openssl_3_cipher_tlsv1

author Debian Python Team <team+python@tracker.debian.org>

Tue, 7 Jun 2022 18:53:46 +0000 (19:53 +0100)

committer Julien Cristau <jcristau@debian.org>

Tue, 7 Jun 2022 18:53:46 +0000 (19:53 +0100)
author Debian Python Team <team+python@tracker.debian.org>
Tue, 7 Jun 2022 18:53:46 +0000 (19:53 +0100)
committer Julien Cristau <jcristau@debian.org>
Tue, 7 Jun 2022 18:53:46 +0000 (19:53 +0100)
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py

index fcb32bd911865586ad54892cf320cba5cac2da21..a0ab57a8934a701c51e6069790e49a7c8a014751 100644 (file)
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -123,7 +123,7 @@ def _hostsettings(ui, hostname):
      if ui.insecureconnections:
          minimumprotocol = b'tls1.0'
          if not ciphers:
-            ciphers = b'DEFAULT'
+            ciphers = b'DEFAULT:@SECLEVEL=0'
  
      s[b'minimumprotocol'] = minimumprotocol
      s[b'ciphers'] = ciphers
@@ -609,7 +609,7 @@ def wrapserversocket(
      # In tests, allow insecure ciphers
      # Otherwise, use the list of more secure ciphers if found in the ssl module.
      if exactprotocol:
-        sslcontext.set_ciphers('DEFAULT')
+        sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
      elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
          sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
          # pytype: disable=module-attr
diff --git a/tests/test-https.t b/tests/test-https.t

index dc3a57afcb893007fff74dc0fc5c3682033bdb04..68908b3aafc39100cc0d1adc7ea748d6b7b18bb7 100644 (file)
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -361,9 +361,9 @@ Start servers running supported TLS versions
  
  Clients talking same TLS versions work
  
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
    5fed3813f7f5
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
    5fed3813f7f5
    $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
    5fed3813f7f5
@@ -405,7 +405,7 @@ Clients requiring newer TLS version than what server supports fail
  The per-host config option overrides the default
  
    $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
-  > --config hostsecurity.ciphers=DEFAULT \
+  > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
    > --config hostsecurity.minimumprotocol=tls1.2 \
    > --config hostsecurity.localhost:minimumprotocol=tls1.0
    5fed3813f7f5
author	Debian Python Team <team+python@tracker.debian.org>
	Tue, 7 Jun 2022 18:53:46 +0000 (19:53 +0100)
committer	Julien Cristau <jcristau@debian.org>
	Tue, 7 Jun 2022 18:53:46 +0000 (19:53 +0100)
mercurial/sslutil.py		patch \| blob \| history
tests/test-https.t		patch \| blob \| history