
List:       mercurial-devel
Subject:    [PATCH 4 of 5] sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available
From:       Manuel Jacob <me@manueljacob.de>
Date:       2020-05-31 10:24:47
Message-ID: d950d0faa52d3db15914.1590920687@tmp

# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590916221 -7200
#      Sun May 31 11:10:21 2020 +0200
# Node ID d950d0faa52d3db159147891e58f4488042d9afe
# Parent  14fb5b19169473e9a14a5ad4371ca727cd8c8293
# EXP-Topic sslutil_cleanup
sslutil: don't set minimum TLS version to 1.0 if 1.2 but not 1.1 is available

This case isn't very likely, but possible, especially if supportedprotocols
gets fixed to contain only correct items (see the FIXME above in the file).

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -105,7 +105,7 @@ def _hostsettings(ui, hostname):
     # We default to TLS 1.1+ where we can because TLS 1.0 has known
     # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
     # TLS 1.0+ via config options in case a legacy server is encountered.
-    if b'tls1.1' in supportedprotocols:
+    if supportedprotocols - {b'tls1.0'}:
         defaultminimumprotocol = b'tls1.1'
     else:
         # Let people know they are borderline secure.
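Review bot: the new condition `if supportedprotocols - {b'tls1.0'}:` depends on `supportedprotocols` being a set and on every remaining entry meaning "newer than TLS 1.0", and the comment just above it still reads as though TLS 1.1 itself must be present; please update that comment to say the TLS 1.1+ default is chosen whenever any protocol newer than 1.0 is supported, or spell the intent out as `if b'tls1.1' in supportedprotocols or b'tls1.2' in supportedprotocols:`, which states the same thing without relying on set arithmetic. Worth a short comment as well that when only TLS 1.2 is available the minimum is still set to `b'tls1.1'`: that is a harmless floor, since 1.1 cannot be negotiated in that case, but a reader may otherwise take it to mean 1.1 is being enabled.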

_______________________________________________
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
