openssl_3_cipher_tlsv1

author Debian Python Team <team+python@tracker.debian.org>

Thu, 20 Mar 2025 12:56:44 +0000 (13:56 +0100)

committer Julien Cristau <jcristau@debian.org>

Thu, 20 Mar 2025 12:56:44 +0000 (13:56 +0100)
author Debian Python Team <team+python@tracker.debian.org>
Thu, 20 Mar 2025 12:56:44 +0000 (13:56 +0100)
committer Julien Cristau <jcristau@debian.org>
Thu, 20 Mar 2025 12:56:44 +0000 (13:56 +0100)
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py

index 5747ed92aba38e89ab2b7a504c268be7f4c15a36..b91da151d54f17f12168d88f64f061dfc6cca977 100644 (file)
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -122,7 +122,7 @@ def _hostsettings(ui, hostname):
      if ui.insecureconnections:
          minimumprotocol = b'tls1.0'
          if not ciphers:
-            ciphers = b'DEFAULT'
+            ciphers = b'DEFAULT:@SECLEVEL=0'
  
      s[b'minimumprotocol'] = minimumprotocol
      s[b'ciphers'] = ciphers
@@ -626,7 +626,7 @@ def wrapserversocket(
      # In tests, allow insecure ciphers
      # Otherwise, use the list of more secure ciphers if found in the ssl module.
      if exactprotocol:
-        sslcontext.set_ciphers('DEFAULT')
+        sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
      elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
          sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
          # pytype: disable=module-attr
diff --git a/tests/test-https.t b/tests/test-https.t

index 26304ea0413b8fc565c4ae82f56399b8c5f71543..ff481a49174eee6323e05c809cc7c4426d8c8cd3 100644 (file)
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -361,9 +361,9 @@ Start servers running supported TLS versions
  
  Clients talking same TLS versions work
  
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
    5fed3813f7f5
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
    5fed3813f7f5
    $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
    5fed3813f7f5
@@ -405,7 +405,7 @@ Clients requiring newer TLS version than what server supports fail
  The per-host config option overrides the default
  
    $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
-  > --config hostsecurity.ciphers=DEFAULT \
+  > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
    > --config hostsecurity.minimumprotocol=tls1.2 \
    > --config hostsecurity.localhost:minimumprotocol=tls1.0
    5fed3813f7f5
author	Debian Python Team <team+python@tracker.debian.org>
	Thu, 20 Mar 2025 12:56:44 +0000 (13:56 +0100)
committer	Julien Cristau <jcristau@debian.org>
	Thu, 20 Mar 2025 12:56:44 +0000 (13:56 +0100)
mercurial/sslutil.py		patch \| blob \| history
tests/test-https.t		patch \| blob \| history