projects / mercurial.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 904e339)
openssl_3_cipher_tlsv1
authorDebian Python Team <team+python@tracker.debian.org>
Fri, 7 Oct 2022 12:26:54 +0000 (13:26 +0100)
committerJulien Cristau <jcristau@debian.org>
Fri, 7 Oct 2022 12:26:54 +0000 (13:26 +0100)
Tweak cipher selection further to make tls < 1.2 work with openssl 3

Ref: https://bugs.debian.org/1011076

Gbp-Pq: Name openssl_3_cipher_tlsv1.patch

mercurial/sslutil.py patch | blob | history
tests/test-https.t patch | blob | history

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index 5747ed92aba38e89ab2b7a504c268be7f4c15a36..b91da151d54f17f12168d88f64f061dfc6cca977 100644 (file)
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -122,7 +122,7 @@ def _hostsettings(ui, hostname):
     if ui.insecureconnections:
         minimumprotocol = b'tls1.0'
         if not ciphers:
-            ciphers = b'DEFAULT'
+            ciphers = b'DEFAULT:@SECLEVEL=0'
 
     s[b'minimumprotocol'] = minimumprotocol
     s[b'ciphers'] = ciphers
@@ -626,7 +626,7 @@ def wrapserversocket(
     # In tests, allow insecure ciphers
     # Otherwise, use the list of more secure ciphers if found in the ssl module.
     if exactprotocol:
-        sslcontext.set_ciphers('DEFAULT')
+        sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
     elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
         # pytype: disable=module-attr
diff --git a/tests/test-https.t b/tests/test-https.t
index b2e48760d3313857361d577124c6f3b1c6e7ae32..8fdbfa943256945a3c4f3180ff4fa9674b961f18 100644 (file)
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -361,9 +361,9 @@ Start servers running supported TLS versions
 
 Clients talking same TLS versions work
 
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
   5fed3813f7f5
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
   5fed3813f7f5
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
   5fed3813f7f5
@@ -405,7 +405,7 @@ Clients requiring newer TLS version than what server supports fail
 The per-host config option overrides the default
 
   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
-  > --config hostsecurity.ciphers=DEFAULT \
+  > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
   > --config hostsecurity.minimumprotocol=tls1.2 \
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
   5fed3813f7f5
Unnamed repository; edit this file 'description' to name the repository.