upstream/mercurial-mirror Commit - r49931:50bd2910

113

minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)

113

minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)

114

validateprotocol(minimumprotocol, key)

114

validateprotocol(minimumprotocol, key)

115

116

ciphers = ui.config(b'hostsecurity', b'ciphers')

117

ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)

118

116

# If --insecure is used, we allow the use of TLS 1.0 despite config options.

119

# If --insecure is used, we allow the use of TLS 1.0 despite config options.

117

# We always print a "connection security to %s is disabled..." message when

120

# We always print a "connection security to %s is disabled..." message when

118

# --insecure is used. So no need to print anything more here.

121

# --insecure is used. So no need to print anything more here.

119

if ui.insecureconnections:

122

if ui.insecureconnections:

120

minimumprotocol = b'tls1.0'

123

minimumprotocol = b'tls1.0'

124

if not ciphers:

125

ciphers = b'DEFAULT'

121

126

122

s[b'minimumprotocol'] = minimumprotocol

127

s[b'minimumprotocol'] = minimumprotocol

123

124

ciphers = ui.config(b'hostsecurity', b'ciphers')

125

ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)

126

s[b'ciphers'] = ciphers

128

s[b'ciphers'] = ciphers

127

129

128

# Look for fingerprints in [hostsecurity] section. Value is a list

130

# Look for fingerprints in [hostsecurity] section. Value is a list

617

sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)

619

sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)

618

sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)

620

sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)

619

621

620

# Use the list of more secure ciphers if found in the ssl module.

622

# In tests, allow insecure ciphers

621

if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):

623

# Otherwise, use the list of more secure ciphers if found in the ssl module.

624

if exactprotocol:

625

sslcontext.set_ciphers('DEFAULT')

626

elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):

622

sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)

627

sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)

623

# pytype: disable=module-attr

628

# pytype: disable=module-attr

624

sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)

629

sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

                 minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)
                 validateprotocol(minimumprotocol, key)
+                ciphers = ui.config(b'hostsecurity', b'ciphers')
+                ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
                 # If --insecure is used, we allow the use of TLS 1.0 despite config options.
                 # We always print a "connection security to %s is disabled..." message when
                 # --insecure is used. So no need to print anything more here.
                 if ui.insecureconnections:
                     minimumprotocol = b'tls1.0'
+                    if not ciphers:
+                        ciphers = b'DEFAULT'
                 s[b'minimumprotocol'] = minimumprotocol
-                ciphers = ui.config(b'hostsecurity', b'ciphers')
-                ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
                 s[b'ciphers'] = ciphers
                 # Look for fingerprints in [hostsecurity] section. Value is a list
                 sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
                 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
-                # Use the list of more secure ciphers if found in the ssl module.
+                # In tests, allow insecure ciphers
-                if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+                # Otherwise, use the list of more secure ciphers if found in the ssl module.
+                if exactprotocol:
+                    sslcontext.set_ciphers('DEFAULT')
+                elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
                     sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
                     # pytype: disable=module-attr
                     sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)