sslutil: allow TLS 1.0 when --insecure is used
--insecure is our psuedo-supported footgun for disabling connection
security.
The flag already disables CA verification. I think allowing the use of
TLS 1.0 when specified is appropriate.
--- a/mercurial/sslutil.py Tue Jul 19 19:57:34 2016 -0700
+++ b/mercurial/sslutil.py Tue Jul 19 20:16:51 2016 -0700
@@ -181,6 +181,12 @@
protocol = ui.config('hostsecurity', key, protocol)
validateprotocol(protocol, key)
+ # If --insecure is used, we allow the use of TLS 1.0 despite config options.
+ # We always print a "connection security to %s is disabled..." message when
+ # --insecure is used. So no need to print anything more here.
+ if ui.insecureconnections:
+ protocol = 'tls1.0'
+
s['protocol'], s['ctxoptions'] = protocolsettings(protocol)
ciphers = ui.config('hostsecurity', 'ciphers')
--- a/tests/test-https.t Tue Jul 19 19:57:34 2016 -0700
+++ b/tests/test-https.t Tue Jul 19 20:16:51 2016 -0700
@@ -486,6 +486,12 @@
abort: error: *unsupported protocol* (glob)
[255]
+--insecure will allow TLS 1.0 connections and override configs
+
+ $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
+ warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
+ 5fed3813f7f5
+
The per-host config option overrides the default
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \