upstream/mercurial-mirror Commit - r49931:50bd2910

sslutil: be less strict about which ciphers are allowed when using --insecure...

Julien Cristau -

r49931:50bd2910 default

parent child

mercurial/sslutil.py

0 +10 -5

                  minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)
                  validateprotocol(minimumprotocol, key)
+                 ciphers = ui.config(b'hostsecurity', b'ciphers')
+                 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
                  # If --insecure is used, we allow the use of TLS 1.0 despite config options.
                  # We always print a "connection security to %s is disabled..." message when
                  # --insecure is used. So no need to print anything more here.
                  if ui.insecureconnections:
                      minimumprotocol = b'tls1.0'
+                     if not ciphers:
+                         ciphers = b'DEFAULT'
                  s[b'minimumprotocol'] = minimumprotocol
-                 ciphers = ui.config(b'hostsecurity', b'ciphers')
-                 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
                  s[b'ciphers'] = ciphers
                  # Look for fingerprints in [hostsecurity] section. Value is a list
                  sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
                  sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
-                 # Use the list of more secure ciphers if found in the ssl module.
-                 if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+                 # In tests, allow insecure ciphers
+                 # Otherwise, use the list of more secure ciphers if found in the ssl module.
+                 if exactprotocol:
+                     sslcontext.set_ciphers('DEFAULT')
+                 elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
                      sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
                      # pytype: disable=module-attr
                      sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages