Manuel Jacob <me@manueljacob.de> [Fri, 29 May 2020 22:47:58 +0200] rev 44953
sslutil: remove comment referring to unsupported legacy stacks
Manuel Jacob <me@manueljacob.de> [Sat, 30 May 2020 23:42:19 +0200] rev 44952
setup: require that Python has TLS 1.1 or TLS 1.2
This ensures that Mercurial never downgrades the minimum TLS version from
TLS 1.1+ to TLS 1.0+ and enables us to remove that compatibility code.
It is reasonable to expect that distributions having Python 2.7.9+ or having
backported modern features to the ssl module (which we require) have a OpenSSL
version supporting TLS 1.1 or TLS 1.2, as this is the main reason why
distributions would want to backport these features.
TLS 1.1 and TLS 1.2 are often either both enabled or both not enabled.
However, both can be disabled independently, at least on current Python /
OpenSSL versions.
For the record, I contacted the CPython developers to remark that
unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is
problematic:
https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 12:07:17 +0200] rev 44951
sslutil: check for OpenSSL without TLS 1.0 support in one case
It can only happen if supportedprotocols gets fixed to contain only correct
items (see the FIXME above in the file).
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 11:10:21 +0200] rev 44950
sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available
This case isn't very likely, but possible, especially if supportedprotocols
gets fixed to contain only correct items (see the FIXME above in the file).
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 11:41:03 +0200] rev 44949
sslutil: add FIXME about supportedprotocols possibly containing too many items
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 10:47:38 +0200] rev 44948
sslutil: fix names of variables containing minimum protocol strings
When working in this module, I found it very confusing that "protocol" as a
variable name could mean either "minimum protocol string" or an exact version
(as a string or ssl.PROTOCOL_* value). This patch prefixes variables of the
former type with "minimum".
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 09:55:45 +0200] rev 44947
sslutil: stop returning argument as third return value of protocolsettings()
The third return value was always the same as the argument.
Manuel Jacob <me@manueljacob.de> [Sat, 30 May 2020 23:18:57 +0200] rev 44946
relnotes: note that we now require modern SSL/TLS features in Python