changeset 52316:a820a7a1fce0 default tip

setup: require TLS 1.2 support from the Python interpreter (BC) Before it was optional, and either 1.1 or 1.2 was sufficient. Now that the default minimum is 1.2, it needs to be present to work out of the box. The code here is more convoluted than the corresponding checks in `sslutil.py`, but I'm leaving it alone because it can all be simplified when py38 is dropped.
author Matt Harbison <matt_harbison@yahoo.com>
date Thu, 21 Nov 2024 11:46:10 -0500
parents d49144a1422f
children
files mercurial/sslutil.py setup.py
diffstat 2 files changed, 4 insertions(+), 7 deletions(-) [+]
--- a/mercurial/sslutil.py	Thu Nov 21 01:07:47 2024 -0500
+++ b/mercurial/sslutil.py	Thu Nov 21 11:46:10 2024 -0500
@@ -103,8 +103,8 @@
     # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
     # options in case a legacy server is encountered.
 
-    # setup.py checks that TLS 1.1 or TLS 1.2 is present, so the following
-    # assert should not fail.
+    # setup.py checks that TLS 1.2 is present, so the following assert should
+    # not fail.
     assert supportedprotocols - {b'tls1.0', b'tls1.1'}
     defaultminimumprotocol = b'tls1.2'
 
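Review bot: The updated comment says setup.py guarantees TLS 1.2, but that guarantee is only checked at install time, while the `assert` on the next line is the runtime check and is stripped under `python -O`, so an interpreter swapped in after installation (a different OpenSSL, or a rebuilt Python) can reach `defaultminimumprotocol = b'tls1.2'` with no check at all. The assertion also only proves that something beyond TLS 1.0/1.1 is in `supportedprotocols`, not TLS 1.2 specifically, which the comment now implies. I would make the comment say what is actually verified and where, e.g. `# setup.py refuses to install without TLS 1.2 support; this runtime assert (skipped under -O) only confirms something newer than TLS 1.1 is available.`, and, since this is a security default, consider replacing the assert with an explicit exception so the check survives `-O`. The enclosing function starts before this hunk.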
--- a/setup.py	Thu Nov 21 01:07:47 2024 -0500
+++ b/setup.py	Thu Nov 21 11:46:10 2024 -0500
@@ -32,15 +32,12 @@
 # were defined only if compiled against a OpenSSL version with TLS 1.1 / 1.2
 # support. At the mentioned commit, they were unconditionally defined.
 _notset = object()
-has_tlsv1_1 = getattr(ssl, 'HAS_TLSv1_1', _notset)
-if has_tlsv1_1 is _notset:
-    has_tlsv1_1 = getattr(ssl, 'PROTOCOL_TLSv1_1', _notset) is not _notset
 has_tlsv1_2 = getattr(ssl, 'HAS_TLSv1_2', _notset)
 if has_tlsv1_2 is _notset:
     has_tlsv1_2 = getattr(ssl, 'PROTOCOL_TLSv1_2', _notset) is not _notset
-if not (has_tlsv1_1 or has_tlsv1_2):
+if not has_tlsv1_2:
     error = """
-The `ssl` module does not advertise support for TLS 1.1 or TLS 1.2.
+The `ssl` module does not advertise support for TLS 1.2.
 Please make sure that your Python installation was compiled against an OpenSSL
 version enabling these features (likely this requires the OpenSSL version to
 be at least 1.0.1).
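Review bot: The unchanged tail of the error message still says `version enabling these features`, plural, although after this change only TLS 1.2 is required; `version enabling this feature` keeps the text consistent with the rewritten first line. Note also that `ssl.HAS_TLSv1_2` reports what the OpenSSL the interpreter was compiled against supports, so this stays an install-time check on the build interpreter; a runtime environment that disables the protocol by system policy, or a different interpreter used to run the installed package, would presumably not be caught here and relies on the runtime check in sslutil.py. The triple-quoted `error` string closes outside this hunk.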