Mercurial > hg
changeset 23850:e1931f7cd977
sslutil: use saner TLS settings on Python 2.7.9
Asking for TLSv1 locks us out of TLSv1_2 etc. This is at least less
bad. Ideally we'd use ssl.create_default_context(), but that causes
more mayhem in the testsuite than I really want to deal with right
now.
author | Augie Fackler <augie@google.com> |
---|---|
date | Wed, 14 Jan 2015 15:46:00 -0500 |
parents | 58080815f667 |
children | 948a8ca27152 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 11 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Wed Jan 14 15:31:16 2015 -0500 +++ b/mercurial/sslutil.py Wed Jan 14 15:46:00 2015 -0500 @@ -20,7 +20,17 @@ def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE, ca_certs=None, serverhostname=None): - sslcontext = ssl.SSLContext(PROTOCOL_TLSv1) + # Allow any version of SSL starting with TLSv1 and + # up. Note that specifying TLSv1 here prohibits use of + # newer standards (like TLSv1_2), so this is the right way + # to do this. Note that in the future it'd be better to + # support using ssl.create_default_context(), which sets + # up a bunch of things in smart ways (strong ciphers, + # protocol versions, etc) and is upgraded by Python + # maintainers for us, but that breaks too many things to + # do it in a hurry. + sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3 if certfile is not None: sslcontext.load_cert_chain(certfile, keyfile) sslcontext.verify_mode = cert_reqs