[PATCH v3] sslutil-add tls 1.3 support - done during IETF101 Hackathon

Yuya Nishihara yuya at tcha.org
Sun Apr 1 05:45:33 EDT 2018


On Sun, 1 Apr 2018 08:55:27 +0400, Codarren Velvindron wrote:
> # HG changeset patch
> # User Codarren Velvindron <codarren at hackers.mu>
> # Date 1522557692 -14400
> #      Sun Apr 01 08:41:32 2018 +0400
> # Node ID 3a1cdeff1f61187e4a8af5f7259ca48039571b9e
> # Parent  2ed180117f7658d0cbf6a1ece20944465c55c947
> sslutil: add tls 1.3 support

[...]

> -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
> +# TLS 1.1, 1.2 and 1.3 may not be supported if the OpenSSL Python is compiled
>  # against doesn't support them.
>  supportedprotocols = {'tls1.0'}
>  if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'):
>      supportedprotocols.add('tls1.1')
>  if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'):
>      supportedprotocols.add('tls1.2')
> +if util.safehasattr(ssl, 'PROTOCOL_TLSv1_3'):
> +    supportedprotocols.add('tls1.3')

While checking the test code, I noticed PROTOCOL_TLSv1_3 appears not to be provided
by the next Python 2. OP_NO_TLSv1_3 is claimed to be available in 2.7.15,
though.

https://docs.python.org/2.7/library/ssl.html

> +#if sslcontext tls1.3
> +Start servers running supported TLS versions
> +
> +  $ cd test
> +  $ hg serve -p $HGPORT3 -d --pid-file=../hg3.pid --certificate=$PRIV \
> +  > --config devel.serverexactprotocol=tls1.3
> +  $ cat ../hg3.pid >> $DAEMON_PIDS
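Review bot: `$HGPORT3` on the `hg serve -p` line is not defined by the test harness (as the reply below also notes), so the server is started with an empty port argument and every client check that follows targets nothing; use a port the harness does provide or allocate one explicitly. The `#if sslcontext tls1.3` guard on the first line also depends on a `tls1.3` feature existing in hghave alongside the existing `sslcontext` check, and nothing in the quoted patch adds it, so as submitted the whole block cannot be exercised.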

$HGPORT3 isn't defined.

> +Clients talking same TLS versions work
> +
> +  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT3/
> +  5fed3813f7f5
> +
> +Clients requiring newer TLS version than what server supports fail
> +
> +  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT3/
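Review bot: the "Clients requiring newer TLS version than what server supports fail" case on the last line reuses `https://localhost:$HGPORT3/`, the very server started with `devel.serverexactprotocol=tls1.3`, so it is byte-for-byte the success case above it and cannot fail. Point the `minimumprotocol=tls1.3` client at a server pinned to tls1.2 (or older) instead. As quoted, the command is also followed by no expected error output and no `[255]` exit status line, which a failing case needs before the test asserts anything.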

Here we need to test the pair of TLS=1.3 client + TLS<1.3 server, but the server
supports TLS 1.3.


More information about the Mercurial-devel mailing list
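An added Python 3 example, written for this thread and not taken from the patch, from Yuya's reply or from Mercurial's sslutil, showing the two things the review turns on: detecting TLS 1.3 without a PROTOCOL_TLSv1_3 constant (using the OP_NO_TLSv1_3 / HAS_TLSv1_3 names that do exist), and reasoning about the client-minimum versus server-exact combinations the test hunks are supposed to cover, so that a tls1.3 client against a tls1.2 server comes out as a failure rather than a repeat of the success case. The version table and the function names (`supportedprotocols`, `minimumoptions`, `exactoptions`, `enabledversions`, `handshakepossible`, `clientcontext`) are this example's own; `supportedprotocols` deliberately echoes the variable in the hunk but is not the project's code. It assumes Python 3.7 or later linked against an OpenSSL that knows TLS 1.3.

```python
import ssl

# One row per TLS version, oldest first: the name Mercurial's config uses,
# the OP_NO_* constant that disables that version, the HAS_* capability
# flag (Python 3.7+) and the ssl.TLSVersion member name (Python 3.7+).
# There is no PROTOCOL_TLSv1_3 in any Python release, which is why the
# probes below key on OP_NO_TLSv1_3 / HAS_TLSv1_3 instead.
# (Example table, not Mercurial's own.)
_TLSVERSIONS = [
    ('tls1.0', 'OP_NO_TLSv1',   'HAS_TLSv1',   'TLSv1'),
    ('tls1.1', 'OP_NO_TLSv1_1', 'HAS_TLSv1_1', 'TLSv1_1'),
    ('tls1.2', 'OP_NO_TLSv1_2', 'HAS_TLSv1_2', 'TLSv1_2'),
    ('tls1.3', 'OP_NO_TLSv1_3', 'HAS_TLSv1_3', 'TLSv1_3'),
]
_NAMES = [row[0] for row in _TLSVERSIONS]


def supportedprotocols(sslmod=ssl):
    """Return the TLS version names this interpreter's OpenSSL can speak.

    HAS_TLSv1_x reports the linked OpenSSL's capability; where it is
    absent (Python < 3.7) the presence of the OP_NO_* constant is the
    best available proxy, which is all the 2.7.15 docs offer.
    """
    supported = set()
    for name, opname, hasname, _enum in _TLSVERSIONS:
        if hasattr(sslmod, hasname):
            if getattr(sslmod, hasname):
                supported.add(name)
        elif hasattr(sslmod, opname):
            supported.add(name)
    return supported


def _index(name):
    if name not in _NAMES:
        raise ValueError('unknown TLS version name: %r' % (name,))
    return _NAMES.index(name)


def minimumoptions(minimum):
    """OP_NO_* mask disabling every TLS version older than ``minimum``
    (the hostsecurity.minimumprotocol semantics)."""
    flags = 0
    for _name, opname, _has, _enum in _TLSVERSIONS[:_index(minimum)]:
        flags |= getattr(ssl, opname, 0)
    return flags


def exactoptions(exact):
    """OP_NO_* mask disabling every TLS version except ``exact``
    (the devel.serverexactprotocol semantics)."""
    _index(exact)
    flags = 0
    for name, opname, _has, _enum in _TLSVERSIONS:
        if name != exact:
            flags |= getattr(ssl, opname, 0)
    return flags


def enabledversions(options):
    """Decode an options mask into the TLS versions it leaves enabled.

    Only versions whose OP_NO_* constant exists can be reported: on a
    Python without OP_NO_TLSv1_3 the mask cannot express TLS 1.3 at all.
    """
    return {name for name, opname, _has, _enum in _TLSVERSIONS
            if hasattr(ssl, opname) and not options & getattr(ssl, opname)}


def handshakepossible(clientminimum, serverexact):
    """Whether a client floored at ``clientminimum`` and a server pinned
    to ``serverexact`` share at least one version.  This is the check the
    'newer than what server supports' test case should exercise: a
    tls1.3 client against a tls1.2 server must come out False."""
    return bool(enabledversions(minimumoptions(clientminimum))
                & enabledversions(exactoptions(serverexact)))


def clientcontext(minimumprotocol):
    """Build a verifying client SSLContext that refuses anything older
    than ``minimumprotocol``, failing early if this build cannot speak it."""
    if minimumprotocol not in supportedprotocols():
        raise ValueError('%s is not supported by this Python/OpenSSL'
                         % minimumprotocol)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert + hostname
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.options |= minimumoptions(minimumprotocol)
    # Python 3.7+ exposes minimum_version; set it as well so the floor
    # survives the deprecation of the OP_NO_* flags in 3.10+.
    if hasattr(ctx, 'minimum_version'):
        enumname = _TLSVERSIONS[_index(minimumprotocol)][3]
        ctx.minimum_version = getattr(ssl.TLSVersion, enumname)
    return ctx


if __name__ == '__main__':
    print('supported:', sorted(supportedprotocols()))
    for client, server in [('tls1.3', 'tls1.3'), ('tls1.3', 'tls1.2'),
                           ('tls1.2', 'tls1.3')]:
        print(client, 'client vs', server, 'server ->',
              'ok' if handshakepossible(client, server) else 'fails')
```

The mask arithmetic is what makes the missing test case visible on paper: `minimumoptions('tls1.3')` leaves only tls1.3 enabled, `exactoptions('tls1.2')` leaves only tls1.2, and the intersection is empty, whereas the hunk as written pairs a tls1.3 floor with a tls1.3 server and so can only succeed.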