sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available
authorManuel Jacob <me@manueljacob.de>
Sun, 31 May 2020 11:10:21 +0200
changeset 44891 abcd6db1f2cc
parent 44890 4942c1bdd080
child 44892 dd7c4a208a4e
sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available This case isn't very likely, but possible, especially if supportedprotocols gets fixed to contain only correct items (see the FIXME above in the file).
mercurial/sslutil.py
--- a/mercurial/sslutil.py	Sun May 31 11:41:03 2020 +0200
+++ b/mercurial/sslutil.py	Sun May 31 11:10:21 2020 +0200
@@ -105,7 +105,7 @@
     # We default to TLS 1.1+ where we can because TLS 1.0 has known
     # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
     # TLS 1.0+ via config options in case a legacy server is encountered.
-    if b'tls1.1' in supportedprotocols:
+    if supportedprotocols - {b'tls1.0'}:
         defaultminimumprotocol = b'tls1.1'
     else:
         # Let people know they are borderline secure.