mercurial-scm/hg: comparison mercurial/sslutil.py

equal deleted inserted replaced

-:737863b01d9f
+:4827d07073e6
 args['ciphers'] = self._ciphers
 return ssl.wrap_socket(socket, **args)
 try:
-# ssl.SSLContext was added in 2.7.9 and presence indicates modern
-# SSL/TLS features are available.
-ssl_context = ssl.SSLContext
 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
 ca_certs=None, serverhostname=None):
-# Allow any version of SSL starting with TLSv1 and
+# Despite its name, PROTOCOL_SSLv23 selects the highest protocol
-# up. Note that specifying TLSv1 here prohibits use of
+# that both ends support, including TLS protocols. On legacy stacks,
-# newer standards (like TLSv1_2), so this is the right way
+# the highest it likely goes in TLS 1.0. On modern stacks, it can
-# to do this. Note that in the future it'd be better to
+# support TLS 1.2.
-# support using ssl.create_default_context(), which sets
+#
-# up a bunch of things in smart ways (strong ciphers,
+# The PROTOCOL_TLSv* constants select a specific TLS version
-# protocol versions, etc) and is upgraded by Python
+# only (as opposed to multiple versions). So the method for
-# maintainers for us, but that breaks too many things to
+# supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
-# do it in a hurry.
+# disable protocols via SSLContext.options and OP_NO_* constants.
-sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+# However, SSLContext.options doesn't work unless we have the
+# full/real SSLContext available to us.
+#
+# SSLv2 and SSLv3 are broken. We ban them outright.
+if modernssl:
+protocol = ssl.PROTOCOL_SSLv23
+else:
+protocol = ssl.PROTOCOL_TLSv1
+# TODO use ssl.create_default_context() on modernssl.
+sslcontext = SSLContext(protocol)
+# This is a no-op on old Python.
 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
 if certfile is not None:
 def password():
 f = keyfile or certfile
 return ui.getpass(_('passphrase for %s: ') % f, '')
 sslcontext.load_cert_chain(certfile, keyfile, password)
 sslcontext.verify_mode = cert_reqs
 if ca_certs is not None:
 sslcontext.load_verify_locations(cafile=ca_certs)
-elif _canloaddefaultcerts:
+else:
+# This is a no-op on old Python.
 sslcontext.load_default_certs()
 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
 # check if wrap_socket failed silently because socket had been
 # closed
 # - see http://bugs.python.org/issue13721
 if not sslsocket.cipher():
 raise error.Abort(_('ssl connection failed'))
 return sslsocket
 except AttributeError:
-# We don't have a modern version of the "ssl" module and are running
+raise util.Abort('this should not happen')
-# Python <2.7.9.
-def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
-ca_certs=None, serverhostname=None):
-sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
-cert_reqs=cert_reqs, ca_certs=ca_certs,
-ssl_version=ssl.PROTOCOL_TLSv1)
-# check if wrap_socket failed silently because socket had been
-# closed
-# - see http://bugs.python.org/issue13721
-if not sslsocket.cipher():
-raise error.Abort(_('ssl connection failed'))
-return sslsocket
 def _verifycert(cert, hostname):
 '''Verify that cert (in socket.getpeercert() format) matches hostname.
 CRLs is not handled.

changeset 28651	4827d07073e6
parent 28650	737863b01d9f
child 28652	c617614aefd2