Mercurial > hg
changeset 29617:2960ceee1948 stable
sslutil: allow TLS 1.0 when --insecure is used
--insecure is our psuedo-supported footgun for disabling connection
security.
The flag already disables CA verification. I think allowing the use of
TLS 1.0 when specified is appropriate.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Tue, 19 Jul 2016 20:16:51 -0700 |
parents | 3fde328d0913 |
children | fbf4adc0d8f2 |
files | mercurial/sslutil.py tests/test-https.t |
diffstat | 2 files changed, 12 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Tue Jul 19 19:57:34 2016 -0700 +++ b/mercurial/sslutil.py Tue Jul 19 20:16:51 2016 -0700 @@ -181,6 +181,12 @@ protocol = ui.config('hostsecurity', key, protocol) validateprotocol(protocol, key) + # If --insecure is used, we allow the use of TLS 1.0 despite config options. + # We always print a "connection security to %s is disabled..." message when + # --insecure is used. So no need to print anything more here. + if ui.insecureconnections: + protocol = 'tls1.0' + s['protocol'], s['ctxoptions'] = protocolsettings(protocol) ciphers = ui.config('hostsecurity', 'ciphers')
--- a/tests/test-https.t Tue Jul 19 19:57:34 2016 -0700 +++ b/tests/test-https.t Tue Jul 19 20:16:51 2016 -0700 @@ -486,6 +486,12 @@ abort: error: *unsupported protocol* (glob) [255] +--insecure will allow TLS 1.0 connections and override configs + + $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ + warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering + 5fed3813f7f5 + The per-host config option overrides the default $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \