Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3. Taken from Debian: https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname):
     ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
 
     # If --insecure is used, we allow the use of TLS 1.0 despite config options.
     # We always print a "connection security to %s is disabled..." message when
     # --insecure is used. So no need to print anything more here.
     if ui.insecureconnections:
         minimumprotocol = b'tls1.0'
         if not ciphers:
-            ciphers = b'DEFAULT'
+            ciphers = b'DEFAULT:@SECLEVEL=0'
 
     s[b'minimumprotocol'] = minimumprotocol
     s[b'ciphers'] = ciphers
 
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of : strings.
     fingerprints = ui.configlist(
         b'hostsecurity', b'%s:fingerprints' % bhostname
@@ -621,17 +621,17 @@ def wrapserversocket(
 
     # Improve forward secrecy.
     sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
     sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
 
     # In tests, allow insecure ciphers
     # Otherwise, use the list of more secure ciphers if found in the ssl module.
     if exactprotocol:
-        sslcontext.set_ciphers('DEFAULT')
+        sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
     elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
         # pytype: disable=module-attr
         sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
         # pytype: enable=module-attr
 
     if requireclientcert:
         sslcontext.verify_mode = ssl.CERT_REQUIRED
--- a/tests/test-https.t
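Review bot: `DEFAULT:@SECLEVEL=0` in the `_hostsettings` hunk does more than the comment above `if ui.insecureconnections:` claims — besides letting OpenSSL 3 negotiate TLS 1.0/1.1 again, security level 0 removes every strength check OpenSSL otherwise enforces (short RSA/DH keys, legacy signature algorithms and ciphers), so the `--insecure` path now accepts weaker peers than it did under OpenSSL 1.1; the `wrapserversocket` hunk (whose signature and the rest of the function lie outside the hunk) makes the same change for the test server. That is arguably what `--insecure` promises, but the comment still mentions only TLS 1.0, so I would extend it with `# OpenSSL 3 refuses TLS < 1.2 at its default security level, so drop to` / `# @SECLEVEL=0; note this also re-enables weak keys and ciphers, not just old protocols.` It is also worth confirming that every OpenSSL/LibreSSL build Mercurial supports understands the `@SECLEVEL` keyword: on one that does not, `set_ciphers` raises `ssl.SSLError` and the insecure connection fails outright instead of falling back to plain `DEFAULT`.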
+++ b/test;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015 Steve Sprang <scs@stevesprang.com> ;;; Copyright © 2015-2024 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2015 Aljosha Papsch <misc@rpapsch.de> ;;; Copyright © 2016 Christine Lemmer-Webber <cwebber@dustycloud.org> ;;; Copyright © 2016 Jessica Tallon <tsyesika@tsyesika.se> ;;; Copyright © 2016 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2016 Lukas Gradl <lgradl@openmailbox.org> ;;; Copyright © 2016, 2019, 2020 Alex Griffin <a@ajgrf.com> ;;; Copyright © 2017 Leo Famulari <leo@famulari.name> ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2017 Jelle Licht <jlicht@fsfe.org> ;;; Copyright © 2017, 2019 Eric Bavier <bavier@member.fsf.org> ;;; Copyright © 2017, 2020-2022, 2024 Nicolas Goaziou <mail@nicolasgoaziou.fr> ;;; Copyright © 2017 Manolis Fragkiskos Ragkousis <manolis837@gmail.com> ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com> ;;; Copyright © 2018, 2022 Marius Bakke <marius@gnu.org> ;;; Copyright © 2018 Konrad Hinsen <konrad.hinsen@fastmail.net> ;;; Copyright © 2018 Thomas Sigurdsen <tonton@riseup.net> ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz> ;;; Copyright © 2018 Amirouche Boubekki <amirouche@hypermove.net> ;;; Copyright © 2018, 2019, 2020 Tim Gesthuizen <tim.gesthuizen@yahoo.de> ;;; Copyright © 2019 Jens Mølgaard <jens@zete.tk> ;;; Copyright © 2019,2022 Tanguy Le Carrour <tanguy@bioneland.org> ;;; Copyright © 2020, 2024 Guillaume Le Vaillant <glv@posteo.net> ;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re> ;;; Copyright © 2020 Jean-Baptiste Note <jean-baptiste.note@m4x.org> ;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de> ;;; Copyright © 2020 Vinicius Monego <monego@posteo.net> ;;; Copyright © 2020 Hartmut