[PATCH 1 of 2 🐩] sslutil: only support TLS

Augie Fackler raf at durin42.com
Tue Oct 21 21:17:49 UTC 2014


# HG changeset patch
# User Augie Fackler <raf at durin42.com>
# Date 1413925283 14400
#      Tue Oct 21 17:01:23 2014 -0400
# Branch stable
# Node ID 27430ddc25a17a93b72245a406e8667eafcf43f0
# Parent  c1ae0b2c1719f56b906472efea8b20ca0774c968
sslutil: only support TLS

In light of the POODLE[0] attack on SSLv3, let's just drop the ability to
use anything older than TLSv1 entirely.

This only fixes the client side. Another commit will fix the server
side. There are still a few SSLv[23] constants hiding in httpclient,
but I'll fix those separately upstream and import them when we're not
in a code freeze.


0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -14,7 +14,6 @@ try:
     # avoid using deprecated/broken FakeSocket in python 2.6
     import ssl
     CERT_REQUIRED = ssl.CERT_REQUIRED
-    PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
     PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
     def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
                 cert_reqs=ssl.CERT_NONE, ca_certs=None):
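Review bot: making `PROTOCOL_TLSv1` the only `ssl_version` pins the client to TLS 1.0 exactly, not to "TLS 1.0 or newer": in Python's `ssl` module that constant selects the TLSv1-only method, whereas the removed `PROTOCOL_SSLv23` was the one that negotiated the highest version both sides support. A server configured for TLS 1.1/1.2 only will now refuse the handshake. The commit message says "drop the ability to use anything older than TLSv1", which reads as a minimum; it would be worth stating the real effect (TLS 1.0 only) there, since that is the trade-off users will hit.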
@@ -29,7 +28,6 @@ try:
 except ImportError:
     CERT_REQUIRED = 2
 
-    PROTOCOL_SSLv23 = 2
     PROTOCOL_TLSv1 = 3
 
     import socket, httplib
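Review bot: with this hunk and the first one applied, `sslutil.PROTOCOL_SSLv23` no longer exists in either branch of the try/except, so anything that still imports that name from `sslutil` (the commit message mentions SSLv[23] constants remaining in httpclient) would now fail with an AttributeError rather than keep working; worth a grep for the identifier before this lands.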
@@ -103,12 +101,7 @@ def _plainapplepython():
             exe.startswith('/system/library/frameworks/python.framework/'))
 
 def sslkwargs(ui, host):
-    forcetls = ui.configbool('ui', 'tls', default=True)
-    if forcetls:
-        ssl_version = PROTOCOL_TLSv1
-    else:
-        ssl_version = PROTOCOL_SSLv23
-    kws = {'ssl_version': ssl_version,
+    kws = {'ssl_version': PROTOCOL_TLSv1,
            }
     hostfingerprint = ui.config('hostfingerprints', host)
     if hostfingerprint:
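Review bot: dropping the `ui.tls` configbool removes a user-visible option without a deprecation path or warning, so an hgrc that still sets `ui.tls = false` is now ignored silently. If the option is described in the config help, that text should go in the same change, and a line in the commit message saying the setting has been removed would help. Minor style point: with a single key left, `kws = {'ssl_version': PROTOCOL_TLSv1,` followed by `}` on its own line could be collapsed to one line.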
