@@ -139,18 +139,6 b' def _hostsettings(ui, hostname):' | |||||
139 | 'ciphers': None, |
|
139 | 'ciphers': None, | |
140 | } |
|
140 | } | |
141 |
|
141 | |||
142 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
|
|||
143 | # that both ends support, including TLS protocols. On legacy stacks, |
|
|||
144 | # the highest it likely goes is TLS 1.0. On modern stacks, it can |
|
|||
145 | # support TLS 1.2. |
|
|||
146 | # |
|
|||
147 | # The PROTOCOL_TLSv* constants select a specific TLS version |
|
|||
148 | # only (as opposed to multiple versions). So the method for |
|
|||
149 | # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and |
|
|||
150 | # disable protocols via SSLContext.options and OP_NO_* constants. |
|
|||
151 | # However, SSLContext.options doesn't work unless we have the |
|
|||
152 | # full/real SSLContext available to us. |
|
|||
153 |
|
||||
154 | # Allow minimum TLS protocol to be specified in the config. |
|
142 | # Allow minimum TLS protocol to be specified in the config. | |
155 | def validateprotocol(protocol, key): |
|
143 | def validateprotocol(protocol, key): | |
156 | if protocol not in configprotocols: |
|
144 | if protocol not in configprotocols: | |
@@ -289,10 +277,17 b' def protocolsettings(protocol):' | |||||
289 | if protocol not in configprotocols: |
|
277 | if protocol not in configprotocols: | |
290 | raise ValueError('protocol value not supported: %s' % protocol) |
|
278 | raise ValueError('protocol value not supported: %s' % protocol) | |
291 |
|
279 | |||
292 | # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use |
|
280 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | |
293 | # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However, |
|
281 | # that both ends support, including TLS protocols. On legacy stacks, | |
294 | # SSLContext.options doesn't work in our implementation since we use |
|
282 | # the highest it likely goes is TLS 1.0. On modern stacks, it can | |
295 | # a fake SSLContext on these Python versions. |
|
283 | # support TLS 1.2. | |
|
284 | # | |||
|
285 | # The PROTOCOL_TLSv* constants select a specific TLS version | |||
|
286 | # only (as opposed to multiple versions). So the method for | |||
|
287 | # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and | |||
|
288 | # disable protocols via SSLContext.options and OP_NO_* constants. | |||
|
289 | # However, SSLContext.options doesn't work unless we have the | |||
|
290 | # full/real SSLContext available to us. | |||
296 | if not modernssl: |
|
291 | if not modernssl: | |
297 | if protocol != 'tls1.0': |
|
292 | if protocol != 'tls1.0': | |
298 | raise error.Abort(_('current Python does not support protocol ' |
|
293 | raise error.Abort(_('current Python does not support protocol ' |