sslutil: use saner TLS settings on Python 2.7.9
Asking for PROTOCOL_TLSv1 pins the handshake to TLS 1.0 and locks us out of TLS 1.1/1.2 etc. This is at least less
bad. Ideally we'd use ssl.create_default_context(), but that causes
more mayhem in the testsuite than I really want to deal with right
now.
--- a/mercurial/sslutil.py Wed Jan 14 15:31:16 2015 -0500
+++ b/mercurial/sslutil.py Wed Jan 14 15:46:00 2015 -0500
@@ -20,7 +20,17 @@
def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
ca_certs=None, serverhostname=None):
- sslcontext = ssl.SSLContext(PROTOCOL_TLSv1)
+ # Allow any version of SSL starting with TLSv1 and
+ # up. Note that specifying TLSv1 here prohibits use of
+ # newer standards (like TLSv1_2), so this is the right way
+ # to do this. Note that in the future it'd be better to
+ # support using ssl.create_default_context(), which sets
+ # up a bunch of things in smart ways (strong ciphers,
+ # protocol versions, etc) and is upgraded by Python
+ # maintainers for us, but that breaks too many things to
+ # do it in a hurry.
+ sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
if certfile is not None:
sslcontext.load_cert_chain(certfile, keyfile)
sslcontext.verify_mode = cert_reqs
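Review bot: The option update on the line `sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3` does not do what the comment above it promises: `&=` only keeps bits that are already set and never sets new ones, and the AND of two distinct single-bit flags is zero, so this statement clears every option on the context (including any defaults Python/OpenSSL already set) while disabling neither SSLv2 nor SSLv3. Since the context is now PROTOCOL_SSLv23, a peer that only offers SSLv3 will still get it, which is exactly the downgrade the commit says it wants to prevent. The line should be `sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`. It is worth adding a one-line comment there, `# OR the flags in: OP_NO_* are bitmask options, so |= is the only form that disables a protocol`, since this mistake is easy to reintroduce. The body of ssl_wrap_socket appears to continue past the end of this hunk, so the rest of the context setup was not reviewed here.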