setup: require TLS 1.2 support from the Python interpreter (BC)
Previously, TLS 1.2 support was optional, and either 1.1 or 1.2 was sufficient.
Now that the default minimum is 1.2, it must be present to work out of the box.
The code here is more convoluted than the corresponding checks in `sslutil.py`,
but I'm leaving it alone because it can all be simplified when py38 is dropped.
--- a/mercurial/sslutil.py Thu Nov 21 01:07:47 2024 -0500
+++ b/mercurial/sslutil.py Thu Nov 21 11:46:10 2024 -0500
@@ -103,8 +103,8 @@
# BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
# options in case a legacy server is encountered.
- # setup.py checks that TLS 1.1 or TLS 1.2 is present, so the following
- # assert should not fail.
+ # setup.py checks that TLS 1.2 is present, so the following assert should
+ # not fail.
assert supportedprotocols - {b'tls1.0', b'tls1.1'}
defaultminimumprotocol = b'tls1.2'
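Review bot: The reworded comment relies on a build-time check in setup.py, but the guard directly below it is an `assert`, which is stripped when Python runs with `-O`, and the interpreter that imports this module is not necessarily the one that ran setup.py. With `b'tls1.2'` as the default minimum, an explicit test such as `if b'tls1.2' not in supportedprotocols:` followed by a raised error would keep the guarantee at runtime. The set difference also succeeds for any entry other than tls1.0/tls1.1, which equals "TLS 1.2 is present" only if `supportedprotocols` can hold nothing else; its definition lies outside this hunk, so that should be confirmed.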
--- a/setup.py Thu Nov 21 01:07:47 2024 -0500
+++ b/setup.py Thu Nov 21 11:46:10 2024 -0500
@@ -32,15 +32,12 @@
# were defined only if compiled against a OpenSSL version with TLS 1.1 / 1.2
# support. At the mentioned commit, they were unconditionally defined.
_notset = object()
-has_tlsv1_1 = getattr(ssl, 'HAS_TLSv1_1', _notset)
-if has_tlsv1_1 is _notset:
- has_tlsv1_1 = getattr(ssl, 'PROTOCOL_TLSv1_1', _notset) is not _notset
has_tlsv1_2 = getattr(ssl, 'HAS_TLSv1_2', _notset)
if has_tlsv1_2 is _notset:
has_tlsv1_2 = getattr(ssl, 'PROTOCOL_TLSv1_2', _notset) is not _notset
-if not (has_tlsv1_1 or has_tlsv1_2):
+if not has_tlsv1_2:
error = """
-The `ssl` module does not advertise support for TLS 1.1 or TLS 1.2.
+The `ssl` module does not advertise support for TLS 1.2.
Please make sure that your Python installation was compiled against an OpenSSL
version enabling these features (likely this requires the OpenSSL version to
be at least 1.0.1).
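Review bot: The error text still reads `version enabling these features` although the check now covers TLS 1.2 alone; `version enabling this feature` would match the rewritten first sentence. The comment at the top of the hunk also still refers to "TLS 1.1 / 1.2", which is fine as history but could note that only the 1.2 flag is consulted now. `HAS_TLSv1_2` and `PROTOCOL_TLSv1_2` describe what the `ssl` module advertises, so passing this check presumably does not show that the OpenSSL configuration in effect at runtime permits TLS 1.2. The error string continues past the end of the hunk.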