changeset 52285:94cf83d9a2c9
sslutil: drop support for Python prior to 3.7
There's also a block of code around line 47 related to `ssl.HAS_TLSv1` to
determine the supported protocols that references "Python 3.7", but I'm not
altering that because the commit referenced there wasn't landed until just prior
to the 3.9 release, and I'm not sure what flavors of py38 might not have a
backport.
Avoid de-indenting for now for a clearer text diff.
author | Matt Harbison <matt_harbison@yahoo.com> |
date | Fri, 08 Nov 2024 19:48:06 -0500 |
parents | f4aede0f01af |
children | f1b37ed41f01 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 2 insertions(+), 43 deletions(-) [+] |
--- a/mercurial/sslutil.py Tue Nov 12 23:20:04 2024 +0100 +++ b/mercurial/sslutil.py Fri Nov 08 19:48:06 2024 -0500 @@ -312,8 +312,7 @@ # is loaded and contains that removed CA, you've just undone the user's # choice. - if hasattr(ssl, 'TLSVersion'): - # python 3.7+ + if True: sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) minimumprotocol = settings[b'minimumprotocol'] if minimumprotocol == b'tls1.0': @@ -339,12 +338,6 @@ # Prevent CRIME. # There is no guarantee this attribute is defined on the module. sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) - else: - # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both - # ends support, including TLS protocols. commonssloptions() restricts the - # set of allowed protocols. - sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - sslcontext.options |= commonssloptions(settings[b'minimumprotocol']) # We check the hostname ourselves in _verifycert sslcontext.check_hostname = False @@ -545,8 +538,7 @@ _(b'referenced certificate file (%s) does not exist') % f ) - if hasattr(ssl, 'TLSVersion'): - # python 3.7+ + if True: sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) 
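Review bot: The `if True:` placeholder added in the first hunk (and again in the third, for the server context) carries no hint in the code that the indentation is being kept deliberately; that reasoning lives only in the commit message, so a later reader will take it for a leftover debugging toggle. A comment on the line, e.g. `# TODO: de-indent this block; kept as-is to keep the text diff readable`, would record the intent where it is seen. In the second hunk the removed `else:` branch was the client-side call of `commonssloptions()`, so whether that helper still has a caller after this series is worth checking. Both enclosing functions start and end outside these hunks.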
@@ -585,39 +577,6 @@ _(b'invalid value for server-insecure-exact-protocol: %s') % exactprotocol ) - else: - # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both - # ends support, including TLS protocols. commonssloptions() restricts the - # set of allowed protocols. - protocol = ssl.PROTOCOL_SSLv23 - options = commonssloptions(b'tls1.0') - - # This config option is intended for use in tests only. It is a giant - # footgun to kill security. Don't define it. - exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol') - if exactprotocol == b'tls1.0': - if b'tls1.0' not in supportedprotocols: - raise error.Abort(_(b'TLS 1.0 not supported by this Python')) - protocol = ssl.PROTOCOL_TLSv1 - elif exactprotocol == b'tls1.1': - if b'tls1.1' not in supportedprotocols: - raise error.Abort(_(b'TLS 1.1 not supported by this Python')) - protocol = ssl.PROTOCOL_TLSv1_1 - elif exactprotocol == b'tls1.2': - if b'tls1.2' not in supportedprotocols: - raise error.Abort(_(b'TLS 1.2 not supported by this Python')) - protocol = ssl.PROTOCOL_TLSv1_2 - elif exactprotocol: - raise error.Abort( - _(b'invalid value for server-insecure-exact-protocol: %s') - % exactprotocol - ) - - # We /could/ use create_default_context() here since it doesn't load - # CAs when configured for client auth. However, it is hard-coded to - # use ssl.PROTOCOL_SSLv23 which may not be appropriate here. - sslcontext = ssl.SSLContext(protocol) - sslcontext.options |= options # Improve forward secrecy. sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
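Review bot: This hunk deletes the server-side `commonssloptions(b'tls1.0')` call, and the client-side call goes in the earlier hunk; if no other caller remains, `commonssloptions()` (and the option-mask logic it carries) is now dead code and should be removed in a follow-up rather than left as a misleading hardening helper. The deleted branch also validated each `server-insecure-exact-protocol` value against `supportedprotocols` before raising `TLS 1.x not supported by this Python`; the surviving new-side handling of that option sits above the hunk, as the `invalid value for server-insecure-exact-protocol` context line shows, so it is worth confirming it still rejects versions the linked OpenSSL cannot provide instead of silently widening what a test can request. The commit message keeps the `ssl.HAS_TLSv1` block near line 47, so `supportedprotocols` itself stays live. The enclosing function begins and ends outside the hunk.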