Mercurial > hg-stable
changeset 29578:4a4b8d3b4e43
sslutil: move comment about protocol constants
protocolsettings() is the appropriate place for this comment.
author | Gregory Szorc <gregory.szorc@gmail.com>
---|---
date | Sun, 17 Jul 2016 11:03:08 -0700
parents | 9654ef41f7cc
children | 43f3c0df2fab
files | mercurial/sslutil.py
diffstat | 1 files changed, 11 insertions(+), 16 deletions(-)
--- a/mercurial/sslutil.py Sun Jul 17 10:59:32 2016 -0700 +++ b/mercurial/sslutil.py Sun Jul 17 11:03:08 2016 -0700 @@ -139,18 +139,6 @@ 'ciphers': None, } - # Despite its name, PROTOCOL_SSLv23 selects the highest protocol - # that both ends support, including TLS protocols. On legacy stacks, - # the highest it likely goes is TLS 1.0. On modern stacks, it can - # support TLS 1.2. - # - # The PROTOCOL_TLSv* constants select a specific TLS version - # only (as opposed to multiple versions). So the method for - # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and - # disable protocols via SSLContext.options and OP_NO_* constants. - # However, SSLContext.options doesn't work unless we have the - # full/real SSLContext available to us. - # Allow minimum TLS protocol to be specified in the config. def validateprotocol(protocol, key): if protocol not in configprotocols: @@ -289,10 +277,17 @@ if protocol not in configprotocols: raise ValueError('protocol value not supported: %s' % protocol) - # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use - # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However, - # SSLContext.options doesn't work in our implementation since we use - # a fake SSLContext on these Python versions. + # Despite its name, PROTOCOL_SSLv23 selects the highest protocol + # that both ends support, including TLS protocols. On legacy stacks, + # the highest it likely goes is TLS 1.0. On modern stacks, it can + # support TLS 1.2. + # + # The PROTOCOL_TLSv* constants select a specific TLS version + # only (as opposed to multiple versions). So the method for + # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and + # disable protocols via SSLContext.options and OP_NO_* constants. + # However, SSLContext.options doesn't work unless we have the + # full/real SSLContext available to us. if not modernssl: if protocol != 'tls1.0': raise error.Abort(_('current Python does not support protocol '
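Review bot: in the first hunk (`@@ -139,18 +139,6 @@`) the whole PROTOCOL_SSLv23 / OP_NO_* rationale is deleted from above `validateprotocol` without leaving any pointer to where it went, so a reader of the settings code that uses `configprotocols` now sees the check with no explanation of why a minimum TLS version is expressed the way it is. Since the commit message says the text moved to protocolsettings(), a one-line pointer such as `# See the protocol comment in protocolsettings() for why we use PROTOCOL_SSLv23 plus OP_NO_* options.` at the old location would keep the two sites connected. The change is comment-only, so nothing the surrounding code depends on is affected.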
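Review bot: in the second hunk (`@@ -289,10 +277,17 @@`) the moved comment is less precise than the four lines it replaces about why the code directly below aborts for anything other than `'tls1.0'`. The removed text said outright that the legacy ssl module only supports up to TLS 1.0 and that `SSLContext.options` cannot be used because a fake SSLContext is in play on those Python versions; the new text only says "the highest it likely goes is TLS 1.0" and that options need "the full/real SSLContext", leaving the reader to infer the link to `if not modernssl:` and the `error.Abort`. Suggest keeping one sentence of the old comment immediately before that branch, for example `# Our fake SSLContext on legacy Python cannot set options, so only TLS 1.0 is usable there.`, and dropping the hedge "likely" since the code below treats the limit as a hard one.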