Mercurial > public > mercurial-scm > hg-stable
comparison mercurial/sslutil.py @ 44959:38e3df9ff1e7
sslutil: stop storing protocol and options for SSLContext in settings dict
Call protocolsettings() where its return values are needed.
| author | Manuel Jacob <me@manueljacob.de> |
|---|---|
| date | Mon, 01 Jun 2020 14:20:13 +0200 |
| parents | 4ca1110991c4 |
| children | 53b3baaadb64 |
comparison
equal
deleted
inserted
replaced
| 44958:4ca1110991c4 | 44959:38e3df9ff1e7 |
|---|---|
| 75 b'cafile': None, | 75 b'cafile': None, |
| 76 # Whether certificate verification should be disabled. | 76 # Whether certificate verification should be disabled. |
| 77 b'disablecertverification': False, | 77 b'disablecertverification': False, |
| 78 # Whether the legacy [hostfingerprints] section has data for this host. | 78 # Whether the legacy [hostfingerprints] section has data for this host. |
| 79 b'legacyfingerprint': False, | 79 b'legacyfingerprint': False, |
| 80 # PROTOCOL_* constant to use for SSLContext.__init__. | |
| 81 b'protocol': None, | |
| 82 # String representation of minimum protocol to be used for UI | 80 # String representation of minimum protocol to be used for UI |
| 83 # presentation. | 81 # presentation. |
| 84 b'minimumprotocol': None, | 82 b'minimumprotocol': None, |
| 85 # ssl.CERT_* constant used by SSLContext.verify_mode. | 83 # ssl.CERT_* constant used by SSLContext.verify_mode. |
| 86 b'verifymode': None, | 84 b'verifymode': None, |
| 87 # Defines extra ssl.OP* bitwise options to set. | |
| 88 b'ctxoptions': None, | |
| 89 # OpenSSL Cipher List to use (instead of default). | 85 # OpenSSL Cipher List to use (instead of default). |
| 90 b'ciphers': None, | 86 b'ciphers': None, |
| 91 } | 87 } |
| 92 | 88 |
| 93 # Allow minimum TLS protocol to be specified in the config. | 89 # Allow minimum TLS protocol to be specified in the config. |
| 122 # --insecure is used. So no need to print anything more here. | 118 # --insecure is used. So no need to print anything more here. |
| 123 if ui.insecureconnections: | 119 if ui.insecureconnections: |
| 124 minimumprotocol = b'tls1.0' | 120 minimumprotocol = b'tls1.0' |
| 125 | 121 |
| 126 s[b'minimumprotocol'] = minimumprotocol | 122 s[b'minimumprotocol'] = minimumprotocol |
| 127 s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) | |
| 128 | 123 |
| 129 ciphers = ui.config(b'hostsecurity', b'ciphers') | 124 ciphers = ui.config(b'hostsecurity', b'ciphers') |
| 130 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) | 125 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
| 131 s[b'ciphers'] = ciphers | 126 s[b'ciphers'] = ciphers |
| 132 | 127 |
| 224 # is insecure. We allow the connection and abort during | 219 # is insecure. We allow the connection and abort during |
| 225 # validation (once we have the fingerprint to print to the | 220 # validation (once we have the fingerprint to print to the |
| 226 # user). | 221 # user). |
| 227 s[b'verifymode'] = ssl.CERT_NONE | 222 s[b'verifymode'] = ssl.CERT_NONE |
| 228 | 223 |
| 229 assert s[b'protocol'] is not None | |
| 230 assert s[b'ctxoptions'] is not None | |
| 231 assert s[b'verifymode'] is not None | 224 assert s[b'verifymode'] is not None |
| 232 | 225 |
| 233 return s | 226 return s |
| 234 | 227 |
| 235 | 228 |
| 319 # have explicit control over CA loading because implicitly loading | 312 # have explicit control over CA loading because implicitly loading |
| 320 # CAs may undermine the user's intent. For example, a user may define a CA | 313 # CAs may undermine the user's intent. For example, a user may define a CA |
| 321 # bundle with a specific CA cert removed. If the system/default CA bundle | 314 # bundle with a specific CA cert removed. If the system/default CA bundle |
| 322 # is loaded and contains that removed CA, you've just undone the user's | 315 # is loaded and contains that removed CA, you've just undone the user's |
| 323 # choice. | 316 # choice. |
| 324 sslcontext = ssl.SSLContext(settings[b'protocol']) | 317 protocol, options = protocolsettings(settings[b'minimumprotocol']) |
| 325 sslcontext.options |= settings[b'ctxoptions'] | 318 sslcontext = ssl.SSLContext(protocol) |
| 319 sslcontext.options |= options | |
| 326 sslcontext.verify_mode = settings[b'verifymode'] | 320 sslcontext.verify_mode = settings[b'verifymode'] |
| 327 | 321 |
| 328 if settings[b'ciphers']: | 322 if settings[b'ciphers']: |
| 329 try: | 323 try: |
| 330 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) | 324 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) |