27 # |
27 # |
28 # Depending on the version of Python being used, SSL/TLS support is either |
28 # Depending on the version of Python being used, SSL/TLS support is either |
29 # modern/secure or legacy/insecure. Many operations in this module have |
29 # modern/secure or legacy/insecure. Many operations in this module have |
30 # separate code paths depending on support in Python. |
30 # separate code paths depending on support in Python. |
31 |
31 |
32 configprotocols = set([ |
32 configprotocols = { |
33 'tls1.0', |
33 'tls1.0', |
34 'tls1.1', |
34 'tls1.1', |
35 'tls1.2', |
35 'tls1.2', |
36 ]) |
36 } |
37 |
37 |
38 hassni = getattr(ssl, 'HAS_SNI', False) |
38 hassni = getattr(ssl, 'HAS_SNI', False) |
39 |
39 |
40 # TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled |
40 # TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled |
41 # against doesn't support them. |
41 # against doesn't support them. |
42 supportedprotocols = set(['tls1.0']) |
42 supportedprotocols = {'tls1.0'} |
43 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'): |
43 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'): |
44 supportedprotocols.add('tls1.1') |
44 supportedprotocols.add('tls1.1') |
45 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'): |
45 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'): |
46 supportedprotocols.add('tls1.2') |
46 supportedprotocols.add('tls1.2') |
47 |
47 |
294 # only (as opposed to multiple versions). So the method for |
294 # only (as opposed to multiple versions). So the method for |
295 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and |
295 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and |
296 # disable protocols via SSLContext.options and OP_NO_* constants. |
296 # disable protocols via SSLContext.options and OP_NO_* constants. |
297 # However, SSLContext.options doesn't work unless we have the |
297 # However, SSLContext.options doesn't work unless we have the |
298 # full/real SSLContext available to us. |
298 # full/real SSLContext available to us. |
299 if supportedprotocols == set(['tls1.0']): |
299 if supportedprotocols == {'tls1.0'}: |
300 if protocol != 'tls1.0': |
300 if protocol != 'tls1.0': |
301 raise error.Abort(_('current Python does not support protocol ' |
301 raise error.Abort(_('current Python does not support protocol ' |
302 'setting %s') % protocol, |
302 'setting %s') % protocol, |
303 hint=_('upgrade Python or disable setting since ' |
303 hint=_('upgrade Python or disable setting since ' |
304 'only TLS 1.0 is supported')) |
304 'only TLS 1.0 is supported')) |
428 # We support more than just TLS 1.0+. If this happens, |
428 # We support more than just TLS 1.0+. If this happens, |
429 # the likely scenario is either the client or the server |
429 # the likely scenario is either the client or the server |
430 # is really old. (e.g. server doesn't support TLS 1.0+ or |
430 # is really old. (e.g. server doesn't support TLS 1.0+ or |
431 # client doesn't support modern TLS versions introduced |
431 # client doesn't support modern TLS versions introduced |
432 # several years from when this comment was written). |
432 # several years from when this comment was written). |
433 if supportedprotocols != set(['tls1.0']): |
433 if supportedprotocols != {'tls1.0'}: |
434 ui.warn(_( |
434 ui.warn(_( |
435 '(could not communicate with %s using security ' |
435 '(could not communicate with %s using security ' |
436 'protocols %s; if you are using a modern Mercurial ' |
436 'protocols %s; if you are using a modern Mercurial ' |
437 'version, consider contacting the operator of this ' |
437 'version, consider contacting the operator of this ' |
438 'server; see ' |
438 'server; see ' |