From: Debian Python Team
Date: Mon, 23 May 2022 10:21:07 +0000 (+0100)
Subject: _sslutil__be_less_strict_about_which_ciphers_are_allowed_when_using___insecure
X-Git-Tag: archive/raspbian/6.1.2-1+rpi1^2~12
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f8439931641f43db7f11e82348b3c57f4577d4dc;p=mercurial.git
_sslutil__be_less_strict_about_which_ciphers_are_allowed_when_using___insecure
# HG changeset patch
# User Julien Cristau
# Date 1649507032 -7200
# Sat Apr 09 14:23:52 2022 +0200
# Node ID c871c4fbc94f88e8c78a6bd4ece15d239cbdea10
# Parent 410916fc5935c7855c2cf4876d8311d34aabc29a
sslutil: be less strict about which ciphers are allowed when using --insecure
Python 3.10 restricted which ciphers are enabled by default, leading to no available ciphers for TLS < 1.2. When using the --insecure flag we allow old TLS, so also adjust the cipher list to give connections a chance to work.
On the server side, also loosen the cipher selection in tests (when using the devel.serverexactprotocol option).
Differential Revision: https://phab.mercurial-scm.org/D12489
Gbp-Pq: Topic py310
Gbp-Pq: Name 4_sslutil__be_less_strict_about_which_ciphers_are_allowed_when_using___insecure.patch
---
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index 38b670e..26a8ec2 100644
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -114,16 +114,18 @@ def _hostsettings(ui, hostname):
minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)
validateprotocol(minimumprotocol, key)

+ ciphers = ui.config(b'hostsecurity', b'ciphers')
+ ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
+
# If --insecure is used, we allow the use of TLS 1.0 despite config options.
# We always print a "connection security to %s is disabled..." message when
# --insecure is used. So no need to print anything more here.
if ui.insecureconnections:
minimumprotocol = b'tls1.0'
+ if not ciphers:
+ ciphers = b'DEFAULT'

s[b'minimumprotocol'] = minimumprotocol
-
- ciphers = ui.config(b'hostsecurity', b'ciphers')
- ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
s[b'ciphers'] = ciphers

# Look for fingerprints in [hostsecurity] section. Value is a list
@@ -603,8 +605,11 @@ def wrapserversocket(
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)

- # Use the list of more secure ciphers if found in the ssl module.
- if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+ # In tests, allow insecure ciphers
+ # Otherwise, use the list of more secure ciphers if found in the ssl module.
+ if exactprotocol:
+ sslcontext.set_ciphers('DEFAULT')
+ elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
# pytype: disable=module-attr
sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
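Review bot: The comment above the `if ui.insecureconnections:` block still says only that TLS 1.0 is allowed, but the added `ciphers = b'DEFAULT'` lines also replace the interpreter's cipher policy with OpenSSL's DEFAULT list whenever no `hostsecurity.ciphers` is configured, and the "connection security ... is disabled" message the comment relies on does not mention ciphers. I would reword it to `# If --insecure is used, we allow TLS 1.0 despite config options and, unless [hostsecurity] ciphers is set, fall back to OpenSSL's DEFAULT cipher list so old TLS has usable ciphers.` Note that this loosening applies to every --insecure connection, not only those that end up on TLS < 1.2: a TLS 1.2 peer can now negotiate suites that Python 3.10 deliberately excluded, so if that is not intended a narrower string that re-adds only what TLS 1.0/1.1 need would be preferable (I have not verified the exact OpenSSL string for that). _hostsettings starts before and continues after this hunk.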
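Review bot: The new `if exactprotocol:` branch skips `OP_CIPHER_SERVER_PREFERENCE`, which the `elif` branch below still sets; nothing in the description asks for server-side preference to be dropped, so hoist `sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)` above the `if` so both branches keep it. The comment `# In tests, allow insecure ciphers` does not say what makes this test-only; since `exactprotocol` comes from `devel.serverexactprotocol` per the description, I would write `# devel.serverexactprotocol (test-only) needs TLS 1.0/1.1 handshakes to succeed, so use OpenSSL's DEFAULT list instead of the restricted one.` Separately, `ssl._RESTRICTED_SERVER_CIPHERS` is a private name that I believe no longer exists on Python 3.10, the interpreter this patch targets; if so the `elif` is silently skipped there and the server applies no cipher policy at all, which is worth confirming. wrapserversocket starts before and continues after this hunk.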