mercurial-scm/hg: mercurial/sslutil.py comparison

comparison mercurial/sslutil.py @ 28647:834d1c4ba749

sslutil: better document state of security/ssl module Pythons older than 2.7.9 are lacking the modern ssl module and have horrible security. Let's document this explicitly.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Sun, 27 Mar 2016 14:07:06 -0700
parents	7efff6ce9826
children	7fc787e5d8ec

comparison

equal deleted inserted replaced

-:f452c1cf7a8f
+:834d1c4ba749
 from . import (
 error,
 util,
 )
+# Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
+# support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
+# all exposed via the "ssl" module.
+#
+# Depending on the version of Python being used, SSL/TLS support is either
+# modern/secure or legacy/insecure. Many operations in this module have
+# separate code paths depending on support in Python.
 hassni = getattr(ssl, 'HAS_SNI', False)
 _canloaddefaultcerts = False
 try:
+# ssl.SSLContext was added in 2.7.9 and presence indicates modern
+# SSL/TLS features are available.
 ssl_context = ssl.SSLContext
 _canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
 ca_certs=None, serverhostname=None):
 # - see http://bugs.python.org/issue13721
 if not sslsocket.cipher():
 raise error.Abort(_('ssl connection failed'))
 return sslsocket
 except AttributeError:
+# We don't have a modern version of the "ssl" module and are running
+# Python <2.7.9.
 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
 ca_certs=None, serverhostname=None):
 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
 cert_reqs=cert_reqs, ca_certs=ca_certs,
 ssl_version=ssl.PROTOCOL_TLSv1)

Mercurial > public > mercurial-scm > hg

comparison mercurial/sslutil.py @ 28647:834d1c4ba749