comparison mercurial/sslutil.py @ 44888:95903a8d8c97
sslutil: stop returning argument as third return value of protocolsettings()
The third return value was always the same as the argument.
author | Manuel Jacob <me@manueljacob.de> |
---|---|
date | Sun, 31 May 2020 09:55:45 +0200 |
parents | 7dd63a8cb1ee |
children | ceb7318013d5 |
44887:61cdc8137d53 | 44888:95903a8d8c97 |
---|---|
129 # We always print a "connection security to %s is disabled..." message when | 129 # We always print a "connection security to %s is disabled..." message when |
130 # --insecure is used. So no need to print anything more here. | 130 # --insecure is used. So no need to print anything more here. |
131 if ui.insecureconnections: | 131 if ui.insecureconnections: |
132 protocol = b'tls1.0' | 132 protocol = b'tls1.0' |
133 | 133 |
134 s[b'protocol'], s[b'ctxoptions'], s[b'protocolui'] = protocolsettings( | 134 s[b'protocolui'] = protocol |
135 protocol | 135 s[b'protocol'], s[b'ctxoptions'] = protocolsettings(protocol) |
136 ) | |
137 | 136 |
138 ciphers = ui.config(b'hostsecurity', b'ciphers') | 137 ciphers = ui.config(b'hostsecurity', b'ciphers') |
139 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) | 138 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) |
140 s[b'ciphers'] = ciphers | 139 s[b'ciphers'] = ciphers |
141 | 140 |
243 | 242 |
244 | 243 |
245 def protocolsettings(protocol): | 244 def protocolsettings(protocol): |
246 """Resolve the protocol for a config value. | 245 """Resolve the protocol for a config value. |
247 | 246 |
248 Returns a 3-tuple of (protocol, options, ui value) where the first | 247 Returns a tuple of (protocol, options) which are values used by SSLContext. |
249 2 items are values used by SSLContext and the last is a string value | |
250 of the ``minimumprotocol`` config option equivalent. | |
251 """ | 248 """ |
252 if protocol not in configprotocols: | 249 if protocol not in configprotocols: |
253 raise ValueError(b'protocol value not supported: %s' % protocol) | 250 raise ValueError(b'protocol value not supported: %s' % protocol) |
254 | 251 |
255 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | 252 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
270 b'upgrade Python or disable setting since ' | 267 b'upgrade Python or disable setting since ' |
271 b'only TLS 1.0 is supported' | 268 b'only TLS 1.0 is supported' |
272 ), | 269 ), |
273 ) | 270 ) |
274 | 271 |
275 return ssl.PROTOCOL_TLSv1, 0, b'tls1.0' | 272 return ssl.PROTOCOL_TLSv1, 0 |
276 | 273 |
277 # SSLv2 and SSLv3 are broken. We ban them outright. | 274 # SSLv2 and SSLv3 are broken. We ban them outright. |
278 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | 275 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
279 | 276 |
280 if protocol == b'tls1.0': | 277 if protocol == b'tls1.0': |
289 | 286 |
290 # Prevent CRIME. | 287 # Prevent CRIME. |
291 # There is no guarantee this attribute is defined on the module. | 288 # There is no guarantee this attribute is defined on the module. |
292 options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) | 289 options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
293 | 290 |
294 return ssl.PROTOCOL_SSLv23, options, protocol | 291 return ssl.PROTOCOL_SSLv23, options |
295 | 292 |
296 | 293 |
297 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): | 294 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): |
298 """Add SSL/TLS to a socket. | 295 """Add SSL/TLS to a socket. |
299 | 296 |
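Review bot: The rewritten docstring at new line 247 describes only the success path, while protocolsettings() still raises at line 250 for any value outside configprotocols; the contract is clearer with a second sentence, `Raises ValueError if ``protocol`` is not one of ``configprotocols``.`, since callers that take the value from configuration rely on that rejection. The two returns at lines 272 and 291 now both hand back a 2-tuple, so the reduced docstring matches the code. Because of that ValueError, the caller at lines 134-135 now writes `s[b'protocolui'] = protocol` before the value is validated; swapping the two assignments so `protocolsettings(protocol)` runs first keeps the settings dict untouched when the value is rejected, which is presumably the intent. The body of protocolsettings is only partly visible here (lines 256-269 and 278-285 are not shown), so the message text in the early-return branch could not be checked.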
541 if f and not os.path.exists(f): | 538 if f and not os.path.exists(f): |
542 raise error.Abort( | 539 raise error.Abort( |
543 _(b'referenced certificate file (%s) does not exist') % f | 540 _(b'referenced certificate file (%s) does not exist') % f |
544 ) | 541 ) |
545 | 542 |
546 protocol, options, _protocolui = protocolsettings(b'tls1.0') | 543 protocol, options = protocolsettings(b'tls1.0') |
547 | 544 |
548 # This config option is intended for use in tests only. It is a giant | 545 # This config option is intended for use in tests only. It is a giant |
549 # footgun to kill security. Don't define it. | 546 # footgun to kill security. Don't define it. |
550 exactprotocol = ui.config(b'devel', b'serverexactprotocol') | 547 exactprotocol = ui.config(b'devel', b'serverexactprotocol') |
551 if exactprotocol == b'tls1.0': | 548 if exactprotocol == b'tls1.0': |