configitems: make devel.serverexactprotocol look dangerous
Because it is.
--- a/i18n/ja.po Thu Apr 13 04:12:31 2023 +0200
+++ b/i18n/ja.po Thu Apr 13 11:28:48 2023 +0200
@@ -37064,8 +37064,8 @@
msgstr "利用中の Python では TLS 1.2 が未サポートです"
#, python-format
-msgid "invalid value for serverexactprotocol: %s"
-msgstr "不正な serverexactprotocol 指定値: %s"
+msgid "invalid value for server-insecure-exact-protocol: %s"
+msgstr "不正な server-insecure-exact-protocol 指定値: %s"
#, python-format
msgid "too many wildcards in certificate DNS name: %s"
--- a/i18n/pt_BR.po Thu Apr 13 04:12:31 2023 +0200
+++ b/i18n/pt_BR.po Thu Apr 13 11:28:48 2023 +0200
@@ -38342,8 +38342,8 @@
msgstr "TLS 1.2 não é suportado por esta versão do Python"
#, python-format
-msgid "invalid value for serverexactprotocol: %s"
-msgstr "valor inválido para serverexactprotocol: %s"
+msgid "invalid value for server-insecure-exact-protocol: %s"
+msgstr "valor inválido para server-insecure-exact-protocol: %s"
#, python-format
msgid "too many wildcards in certificate DNS name: %s"
--- a/mercurial/configitems.py Thu Apr 13 04:12:31 2023 +0200
+++ b/mercurial/configitems.py Thu Apr 13 11:28:48 2023 +0200
@@ -688,9 +688,11 @@
b'servercafile',
default=b'',
)
+# This config option is intended for use in tests only. It is a giant
+# footgun to kill security. Don't define it.
coreconfigitem(
b'devel',
- b'serverexactprotocol',
+ b'server-insecure-exact-protocol',
default=b'',
)
coreconfigitem(
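Review bot: The comment added above the `devel.server-insecure-exact-protocol` item says the option kills security but not what it does, so a reader of configitems.py has to go to sslutil.py to learn why. I would extend it with one line such as `# It pins the server to exactly one TLS version (tls1.0, tls1.1 or tls1.2), including deprecated ones.`, which matches the values used in tests/test-https.t. No alias is registered for the old name, so a leftover `devel.serverexactprotocol` setting is presumably ignored from now on. That fails safe, but a test setup outside this repository would then quietly exercise the default protocol, which is worth a release-note line.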
--- a/mercurial/sslutil.py Thu Apr 13 04:12:31 2023 +0200
+++ b/mercurial/sslutil.py Thu Apr 13 11:28:48 2023 +0200
@@ -553,7 +553,7 @@
# This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it.
- exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+ exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
if exactprotocol == b'tls1.0':
if b'tls1.0' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
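Review bot: Nothing visible at this `ui.config(b'devel', b'server-insecure-exact-protocol')` read reports at runtime that the option is active, so a server started with it pins its TLS version without leaving any trace in its output or logs. The rename makes the option look dangerous in a config file, but an operator looking at a running server gets no signal. I would add, right after the read, `if exactprotocol:` followed by `ui.warn(_(b'warning: devel.server-insecure-exact-protocol=%s pins the TLS version; for tests only\n') % exactprotocol)`. The same applies to the second read in the hunk at -594, and the expected output in tests/test-https.t may need adjusting if the warning reaches the test's captured output. The enclosing function starts and ends outside this hunk, so an existing warning elsewhere in it cannot be ruled out.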
@@ -583,7 +583,8 @@
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
elif exactprotocol:
raise error.Abort(
- _(b'invalid value for serverexactprotocol: %s') % exactprotocol
+ _(b'invalid value for server-insecure-exact-protocol: %s')
+ % exactprotocol
)
else:
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
@@ -594,7 +595,7 @@
# This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it.
- exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+ exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
if exactprotocol == b'tls1.0':
if b'tls1.0' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
@@ -609,7 +610,8 @@
protocol = ssl.PROTOCOL_TLSv1_2
elif exactprotocol:
raise error.Abort(
- _(b'invalid value for serverexactprotocol: %s') % exactprotocol
+ _(b'invalid value for server-insecure-exact-protocol: %s')
+ % exactprotocol
)
# We /could/ use create_default_context() here since it doesn't load
--- a/tests/test-https.t Thu Apr 13 04:12:31 2023 +0200
+++ b/tests/test-https.t Thu Apr 13 11:28:48 2023 +0200
@@ -344,13 +344,13 @@
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
- > --config devel.serverexactprotocol=tls1.0
+ > --config devel.server-insecure-exact-protocol=tls1.0
$ cat ../hg0.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
- > --config devel.serverexactprotocol=tls1.1
+ > --config devel.server-insecure-exact-protocol=tls1.1
$ cat ../hg1.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
- > --config devel.serverexactprotocol=tls1.2
+ > --config devel.server-insecure-exact-protocol=tls1.2
$ cat ../hg2.pid >> $DAEMON_PIDS
$ cd ..