@@ -113,16 +113,18 b' def _hostsettings(ui, hostname):' | |||||
113 | minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) |
|
113 | minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) | |
114 | validateprotocol(minimumprotocol, key) |
|
114 | validateprotocol(minimumprotocol, key) | |
115 |
|
115 | |||
|
116 | ciphers = ui.config(b'hostsecurity', b'ciphers') | |||
|
117 | ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) | |||
|
118 | ||||
116 | # If --insecure is used, we allow the use of TLS 1.0 despite config options. |
|
119 | # If --insecure is used, we allow the use of TLS 1.0 despite config options. | |
117 | # We always print a "connection security to %s is disabled..." message when |
|
120 | # We always print a "connection security to %s is disabled..." message when | |
118 | # --insecure is used. So no need to print anything more here. |
|
121 | # --insecure is used. So no need to print anything more here. | |
119 | if ui.insecureconnections: |
|
122 | if ui.insecureconnections: | |
120 | minimumprotocol = b'tls1.0' |
|
123 | minimumprotocol = b'tls1.0' | |
|
124 | if not ciphers: | |||
|
125 | ciphers = b'DEFAULT' | |||
121 |
|
126 | |||
122 | s[b'minimumprotocol'] = minimumprotocol |
|
127 | s[b'minimumprotocol'] = minimumprotocol | |
123 |
|
||||
124 | ciphers = ui.config(b'hostsecurity', b'ciphers') |
|
|||
125 | ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
|
|||
126 | s[b'ciphers'] = ciphers |
|
128 | s[b'ciphers'] = ciphers | |
127 |
|
129 | |||
128 | # Look for fingerprints in [hostsecurity] section. Value is a list |
|
130 | # Look for fingerprints in [hostsecurity] section. Value is a list | |
@@ -617,8 +619,11 b' def wrapserversocket(' | |||||
617 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) |
|
619 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) | |
618 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) |
|
620 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) | |
619 |
|
621 | |||
620 | # Use the list of more secure ciphers if found in the ssl module. |
|
622 | # In tests, allow insecure ciphers | |
621 | if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): |
|
623 | # Otherwise, use the list of more secure ciphers if found in the ssl module. | |
|
624 | if exactprotocol: | |||
|
625 | sslcontext.set_ciphers('DEFAULT') | |||
|
626 | elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): | |||
622 | sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) |
|
627 | sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) | |
623 | # pytype: disable=module-attr |
|
628 | # pytype: disable=module-attr | |
624 | sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) |
|
629 | sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) |
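Review bot: The new `if exactprotocol:` branch in wrapserversocket relaxes the server cipher list to `'DEFAULT'` for any caller that passes that argument, yet the comment above it only says "In tests" and nothing visible in the hunk ties `exactprotocol` to test use. The same branch also skips `OP_CIPHER_SERVER_PREFERENCE`, which the old code set whenever `_RESTRICTED_SERVER_CIPHERS` was available, so a server started this way no longer enforces its own cipher order. I would state the contract in the comment, for example `# exactprotocol is a testing-only knob: it replaces the restricted cipher list with OpenSSL's DEFAULT and leaves server cipher preference unset`, and confirm that no non-test caller passes it. The function's signature and the rest of its body are outside the hunk, so that guarantee may already be documented there.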