Mon, 01 Jun 2020 14:34:22 +0200 sslutil: propagate return value ssl.PROTOCOL_SSLv23 from protocolsettings()
Manuel Jacob <me@manueljacob.de> [Mon, 01 Jun 2020 14:34:22 +0200] rev 44960
sslutil: propagate return value ssl.PROTOCOL_SSLv23 from protocolsettings() Also, protocolsettings() was renamed to commonssloptions() to reflect that only the options are returned.
Mon, 01 Jun 2020 14:20:13 +0200 sslutil: stop storing protocol and options for SSLContext in settings dict
Manuel Jacob <me@manueljacob.de> [Mon, 01 Jun 2020 14:20:13 +0200] rev 44959
sslutil: stop storing protocol and options for SSLContext in settings dict Call protocolsettings() where its return values are needed.
Mon, 01 Jun 2020 14:07:06 +0200 sslutil: rename 'minimumprotocolui' -> 'minimumprotocol'
Manuel Jacob <me@manueljacob.de> [Mon, 01 Jun 2020 14:07:06 +0200] rev 44958
sslutil: rename 'minimumprotocolui' -> 'minimumprotocol' Before, both 'minimumprotocolui' and 'minimumprotocol' were used, but meaning the same.
Mon, 01 Jun 2020 03:51:54 +0200 sslutil: properly detect which TLS versions are supported by the ssl module
Manuel Jacob <me@manueljacob.de> [Mon, 01 Jun 2020 03:51:54 +0200] rev 44957
sslutil: properly detect which TLS versions are supported by the ssl module For the record, I contacted the CPython developers to remark that unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is problematic: https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316
Sun, 31 May 2020 22:31:49 +0200 sslutil: remove dead code (that failed if only TLS 1.0 is available)
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 22:31:49 +0200] rev 44956
sslutil: remove dead code (that failed if only TLS 1.0 is available) We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.
Sun, 31 May 2020 00:30:49 +0200 config: remove unused hostsecurity.disabletls10warning config
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 00:30:49 +0200] rev 44955
config: remove unused hostsecurity.disabletls10warning config
Sun, 31 May 2020 22:15:35 +0200 sslutil: remove dead code (that downgraded default minimum TLS version)
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 22:15:35 +0200] rev 44954
sslutil: remove dead code (that downgraded default minimum TLS version) We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.
Fri, 29 May 2020 22:47:58 +0200 sslutil: remove comment referring to unsupported legacy stacks
Manuel Jacob <me@manueljacob.de> [Fri, 29 May 2020 22:47:58 +0200] rev 44953
sslutil: remove comment referring to unsupported legacy stacks
Sat, 30 May 2020 23:42:19 +0200 setup: require that Python has TLS 1.1 or TLS 1.2
Manuel Jacob <me@manueljacob.de> [Sat, 30 May 2020 23:42:19 +0200] rev 44952
setup: require that Python has TLS 1.1 or TLS 1.2 This ensures that Mercurial never downgrades the minimum TLS version from TLS 1.1+ to TLS 1.0+ and enables us to remove that compatibility code. It is reasonable to expect that distributions having Python 2.7.9+ or having backported modern features to the ssl module (which we require) have a OpenSSL version supporting TLS 1.1 or TLS 1.2, as this is the main reason why distributions would want to backport these features. TLS 1.1 and TLS 1.2 are often either both enabled or both not enabled. However, both can be disabled independently, at least on current Python / OpenSSL versions. For the record, I contacted the CPython developers to remark that unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is problematic: https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316
Sun, 31 May 2020 12:07:17 +0200 sslutil: check for OpenSSL without TLS 1.0 support in one case
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 12:07:17 +0200] rev 44951
sslutil: check for OpenSSL without TLS 1.0 support in one case It can only happen if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).
Sun, 31 May 2020 11:10:21 +0200 sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 11:10:21 +0200] rev 44950
sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available This case isn't very likely, but possible, especially if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).
Sun, 31 May 2020 11:41:03 +0200 sslutil: add FIXME about supportedprotocols possibly containing too many items
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 11:41:03 +0200] rev 44949
sslutil: add FIXME about supportedprotocols possibly containing too many items
Sun, 31 May 2020 10:47:38 +0200 sslutil: fix names of variables containing minimum protocol strings
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 10:47:38 +0200] rev 44948
sslutil: fix names of variables containing minimum protocol strings When working in this module, I found it very confusing that "protocol" as a variable name could mean either "minimum protocol string" or an exact version (as a string or ssl.PROTOCOL_* value). This patch prefixes variables of the former type with "minimum".
Sun, 31 May 2020 09:55:45 +0200 sslutil: stop returning argument as third return value of protocolsettings()
Manuel Jacob <me@manueljacob.de> [Sun, 31 May 2020 09:55:45 +0200] rev 44947
sslutil: stop returning argument as third return value of protocolsettings() The third return value was always the same as the argument.
Sat, 30 May 2020 23:18:57 +0200 relnotes: note that we now require modern SSL/TLS features in Python
Manuel Jacob <me@manueljacob.de> [Sat, 30 May 2020 23:18:57 +0200] rev 44946
relnotes: note that we now require modern SSL/TLS features in Python
Sat, 30 May 2020 19:04:53 +0200 tests: stop checking for optional, now impossible output
Manuel Jacob <me@manueljacob.de> [Sat, 30 May 2020 19:04:53 +0200] rev 44945
tests: stop checking for optional, now impossible output In 7dd63a8cb1ee, the code that could output that line was removed.
(0) -30000 -10000 -3000 -1000 -300 -100 -16 +16 +100 +300 +1000 +3000 tip