changeset 44950:abcd6db1f2cc

sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available This case isn't very likely, but possible, especially if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).
author Manuel Jacob <me@manueljacob.de>
date Sun, 31 May 2020 11:10:21 +0200
parents 4942c1bdd080
children dd7c4a208a4e
files mercurial/sslutil.py
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Sun May 31 11:41:03 2020 +0200
+++ b/mercurial/sslutil.py	Sun May 31 11:10:21 2020 +0200
@@ -105,7 +105,7 @@
     # We default to TLS 1.1+ where we can because TLS 1.0 has known
     # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
     # TLS 1.0+ via config options in case a legacy server is encountered.
-    if b'tls1.1' in supportedprotocols:
+    if supportedprotocols - {b'tls1.0'}:
         defaultminimumprotocol = b'tls1.1'
     else:
         # Let people know they are borderline secure.