Mercurial Mercurial > hg / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | zip | gz | bz2 | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: set context security level for legacy tls testing (issue6760) stable
authorpacien <pacien.trangirard@pacien.net>
Wed, 12 Apr 2023 17:28:39 +0200
branchstable
changeset 50342 c54e9bb5737e
parent 50341 698ffff7024b
child 50343 83ea6ce48b4f
sslutil: set context security level for legacy tls testing (issue6760) Current versions of OpenSSL do not allow the use of TLS <1.2 when the library's security level is >=1 (1 being the default on most distributions). Setting the security level in addition to the minimum protocol is therefore necessary for the legacy protocol tests. This is done here ONLY when testing, when: - explicitly setting the cipher string, or - using the "--insecure" flag, or - using the "devel.serverexactprotocol" testing option. See: https://github.com/openssl/openssl/blob/master/NEWS.md#major-changes-between-openssl-30-and-openssl-310-14-mar-2023
mercurial/sslutil.py file | annotate | diff | comparison | revisions
tests/test-https.t file | annotate | diff | comparison | revisions 
--- a/mercurial/sslutil.py	Thu Apr 13 11:28:48 2023 +0200
+++ b/mercurial/sslutil.py	Wed Apr 12 17:28:39 2023 +0200
@@ -122,7 +122,7 @@
     if ui.insecureconnections:
         minimumprotocol = b'tls1.0'
         if not ciphers:
-            ciphers = b'DEFAULT'
+            ciphers = b'DEFAULT:@SECLEVEL=0'
 
     s[b'minimumprotocol'] = minimumprotocol
     s[b'ciphers'] = ciphers
@@ -627,7 +627,7 @@
     # In tests, allow insecure ciphers
     # Otherwise, use the list of more secure ciphers if found in the ssl module.
     if exactprotocol:
-        sslcontext.set_ciphers('DEFAULT')
+        sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
     elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
         # pytype: disable=module-attr
--- a/tests/test-https.t	Thu Apr 13 11:28:48 2023 +0200
+++ b/tests/test-https.t	Wed Apr 12 17:28:39 2023 +0200
@@ -356,9 +356,9 @@
 
 Clients talking same TLS versions work
 
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT/
   5fed3813f7f5
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" id https://localhost:$HGPORT1/
   5fed3813f7f5
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
   5fed3813f7f5
@@ -400,7 +400,7 @@
 The per-host config option overrides the default
 
   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
-  > --config hostsecurity.ciphers=DEFAULT \
+  > --config hostsecurity.ciphers="DEFAULT:@SECLEVEL=0" \
   > --config hostsecurity.minimumprotocol=tls1.2 \
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
   5fed3813f7f5
Mercurial