[PATCH 4 of 8 v5] sslutil: remove dead code (that downgraded default minimum TLS version)

Manuel Jacob me at manueljacob.de
Mon Jun 1 03:28:15 UTC 2020 

# HG changeset patch
# User Manuel Jacob <me at manueljacob.de>
# Date 1590956135 -7200
#      Sun May 31 22:15:35 2020 +0200
# Node ID ed90a9083487c637edb528826046f36646baf2a7
# Parent  e0d6fc43f3227a11934a69c8eff40d307a5ad697
# EXP-Topic require_modern_ssl
sslutil: remove dead code (that downgraded default minimum TLS version)

We ensure in setup.py that TLS 1.1 or TLS 1.2 is present.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -102,27 +102,14 @@ def _hostsettings(ui, hostname):
                 % b' '.join(sorted(configprotocols)),
             )
 
-    # We default to TLS 1.1+ where we can because TLS 1.0 has known
-    # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
-    # TLS 1.0+ via config options in case a legacy server is encountered.
-    if supportedprotocols - {b'tls1.0'}:
-        defaultminimumprotocol = b'tls1.1'
-    else:
-        # Let people know they are borderline secure.
-        # We don't document this config option because we want people to see
-        # the bold warnings on the web site.
-        # internal config: hostsecurity.disabletls10warning
-        if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
-            ui.warn(
-                _(
-                    b'warning: connecting to %s using legacy security '
-                    b'technology (TLS 1.0); see '
-                    b'https://mercurial-scm.org/wiki/SecureConnections for '
-                    b'more info\n'
-                )
-                % bhostname
-            )
-        defaultminimumprotocol = b'tls1.0'
+    # We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
+    # BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
+    # options in case a legacy server is encountered.
+
+    # setup.py checks that either TLS 1.1 or TLS 1.2 is present, so the
+    # following assert should not fail.
+    assert supportedprotocols - {b'tls1.0'}
+    defaultminimumprotocol = b'tls1.1'
 
     key = b'minimumprotocol'
     minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol)

More information about the Mercurial-devel mailing list