sslutil: only support TLS (BC)
In light of the POODLE[0] attack on SSLv3, let's just drop the ability to
use anything older than TLSv1 entirely.
This only fixes the client side. Another commit will fix the server
side. There are still a few SSLv[23] constants hiding in httpclient,
but I'll fix those separately upstream and import them when we're not
in a code freeze.
0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
--- a/mercurial/sslutil.py Wed Oct 22 16:10:23 2014 +0200
+++ b/mercurial/sslutil.py Tue Oct 21 17:01:23 2014 -0400
@@ -14,7 +14,6 @@
# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
CERT_REQUIRED = ssl.CERT_REQUIRED
- PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
cert_reqs=ssl.CERT_NONE, ca_certs=None):
@@ -29,7 +28,6 @@
except ImportError:
CERT_REQUIRED = 2
- PROTOCOL_SSLv23 = 2
PROTOCOL_TLSv1 = 3
import socket, httplib
@@ -103,12 +101,7 @@
exe.startswith('/system/library/frameworks/python.framework/'))
def sslkwargs(ui, host):
- forcetls = ui.configbool('ui', 'tls', default=True)
- if forcetls:
- ssl_version = PROTOCOL_TLSv1
- else:
- ssl_version = PROTOCOL_SSLv23
- kws = {'ssl_version': ssl_version,
+ kws = {'ssl_version': PROTOCOL_TLSv1,
}
hostfingerprint = ui.config('hostfingerprints', host)
if hostfingerprint: