Mercurial > public > mercurial-scm > hg
comparison mercurial/sslutil.py @ 15812:0cc4ad757c77
sslutil: verify that wrap_socket really wrapped the socket
This works around that ssl.wrap_socket silently skips ssl negotiation on
sockets that was connected but since then has been reset by the peer but not
yet closed at the Python level. That leaves the socket in a state where
.getpeercert() fails with an AttributeError on None. See
http://bugs.python.org/issue13721 .
A call to .cipher() is now used to verify that the wrapping really did succeed.
Otherwise it aborts with "ssl connection failed".
| author | Mads Kiilerich <mads@kiilerich.com> |
|---|---|
| date | Mon, 09 Jan 2012 14:43:15 +0100 |
| parents | b2d4400398f3 |
| children | 3ae04eb5e38a |
comparison
equal
deleted
inserted
replaced
| 15811:b9886dde3649 | 15812:0cc4ad757c77 |
|---|---|
| 11 from mercurial import util | 11 from mercurial import util |
| 12 from mercurial.i18n import _ | 12 from mercurial.i18n import _ |
| 13 try: | 13 try: |
| 14 # avoid using deprecated/broken FakeSocket in python 2.6 | 14 # avoid using deprecated/broken FakeSocket in python 2.6 |
| 15 import ssl | 15 import ssl |
| 16 ssl_wrap_socket = ssl.wrap_socket | |
| 17 CERT_REQUIRED = ssl.CERT_REQUIRED | 16 CERT_REQUIRED = ssl.CERT_REQUIRED |
| 17 def ssl_wrap_socket(sock, keyfile, certfile, | |
| 18 cert_reqs=ssl.CERT_NONE, ca_certs=None): | |
| 19 sslsocket = ssl.wrap_socket(sock, keyfile, certfile, | |
| 20 cert_reqs=cert_reqs, ca_certs=ca_certs) | |
| 21 # check if wrap_socket failed silently because socket had been closed | |
| 22 # - see http://bugs.python.org/issue13721 | |
| 23 if not sslsocket.cipher(): | |
| 24 raise util.Abort(_('ssl connection failed')) | |
| 25 return sslsocket | |
| 18 except ImportError: | 26 except ImportError: |
| 19 CERT_REQUIRED = 2 | 27 CERT_REQUIRED = 2 |
| 20 | 28 |
| 21 import socket, httplib | 29 import socket, httplib |
| 22 | 30 |