Mercurial > public > mercurial-scm > hg-stable
comparison mercurial/sslutil.py @ 44935:dca2629f6d2e
sslutil: remove comments referring to removed SSLContext emulation class
| author | Manuel Jacob <me@manueljacob.de> |
|---|---|
| date | Fri, 29 May 2020 22:31:26 +0200 |
| parents | 7c19eb372438 |
| children | 035199ba04ee |
comparison
equal
deleted
inserted
replaced
| 44934:7c19eb372438 | 44935:dca2629f6d2e |
|---|---|
| 262 # | 262 # |
| 263 # The PROTOCOL_TLSv* constants select a specific TLS version | 263 # The PROTOCOL_TLSv* constants select a specific TLS version |
| 264 # only (as opposed to multiple versions). So the method for | 264 # only (as opposed to multiple versions). So the method for |
| 265 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and | 265 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and |
| 266 # disable protocols via SSLContext.options and OP_NO_* constants. | 266 # disable protocols via SSLContext.options and OP_NO_* constants. |
| 267 # However, SSLContext.options doesn't work unless we have the | |
| 268 # full/real SSLContext available to us. | |
| 269 if supportedprotocols == {b'tls1.0'}: | 267 if supportedprotocols == {b'tls1.0'}: |
| 270 if protocol != b'tls1.0': | 268 if protocol != b'tls1.0': |
| 271 raise error.Abort( | 269 raise error.Abort( |
| 272 _(b'current Python does not support protocol setting %s') | 270 _(b'current Python does not support protocol setting %s') |
| 273 % protocol, | 271 % protocol, |
| 277 ), | 275 ), |
| 278 ) | 276 ) |
| 279 | 277 |
| 280 return ssl.PROTOCOL_TLSv1, 0, b'tls1.0' | 278 return ssl.PROTOCOL_TLSv1, 0, b'tls1.0' |
| 281 | 279 |
| 282 # WARNING: returned options don't work unless the modern ssl module | |
| 283 # is available. Be careful when adding options here. | |
| 284 | |
| 285 # SSLv2 and SSLv3 are broken. We ban them outright. | 280 # SSLv2 and SSLv3 are broken. We ban them outright. |
| 286 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | 281 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
| 287 | 282 |
| 288 if protocol == b'tls1.0': | 283 if protocol == b'tls1.0': |
| 289 # Defaults above are to use TLS 1.0+ | 284 # Defaults above are to use TLS 1.0+ |
| 353 # CAs may undermine the user's intent. For example, a user may define a CA | 348 # CAs may undermine the user's intent. For example, a user may define a CA |
| 354 # bundle with a specific CA cert removed. If the system/default CA bundle | 349 # bundle with a specific CA cert removed. If the system/default CA bundle |
| 355 # is loaded and contains that removed CA, you've just undone the user's | 350 # is loaded and contains that removed CA, you've just undone the user's |
| 356 # choice. | 351 # choice. |
| 357 sslcontext = ssl.SSLContext(settings[b'protocol']) | 352 sslcontext = ssl.SSLContext(settings[b'protocol']) |
| 358 | |
| 359 # This is a no-op unless using modern ssl. | |
| 360 sslcontext.options |= settings[b'ctxoptions'] | 353 sslcontext.options |= settings[b'ctxoptions'] |
| 361 | |
| 362 # This still works on our fake SSLContext. | |
| 363 sslcontext.verify_mode = settings[b'verifymode'] | 354 sslcontext.verify_mode = settings[b'verifymode'] |
| 364 | 355 |
| 365 if settings[b'ciphers']: | 356 if settings[b'ciphers']: |
| 366 try: | 357 try: |
| 367 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) | 358 sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) |