui.config(b'devel', b'serverexactprotocol')
     if exactprotocol == b'tls1.0':
+        if b'tls1.0' not in supportedprotocols:
+            raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
         protocol = ssl.PROTOCOL_TLSv1
     elif exactprotocol == b'tls1.1':
         if b'tls1.1' not in supportedprotocols:
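
Review bot: The new guard under `if exactprotocol == b'tls1.0':` is unreachable today according to the commit message, which says it can only trigger once supportedprotocols is fixed per the FIXME earlier in the file, yet nothing in the code records that. Please add a short comment at the check pointing at that FIXME so the branch is not later removed as dead code, and consider landing it together with the supportedprotocols fix so the abort path can be exercised by a test. Also, the subject line describes the condition as OpenSSL lacking TLS 1.0 support while the abort text says `TLS 1.0 not supported by this Python`; if the limitation comes from the linked OpenSSL, wording the message that way would give users a more accurate pointer to what they need to change.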