_sslutil__be_less_strict_about_which_ciphers_are_allowed_when_using___insecure

# HG changeset patch
# User Julien Cristau <jcristau@debian.org>
# Date 1649507032 -7200
#      Sat Apr 09 14:23:52 2022 +0200
# Node ID c871c4fbc94f88e8c78a6bd4ece15d239cbdea10
# Parent  410916fc5935c7855c2cf4876d8311d34aabc29a
sslutil: be less strict about which ciphers are allowed when using --insecure

Python 3.10 restricted which ciphers are enabled by default, leading to
no available ciphers for TLS < 1.2.  When using the --insecure flag we
allow old TLS, so also adjust the cipher list to give connections a
chance to work.

On the server side, also loosen the cipher selection in tests (when
using the devel.serverexactprotocol option).

Differential Revision: https://phab.mercurial-scm.org/D12489

Gbp-Pq: Topic py310
Gbp-Pq: Name 4_sslutil__be_less_strict_about_which_ciphers_are_allowed_when_using___insecure.patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index 38b670ecfbb801f608a9ccc1eff6fc7f3106368a..26a8ec28717729fe7e8391b19e029cce079c61d9 100644 (file)
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -114,16 +114,18 @@ def _hostsettings(ui, hostname):
     minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)
     validateprotocol(minimumprotocol, key)
 
+    ciphers = ui.config(b'hostsecurity', b'ciphers')
+    ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
+
     # If --insecure is used, we allow the use of TLS 1.0 despite config options.
     # We always print a "connection security to %s is disabled..." message when
     # --insecure is used. So no need to print anything more here.
     if ui.insecureconnections:
         minimumprotocol = b'tls1.0'
+        if not ciphers:
+            ciphers = b'DEFAULT'
 
     s[b'minimumprotocol'] = minimumprotocol
-
-    ciphers = ui.config(b'hostsecurity', b'ciphers')
-    ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
     s[b'ciphers'] = ciphers
 
     # Look for fingerprints in [hostsecurity] section. Value is a list
@@ -603,8 +605,11 @@ def wrapserversocket(
     sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
     sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
 
-    # Use the list of more secure ciphers if found in the ssl module.
-    if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+    # In tests, allow insecure ciphers
+    # Otherwise, use the list of more secure ciphers if found in the ssl module.
+    if exactprotocol:
+        sslcontext.set_ciphers('DEFAULT')
+    elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
         # pytype: disable=module-attr
         sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)