100 % (key, protocol), |
100 % (key, protocol), |
101 hint=_(b'valid protocols: %s') |
101 hint=_(b'valid protocols: %s') |
102 % b' '.join(sorted(configprotocols)), |
102 % b' '.join(sorted(configprotocols)), |
103 ) |
103 ) |
104 |
104 |
105 # We default to TLS 1.1+ where we can because TLS 1.0 has known |
105 # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like |
106 # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to |
106 # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config |
107 # TLS 1.0+ via config options in case a legacy server is encountered. |
107 # options in case a legacy server is encountered. |
108 if supportedprotocols - {b'tls1.0'}: |
108 |
109 defaultminimumprotocol = b'tls1.1' |
109 # setup.py checks that either TLS 1.1 or TLS 1.2 is present, so the |
110 else: |
110 # following assert should not fail. |
111 # Let people know they are borderline secure. |
111 assert supportedprotocols - {b'tls1.0'} |
112 # We don't document this config option because we want people to see |
112 defaultminimumprotocol = b'tls1.1' |
113 # the bold warnings on the web site. |
|
114 # internal config: hostsecurity.disabletls10warning |
|
115 if not ui.configbool(b'hostsecurity', b'disabletls10warning'): |
|
116 ui.warn( |
|
117 _( |
|
118 b'warning: connecting to %s using legacy security ' |
|
119 b'technology (TLS 1.0); see ' |
|
120 b'https://mercurial-scm.org/wiki/SecureConnections for ' |
|
121 b'more info\n' |
|
122 ) |
|
123 % bhostname |
|
124 ) |
|
125 defaultminimumprotocol = b'tls1.0' |
|
126 |
113 |
127 key = b'minimumprotocol' |
114 key = b'minimumprotocol' |
128 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) |
115 minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) |
129 validateprotocol(minimumprotocol, key) |
116 validateprotocol(minimumprotocol, key) |
130 |
117 |