[PATCH v4] sslutil-add tls 1.3 support - done during IETF101 Hackathon

Yuya Nishihara yuya at tcha.org
Sun Apr 8 05:25:36 EDT 2018


On Sun, 8 Apr 2018 09:51:45 +0400, Codarren Velvindron wrote:
> # HG changeset patch
> # User Codarren Velvindron <codarren at hackers.mu>
> # Date 1523166519 -14400
> #      Sun Apr 08 09:48:39 2018 +0400
> # Node ID 5df15ef67ce1674a8f408058cd953de5ab9601cf
> # Parent  632b928992039afe96df8f99a8dec6127ff983f1
> sslutil: add tls 1.3 support

> -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
> +# TLS 1.1,1.2 and 1.3 may not be supported if the OpenSSL Python is compiled
>  # against doesn't support them.
>  supportedprotocols = {'tls1.0'}
>  if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'):
>      supportedprotocols.add('tls1.1')
>  if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'):
>      supportedprotocols.add('tls1.2')
> +if util.safehasattr(ssl, 'PROTOCOL_TLS'):
> +    supportedprotocols.add('tls1.3')
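Review bot: the new `if util.safehasattr(ssl, 'PROTOCOL_TLS')` check is the wrong capability test: `PROTOCOL_TLS` is the "negotiate the highest version both sides support" constant and is present on Pythons whose OpenSSL has no TLS 1.3 at all, so `supportedprotocols` would advertise `tls1.3` on builds that cannot speak it. Key the addition on the TLS 1.3 capability flag instead, e.g. `if getattr(ssl, 'HAS_TLSv1_3', False): supportedprotocols.add('tls1.3')`, which is also safely False on older Pythons that lack the attribute. Minor: the rewritten comment reads better as "TLS 1.1, 1.2 and 1.3".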

PROTOCOL_TLS doesn't mean the Python supports TLS 1.3.

https://docs.python.org/2.7/library/ssl.html#ssl.PROTOCOL_TLS

Perhaps HAS_TLSv1_3 can be used instead.

  if getattr(ssl, 'HAS_TLSv1_3', False)

https://docs.python.org/2.7/library/ssl.html#ssl.HAS_TLSv1_3

> @@ -542,6 +547,10 @@
>          if 'tls1.2' not in supportedprotocols:
>              raise error.Abort(_('TLS 1.2 not supported by this Python'))
>          protocol = ssl.PROTOCOL_TLSv1_2
> +    elif exactprotocol == 'tls1.3':
> +        if 'tls1.3' not in supportedprotocols:
> +            raise error.Abort(_('TLS 1.3 not supported by this Python'))
> +        protocol = ssl.PROTOCOL_TLSv1_3
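Review bot: `ssl.PROTOCOL_TLSv1_3` on the last added line does not exist in the ssl module, so the `tls1.3` branch passes the `supportedprotocols` check and then fails with an AttributeError instead of building a context. There is no per-version PROTOCOL constant for 1.3; pinning a connection to exactly TLS 1.3 needs `SSLContext.minimum_version` and `maximum_version` set to `ssl.TLSVersion.TLSv1_3` (Python 3.7+), which means this function can no longer express the choice as a single `protocol` constant. Until that restructuring is done the branch should at least `raise error.Abort(...)` with a clear message rather than crash. The hunk also adds no test exercising the new value.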

Undefined. I have no idea how to enforce TLS 1.3 here.

Did you run tests? Since you're adding a feature that depends on an unreleased
Python, you'll have to build Python from source.
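The two points raised above (detecting TLS 1.3 via HAS_TLSv1_3, and pinning a connection to exactly TLS 1.3 without a PROTOCOL_TLSv1_3 constant), worked through as an added example that is not part of the patch or of this reply; it assumes the Python 3.7+ ssl API (ssl.TLSVersion, SSLContext.minimum_version/maximum_version), and the function names are hypothetical, not Mercurial's.

```python
import ssl

# Constructed table: version name used by the patch -> ssl attribute whose
# presence shows the interpreter's OpenSSL was built with that version.
# TLS 1.3 deliberately has no entry: there is no PROTOCOL_TLSv1_3 constant.
_PROTOCOL_ATTRS = (
    ('tls1.0', 'PROTOCOL_TLSv1'),
    ('tls1.1', 'PROTOCOL_TLSv1_1'),
    ('tls1.2', 'PROTOCOL_TLSv1_2'),
)

# Names of ssl.TLSVersion members (Python 3.7+) used to pin a single version.
_TLSVERSION_NAMES = {
    'tls1.0': 'TLSv1',
    'tls1.1': 'TLSv1_1',
    'tls1.2': 'TLSv1_2',
    'tls1.3': 'TLSv1_3',
}


def supported_protocols():
    """Return the set of TLS versions this Python/OpenSSL build can speak."""
    supported = set(name for name, attr in _PROTOCOL_ATTRS if hasattr(ssl, attr))
    # PROTOCOL_TLS only means "negotiate"; HAS_TLSv1_3 is the real capability
    # flag, and getattr() keeps this False on Pythons older than 3.7.
    if getattr(ssl, 'HAS_TLSv1_3', False):
        supported.add('tls1.3')
    return supported


def exact_protocol_context(exactprotocol):
    """Build a verifying client context that negotiates only exactprotocol."""
    if exactprotocol not in supported_protocols():
        raise ValueError('%s not supported by this Python' % exactprotocol)
    tlsversion = getattr(ssl, 'TLSVersion', None)
    if tlsversion is None:
        raise ValueError('pinning a TLS version needs Python 3.7+')
    version = getattr(tlsversion, _TLSVERSION_NAMES[exactprotocol])
    # PROTOCOL_TLS_CLIENT enables certificate and hostname verification; the
    # min/max pair, not a PROTOCOL_* constant, is what restricts the version.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiable_range(ctx):
    """Return (lowest, highest) TLSVersion names the context will accept."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)
```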
