From 071ec33bf114f99637efa18493ef9a88355d633d Mon Sep 17 00:00:00 2001
From: Debian Python Team <team+python@tracker.debian.org>
Date: Wed, 7 Dec 2022 12:59:55 +0000
Subject: [PATCH] openssl_3_cipher_tlsv1

Tweak cipher selection further to make tls < 1.2 work with openssl 3

Ref: https://bugs.debian.org/1011076


Gbp-Pq: Name openssl_3_cipher_tlsv1.patch
---
 mercurial/sslutil.py | 4 ++--
 tests/test-https.t   | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
index 5747ed9..b91da15 100644
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -122,7 +122,7 @@ def _hostsettings(ui, hostname):
     if ui.insecureconnections:
         minimumprotocol = b'tls1.0'
         if not ciphers:
-            ciphers = b'DEFAULT'
+            ciphers = b'DEFAULT:@SECLEVEL=0'
 
     s[b'minimumprotocol'] = minimumprotocol
     s[b'ciphers'] = ciphers
@@ -626,7 +626,7 @@ def wrapserversocket(
     # In tests, allow insecure ciphers
     # Otherwise, use the list of more secure ciphers if found in the ssl module.
     if exactprotocol:
-        sslcontext.set_ciphers('DEFAULT')
+        sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
     elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
         # pytype: disable=module-attr
diff --git a/tests/test-https.t b/tests/test-https.t
index 26304ea..ff481a4 100644
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -361,9 +361,9 @@ Start servers running supported TLS versions
 
 Clients talking same TLS versions work
 
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
   5fed3813f7f5
-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
   5fed3813f7f5
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
   5fed3813f7f5
@@ -405,7 +405,7 @@ Clients requiring newer TLS version than what server supports fail
 The per-host config option overrides the default
 
   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
-  > --config hostsecurity.ciphers=DEFAULT \
+  > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
   > --config hostsecurity.minimumprotocol=tls1.2 \
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
   5fed3813f7f5
-- 
2.30.2