# HG changeset patch # User pacien # Date 2023-04-12 15:28:39 # Node ID c54e9bb5737e0684bda52a2ebc173d7aa964cc80 # Parent 698ffff7024bfeba5c51d5fc3a03098f22d5beae sslutil: set context security level for legacy tls testing (issue6760) Current versions of OpenSSL do not allow the use of TLS <1.2 when the library's security level is >=1 (1 being the default on most distributions). Setting the security level in addition to the minimum protocol is therefore necessary for the legacy protocol tests. This is done here ONLY when testing, when: - explicitly setting the cipher string, or - using the "--insecure" flag, or - using the "devel.serverexactprotocol" testing option. See: https://github.com/openssl/openssl/blob/master/NEWS.md#major-changes-between-openssl-30-and-openssl-310-14-mar-2023
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -122,7 +122,7 @@ def _hostsettings(ui, hostname):
 if ui.insecureconnections:
 minimumprotocol = b'tls1.0'
 if not ciphers:
- ciphers = b'DEFAULT'
+ ciphers = b'DEFAULT:@SECLEVEL=0'
 s[b'minimumprotocol'] = minimumprotocol
 s[b'ciphers'] = ciphers
@@ -627,7 +627,7 @@ def wrapserversocket(
 # In tests, allow insecure ciphers
 # Otherwise, use the list of more secure ciphers if found in the ssl module.
 if exactprotocol:
- sslcontext.set_ciphers('DEFAULT')
+ sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
 elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) # pytype: disable=module-attr
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
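Review bot: The `ciphers = b'DEFAULT:@SECLEVEL=0'` fallback in `_hostsettings` is reached on the user-facing `--insecure` path (`ui.insecureconnections`), not only under test, so the description's "ONLY when testing" overstates the scope: at OpenSSL security level 0 the library also stops enforcing its minimum key-size and signature-digest requirements, which is more than the TLS 1.0/1.1 the tests need. That is arguably consistent with what `--insecure` already promises (certificate checks are already off on that path), but it should be stated next to the assignment, e.g. `# OpenSSL 3.x refuses TLS < 1.2 at its default security level (1); level 0 also lifts key-size and digest minimums, which --insecure accepts`. The `@SECLEVEL=` keyword is OpenSSL-specific syntax; where the stored string later reaches `set_ciphers` on a library that rejects it, the failure presumably surfaces outside this hunk, and it is worth confirming it is reported as a clean abort rather than a traceback. The server-side `sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')` in the second hunk would benefit from the same explanation appended to the existing `# In tests, allow insecure ciphers` comment. Both `_hostsettings` and `wrapserversocket` continue outside their hunks.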
@@ -356,9 +356,9 @@ Start servers running supported TLS vers
 Clients talking same TLS versions work
- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT/
 5fed3813f7f5
- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT1/
 5fed3813f7f5
 $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
 5fed3813f7f5
@@ -400,7 +400,7 @@ Clients requiring newer TLS version than
 The per-host config option overrides the default
 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
- > --config hostsecurity.ciphers=DEFAULT \
+ > --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" \
 > --config hostsecurity.minimumprotocol=tls1.2 \
 > --config hostsecurity.localhost:minimumprotocol=tls1.0
 5fed3813f7f5