# HG changeset patch
# User Matt Harbison
# Date 1731113286 18000
# Node ID 94cf83d9a2c995da44a595cccebb8fb99e4f9c5a
# Parent f4aede0f01af2ae47a551eed30047391092a0191
sslutil: drop support for Python prior to 3.7

There's also a block of code around line 47 related to `ssl.HAS_TLSv1` to determine the supported protocols that references "Python 3.7", but I'm not altering that because the commit referenced there wasn't landed until just prior to the 3.9 release, and I'm not sure what flavors of py38 might not have a backport. Avoid de-indenting for now for a clearer text diff.

diff -r f4aede0f01af -r 94cf83d9a2c9 mercurial/sslutil.py
--- a/mercurial/sslutil.py Tue Nov 12 23:20:04 2024 +0100
+++ b/mercurial/sslutil.py Fri Nov 08 19:48:06 2024 -0500
@@ -312,8 +312,7 @@
 # is loaded and contains that removed CA, you've just undone the user's
 # choice.
- if hasattr(ssl, 'TLSVersion'):
- # python 3.7+
+ if True:
 sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 minimumprotocol = settings[b'minimumprotocol']
 if minimumprotocol == b'tls1.0':
@@ -339,12 +338,6 @@
 # Prevent CRIME.
 # There is no guarantee this attribute is defined on the module.
 sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
- else:
- # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
- # ends support, including TLS protocols. commonssloptions() restricts the
- # set of allowed protocols.
- sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
 # We check the hostname ourselves in _verifycert
 sslcontext.check_hostname = False
@@ -545,8 +538,7 @@
 _(b'referenced certificate file (%s) does not exist') % f
 )
- if hasattr(ssl, 'TLSVersion'):
- # python 3.7+
+ if True:
 sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
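Review bot: The `if True:` that replaces `if hasattr(ssl, 'TLSVersion'):` carries no in-code explanation, so a reader of sslutil.py sees a no-op condition with nothing telling them it is a deliberately deferred de-indent; the same applies to the server-side hunk at `@@ -545,8 +538,7 @@`. I would keep the commit message's rationale next to the code, e.g. `if True:  # TODO: de-indent; kept as a block so this changeset diffs cleanly (py3.7+ always has ssl.TLSVersion)`. The removed `else:` branches in the two deletion hunks also drop the only call sites of `commonssloptions()` visible in this diff; if no other caller remains, that helper is now dead code and could be removed in a follow-up. The enclosing function starts before this hunk and continues past it.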
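Review bot: Inside the new `if True:` block, `sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)` keeps a fallback that would silently leave TLS compression enabled if the constant were ever absent, which is exactly the CRIME exposure the option exists to close. With the floor now at Python 3.7 I believe every supported build exposes `ssl.OP_NO_COMPRESSION` (it is defined whenever the linked OpenSSL/LibreSSL has `SSL_OP_NO_COMPRESSION`, which all versions 3.7 accepts do), so this can become `sslcontext.options |= ssl.OP_NO_COMPRESSION` and fail loudly rather than quietly weaken the context; please confirm against the minimum OpenSSL Mercurial supports before changing it. The same line and its "no guarantee this attribute is defined" comment appear as context in the client-side hunk `@@ -339,12 +338,6 @@` and should be updated together with this one. The enclosing function starts before this hunk and its body continues past it.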
@@ -585,39 +577,6 @@
 _(b'invalid value for server-insecure-exact-protocol: %s')
 % exactprotocol
 )
- else:
- # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
- # ends support, including TLS protocols. commonssloptions() restricts the
- # set of allowed protocols.
- protocol = ssl.PROTOCOL_SSLv23
- options = commonssloptions(b'tls1.0')
-
- # This config option is intended for use in tests only. It is a giant
- # footgun to kill security. Don't define it.
- exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
- if exactprotocol == b'tls1.0':
- if b'tls1.0' not in supportedprotocols:
- raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
- protocol = ssl.PROTOCOL_TLSv1
- elif exactprotocol == b'tls1.1':
- if b'tls1.1' not in supportedprotocols:
- raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
- protocol = ssl.PROTOCOL_TLSv1_1
- elif exactprotocol == b'tls1.2':
- if b'tls1.2' not in supportedprotocols:
- raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
- protocol = ssl.PROTOCOL_TLSv1_2
- elif exactprotocol:
- raise error.Abort(
- _(b'invalid value for server-insecure-exact-protocol: %s')
- % exactprotocol
- )
-
- # We /could/ use create_default_context() here since it doesn't load
- # CAs when configured for client auth. However, it is hard-coded to
- # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
- sslcontext = ssl.SSLContext(protocol)
- sslcontext.options |= options
 # Improve forward secrecy.
 sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)