@@ -12,6 +12,7 b' import hashlib' | |||||
12 | import os |
|
12 | import os | |
13 | import re |
|
13 | import re | |
14 | import ssl |
|
14 | import ssl | |
|
15 | import warnings | |||
15 |
|
16 | |||
16 | from .i18n import _ |
|
17 | from .i18n import _ | |
17 | from .pycompat import getattr |
|
18 | from .pycompat import getattr | |
@@ -308,12 +309,43 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
308 | # bundle with a specific CA cert removed. If the system/default CA bundle |
|
309 | # bundle with a specific CA cert removed. If the system/default CA bundle | |
309 | # is loaded and contains that removed CA, you've just undone the user's |
|
310 | # is loaded and contains that removed CA, you've just undone the user's | |
310 | # choice. |
|
311 | # choice. | |
311 | # |
|
312 | ||
|
313 | if util.safehasattr(ssl, 'PROTOCOL_TLS_CLIENT'): | |||
|
314 | # python 3.7+ | |||
|
315 | sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) | |||
|
316 | minimumprotocol = settings[b'minimumprotocol'] | |||
|
317 | if minimumprotocol == b'tls1.0': | |||
|
318 | with warnings.catch_warnings(): | |||
|
319 | warnings.filterwarnings( | |||
|
320 | 'ignore', | |||
|
321 | 'ssl.TLSVersion.TLSv1 is deprecated', | |||
|
322 | DeprecationWarning, | |||
|
323 | ) | |||
|
324 | sslcontext.minimum_version = ssl.TLSVersion.TLSv1 | |||
|
325 | elif minimumprotocol == b'tls1.1': | |||
|
326 | with warnings.catch_warnings(): | |||
|
327 | warnings.filterwarnings( | |||
|
328 | 'ignore', | |||
|
329 | 'ssl.TLSVersion.TLSv1_1 is deprecated', | |||
|
330 | DeprecationWarning, | |||
|
331 | ) | |||
|
332 | sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 | |||
|
333 | elif minimumprotocol == b'tls1.2': | |||
|
334 | sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 | |||
|
335 | else: | |||
|
336 | raise error.Abort(_(b'this should not happen')) | |||
|
337 | # Prevent CRIME. | |||
|
338 | # There is no guarantee this attribute is defined on the module. | |||
|
339 | sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) | |||
|
340 | else: | |||
312 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both |
|
341 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both | |
313 | # ends support, including TLS protocols. commonssloptions() restricts the |
|
342 | # ends support, including TLS protocols. commonssloptions() restricts the | |
314 | # set of allowed protocols. |
|
343 | # set of allowed protocols. | |
315 | sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |
|
344 | sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) | |
316 | sslcontext.options |= commonssloptions(settings[b'minimumprotocol']) |
|
345 | sslcontext.options |= commonssloptions(settings[b'minimumprotocol']) | |
|
346 | ||||
|
347 | # We check the hostname ourselves in _verifycert | |||
|
348 | sslcontext.check_hostname = False | |||
317 | sslcontext.verify_mode = settings[b'verifymode'] |
|
349 | sslcontext.verify_mode = settings[b'verifymode'] | |
318 |
|
350 | |||
319 | if settings[b'ciphers']: |
|
351 | if settings[b'ciphers']: | |
@@ -509,6 +541,46 b' def wrapserversocket(' | |||||
509 | _(b'referenced certificate file (%s) does not exist') % f |
|
541 | _(b'referenced certificate file (%s) does not exist') % f | |
510 | ) |
|
542 | ) | |
511 |
|
543 | |||
|
544 | if util.safehasattr(ssl, 'PROTOCOL_TLS_SERVER'): | |||
|
545 | # python 3.7+ | |||
|
546 | sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) | |||
|
547 | sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) | |||
|
548 | ||||
|
549 | # This config option is intended for use in tests only. It is a giant | |||
|
550 | # footgun to kill security. Don't define it. | |||
|
551 | exactprotocol = ui.config(b'devel', b'serverexactprotocol') | |||
|
552 | if exactprotocol == b'tls1.0': | |||
|
553 | if b'tls1.0' not in supportedprotocols: | |||
|
554 | raise error.Abort(_(b'TLS 1.0 not supported by this Python')) | |||
|
555 | with warnings.catch_warnings(): | |||
|
556 | warnings.filterwarnings( | |||
|
557 | 'ignore', | |||
|
558 | 'ssl.TLSVersion.TLSv1 is deprecated', | |||
|
559 | DeprecationWarning, | |||
|
560 | ) | |||
|
561 | sslcontext.minimum_version = ssl.TLSVersion.TLSv1 | |||
|
562 | sslcontext.maximum_version = ssl.TLSVersion.TLSv1 | |||
|
563 | elif exactprotocol == b'tls1.1': | |||
|
564 | if b'tls1.1' not in supportedprotocols: | |||
|
565 | raise error.Abort(_(b'TLS 1.1 not supported by this Python')) | |||
|
566 | with warnings.catch_warnings(): | |||
|
567 | warnings.filterwarnings( | |||
|
568 | 'ignore', | |||
|
569 | 'ssl.TLSVersion.TLSv1_1 is deprecated', | |||
|
570 | DeprecationWarning, | |||
|
571 | ) | |||
|
572 | sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 | |||
|
573 | sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1 | |||
|
574 | elif exactprotocol == b'tls1.2': | |||
|
575 | if b'tls1.2' not in supportedprotocols: | |||
|
576 | raise error.Abort(_(b'TLS 1.2 not supported by this Python')) | |||
|
577 | sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 | |||
|
578 | sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2 | |||
|
579 | elif exactprotocol: | |||
|
580 | raise error.Abort( | |||
|
581 | _(b'invalid value for serverexactprotocol: %s') % exactprotocol | |||
|
582 | ) | |||
|
583 | else: | |||
512 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both |
|
584 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both | |
513 | # ends support, including TLS protocols. commonssloptions() restricts the |
|
585 | # ends support, including TLS protocols. commonssloptions() restricts the | |
514 | # set of allowed protocols. |
|
586 | # set of allowed protocols. |
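Review bot: In the wrapserversocket hunk (new lines 544-583) the PROTOCOL_TLS_SERVER branch pins `minimum_version` only when the test-only `devel.serverexactprotocol` option is set; on the normal path the protocol floor is whatever the interpreter and OpenSSL build default to, while the pre-existing path under `else:` still goes through commonssloptions(), which the context comment says restricts the allowed protocols. If the `else:` at 583 pairs with the outer `safehasattr` check (indentation is not visible in this rendering), consider setting `sslcontext.minimum_version` explicitly right after the `OP_NO_COMPRESSION` line so both branches enforce the same, visible policy instead of one inheriting a floor that differs between Python releases. In the wrapsocket hunk the order of `sslcontext.check_hostname = False` (348) before `sslcontext.verify_mode = settings[b'verifymode']` (349) is load-bearing: PROTOCOL_TLS_CLIENT defaults to check_hostname=True, and lowering verify_mode to CERT_NONE while it is still True raises ValueError, so a comment such as `# must be cleared before verify_mode may be lowered below CERT_REQUIRED` would keep a future reorder from breaking the insecure/fingerprint modes. Both enclosing functions start and end outside the hunks.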