Show More
| @@ -76,7 +76,7 b' def _hostsettings(ui, hostname):' | |||||
| 76 | b'protocol': None, |
|
76 | b'protocol': None, | |
| 77 | # String representation of minimum protocol to be used for UI |
|
77 | # String representation of minimum protocol to be used for UI | |
| 78 | # presentation. |
|
78 | # presentation. | |
| 79 | b'protocolui': None, |
|
79 | b'minimumprotocolui': None, | |
| 80 | # ssl.CERT_* constant used by SSLContext.verify_mode. |
|
80 | # ssl.CERT_* constant used by SSLContext.verify_mode. | |
| 81 | b'verifymode': None, |
|
81 | b'verifymode': None, | |
| 82 | # Defines extra ssl.OP* bitwise options to set. |
|
82 | # Defines extra ssl.OP* bitwise options to set. | |
| @@ -99,7 +99,7 b' def _hostsettings(ui, hostname):' | |||||
| 99 | # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to |
|
99 | # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to | |
| 100 | # TLS 1.0+ via config options in case a legacy server is encountered. |
|
100 | # TLS 1.0+ via config options in case a legacy server is encountered. | |
| 101 | if b'tls1.1' in supportedprotocols: |
|
101 | if b'tls1.1' in supportedprotocols: | |
| 102 | defaultprotocol = b'tls1.1' |
|
102 | defaultminimumprotocol = b'tls1.1' | |
| 103 | else: |
|
103 | else: | |
| 104 | # Let people know they are borderline secure. |
|
104 | # Let people know they are borderline secure. | |
| 105 | # We don't document this config option because we want people to see |
|
105 | # We don't document this config option because we want people to see | |
| @@ -115,24 +115,24 b' def _hostsettings(ui, hostname):' | |||||
| 115 | ) |
|
115 | ) | |
| 116 | % bhostname |
|
116 | % bhostname | |
| 117 | ) |
|
117 | ) | |
| 118 | defaultprotocol = b'tls1.0' |
|
118 | defaultminimumprotocol = b'tls1.0' | |
| 119 |
|
119 | |||
| 120 | key = b'minimumprotocol' |
|
120 | key = b'minimumprotocol' | |
| 121 | protocol = ui.config(b'hostsecurity', key, defaultprotocol) |
|
121 | minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) | |
| 122 | validateprotocol(protocol, key) |
|
122 | validateprotocol(minimumprotocol, key) | |
| 123 |
|
123 | |||
| 124 | key = b'%s:minimumprotocol' % bhostname |
|
124 | key = b'%s:minimumprotocol' % bhostname | |
| 125 | protocol = ui.config(b'hostsecurity', key, protocol) |
|
125 | minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) | |
| 126 | validateprotocol(protocol, key) |
|
126 | validateprotocol(minimumprotocol, key) | |
| 127 |
|
127 | |||
| 128 | # If --insecure is used, we allow the use of TLS 1.0 despite config options. |
|
128 | # If --insecure is used, we allow the use of TLS 1.0 despite config options. | |
| 129 | # We always print a "connection security to %s is disabled..." message when |
|
129 | # We always print a "connection security to %s is disabled..." message when | |
| 130 | # --insecure is used. So no need to print anything more here. |
|
130 | # --insecure is used. So no need to print anything more here. | |
| 131 | if ui.insecureconnections: |
|
131 | if ui.insecureconnections: | |
| 132 | protocol = b'tls1.0' |
|
132 | minimumprotocol = b'tls1.0' | |
| 133 |
|
133 | |||
| 134 | s[b'protocolui'] = protocol |
|
134 | s[b'minimumprotocolui'] = minimumprotocol | |
| 135 | s[b'protocol'], s[b'ctxoptions'] = protocolsettings(protocol) |
|
135 | s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) | |
| 136 |
|
136 | |||
| 137 | ciphers = ui.config(b'hostsecurity', b'ciphers') |
|
137 | ciphers = ui.config(b'hostsecurity', b'ciphers') | |
| 138 | ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
|
138 | ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) | |
| @@ -241,13 +241,13 b' def _hostsettings(ui, hostname):' | |||||
| 241 | return s |
|
241 | return s | |
| 242 |
|
242 | |||
| 243 |
|
243 | |||
| 244 | def protocolsettings(protocol): |
|
244 | def protocolsettings(minimumprotocol): | |
| 245 | """Resolve the protocol for a config value. |
|
245 | """Resolve the protocol for a config value. | |
| 246 |
|
246 | |||
| 247 | Returns a tuple of (protocol, options) which are values used by SSLContext. |
|
247 | Returns a tuple of (protocol, options) which are values used by SSLContext. | |
| 248 | """ |
|
248 | """ | |
| 249 | if protocol not in configprotocols: |
|
249 | if minimumprotocol not in configprotocols: | |
| 250 | raise ValueError(b'protocol value not supported: %s' % protocol) |
|
250 | raise ValueError(b'protocol value not supported: %s' % minimumprotocol) | |
| 251 |
|
251 | |||
| 252 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
|
252 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | |
| 253 | # that both ends support, including TLS protocols. On legacy stacks, |
|
253 | # that both ends support, including TLS protocols. On legacy stacks, | |
| @@ -259,10 +259,10 b' def protocolsettings(protocol):' | |||||
| 259 | # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and |
|
259 | # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and | |
| 260 | # disable protocols via SSLContext.options and OP_NO_* constants. |
|
260 | # disable protocols via SSLContext.options and OP_NO_* constants. | |
| 261 | if supportedprotocols == {b'tls1.0'}: |
|
261 | if supportedprotocols == {b'tls1.0'}: | |
| 262 | if protocol != b'tls1.0': |
|
262 | if minimumprotocol != b'tls1.0': | |
| 263 | raise error.Abort( |
|
263 | raise error.Abort( | |
| 264 | _(b'current Python does not support protocol setting %s') |
|
264 | _(b'current Python does not support protocol setting %s') | |
| 265 | % protocol, |
|
265 | % minimumprotocol, | |
| 266 | hint=_( |
|
266 | hint=_( | |
| 267 | b'upgrade Python or disable setting since ' |
|
267 | b'upgrade Python or disable setting since ' | |
| 268 | b'only TLS 1.0 is supported' |
|
268 | b'only TLS 1.0 is supported' | |
| @@ -274,12 +274,12 b' def protocolsettings(protocol):' | |||||
| 274 | # SSLv2 and SSLv3 are broken. We ban them outright. |
|
274 | # SSLv2 and SSLv3 are broken. We ban them outright. | |
| 275 | options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
|
275 | options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | |
| 276 |
|
276 | |||
| 277 | if protocol == b'tls1.0': |
|
277 | if minimumprotocol == b'tls1.0': | |
| 278 | # Defaults above are to use TLS 1.0+ |
|
278 | # Defaults above are to use TLS 1.0+ | |
| 279 | pass |
|
279 | pass | |
| 280 | elif protocol == b'tls1.1': |
|
280 | elif minimumprotocol == b'tls1.1': | |
| 281 | options |= ssl.OP_NO_TLSv1 |
|
281 | options |= ssl.OP_NO_TLSv1 | |
| 282 | elif protocol == b'tls1.2': |
|
282 | elif minimumprotocol == b'tls1.2': | |
| 283 | options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 |
|
283 | options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | |
| 284 | else: |
|
284 | else: | |
| 285 | raise error.Abort(_(b'this should not happen')) |
|
285 | raise error.Abort(_(b'this should not happen')) | |
| @@ -424,7 +424,7 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
| 424 | # reason, try to emit an actionable warning. |
|
424 | # reason, try to emit an actionable warning. | |
| 425 | if e.reason == 'UNSUPPORTED_PROTOCOL': |
|
425 | if e.reason == 'UNSUPPORTED_PROTOCOL': | |
| 426 | # We attempted TLS 1.0+. |
|
426 | # We attempted TLS 1.0+. | |
| 427 | if settings[b'protocolui'] == b'tls1.0': |
|
427 | if settings[b'minimumprotocolui'] == b'tls1.0': | |
| 428 | # We support more than just TLS 1.0+. If this happens, |
|
428 | # We support more than just TLS 1.0+. If this happens, | |
| 429 | # the likely scenario is either the client or the server |
|
429 | # the likely scenario is either the client or the server | |
| 430 | # is really old. (e.g. server doesn't support TLS 1.0+ or |
|
430 | # is really old. (e.g. server doesn't support TLS 1.0+ or | |
| @@ -469,7 +469,7 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
| 469 | b'to be more secure than the server can support)\n' |
|
469 | b'to be more secure than the server can support)\n' | |
| 470 | ) |
|
470 | ) | |
| 471 | % ( |
|
471 | % ( | |
| 472 | settings[b'protocolui'], |
|
472 | settings[b'minimumprotocolui'], | |
| 473 | pycompat.bytesurl(serverhostname), |
|
473 | pycompat.bytesurl(serverhostname), | |
| 474 | ) |
|
474 | ) | |
| 475 | ) |
|
475 | ) | |
General Comments 0
You need to be logged in to leave comments.
Login now