Mercurial > hg-stable
changeset 44948:ceb7318013d5
sslutil: fix names of variables containing minimum protocol strings
When working in this module, I found it very confusing that "protocol" as a
variable name could mean either "minimum protocol string" or an exact version
(as a string or ssl.PROTOCOL_* value). This patch prefixes variables of the
former type with "minimum".
author | Manuel Jacob <me@manueljacob.de> |
---|---|
date | Sun, 31 May 2020 10:47:38 +0200 |
parents | 95903a8d8c97 |
children | 4942c1bdd080 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 20 insertions(+), 20 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Sun May 31 09:55:45 2020 +0200 +++ b/mercurial/sslutil.py Sun May 31 10:47:38 2020 +0200 @@ -76,7 +76,7 @@ b'protocol': None, # String representation of minimum protocol to be used for UI # presentation. - b'protocolui': None, + b'minimumprotocolui': None, # ssl.CERT_* constant used by SSLContext.verify_mode. b'verifymode': None, # Defines extra ssl.OP* bitwise options to set. @@ -99,7 +99,7 @@ # vulnerabilities (like BEAST and POODLE). We allow users to downgrade to # TLS 1.0+ via config options in case a legacy server is encountered. if b'tls1.1' in supportedprotocols: - defaultprotocol = b'tls1.1' + defaultminimumprotocol = b'tls1.1' else: # Let people know they are borderline secure. # We don't document this config option because we want people to see @@ -115,24 +115,24 @@ ) % bhostname ) - defaultprotocol = b'tls1.0' + defaultminimumprotocol = b'tls1.0' key = b'minimumprotocol' - protocol = ui.config(b'hostsecurity', key, defaultprotocol) - validateprotocol(protocol, key) + minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) + validateprotocol(minimumprotocol, key) key = b'%s:minimumprotocol' % bhostname - protocol = ui.config(b'hostsecurity', key, protocol) - validateprotocol(protocol, key) + minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) + validateprotocol(minimumprotocol, key) # If --insecure is used, we allow the use of TLS 1.0 despite config options. # We always print a "connection security to %s is disabled..." message when # --insecure is used. So no need to print anything more here. if ui.insecureconnections: - protocol = b'tls1.0' + minimumprotocol = b'tls1.0' - s[b'protocolui'] = protocol - s[b'protocol'], s[b'ctxoptions'] = protocolsettings(protocol) + s[b'minimumprotocolui'] = minimumprotocol + s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) ciphers = ui.config(b'hostsecurity', b'ciphers') ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) @@ -241,13 +241,13 @@ return s -def protocolsettings(protocol): +def protocolsettings(minimumprotocol): """Resolve the protocol for a config value. Returns a tuple of (protocol, options) which are values used by SSLContext. """ - if protocol not in configprotocols: - raise ValueError(b'protocol value not supported: %s' % protocol) + if minimumprotocol not in configprotocols: + raise ValueError(b'protocol value not supported: %s' % minimumprotocol) # Despite its name, PROTOCOL_SSLv23 selects the highest protocol # that both ends support, including TLS protocols. On legacy stacks, @@ -259,10 +259,10 @@ # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and # disable protocols via SSLContext.options and OP_NO_* constants. if supportedprotocols == {b'tls1.0'}: - if protocol != b'tls1.0': + if minimumprotocol != b'tls1.0': raise error.Abort( _(b'current Python does not support protocol setting %s') - % protocol, + % minimumprotocol, hint=_( b'upgrade Python or disable setting since ' b'only TLS 1.0 is supported' @@ -274,12 +274,12 @@ # SSLv2 and SSLv3 are broken. We ban them outright. options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 - if protocol == b'tls1.0': + if minimumprotocol == b'tls1.0': # Defaults above are to use TLS 1.0+ pass - elif protocol == b'tls1.1': + elif minimumprotocol == b'tls1.1': options |= ssl.OP_NO_TLSv1 - elif protocol == b'tls1.2': + elif minimumprotocol == b'tls1.2': options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 else: raise error.Abort(_(b'this should not happen')) @@ -424,7 +424,7 @@ # reason, try to emit an actionable warning. if e.reason == 'UNSUPPORTED_PROTOCOL': # We attempted TLS 1.0+. - if settings[b'protocolui'] == b'tls1.0': + if settings[b'minimumprotocolui'] == b'tls1.0': # We support more than just TLS 1.0+. If this happens, # the likely scenario is either the client or the server # is really old. (e.g. server doesn't support TLS 1.0+ or @@ -469,7 +469,7 @@ b'to be more secure than the server can support)\n' ) % ( - settings[b'protocolui'], + settings[b'minimumprotocolui'], pycompat.bytesurl(serverhostname), ) )