Mercurial > hg
comparison mercurial/sslutil.py @ 23849:58080815f667
sslutil: drop support for clients of sslutil specifying a TLS version
We really just want to support the newest thing possible, so we may as
well consolidate that knowledge into this module. Right now this
doesn't change any behavior, but a future change will fix the defaults
for Python 2.7.9 so we can use slightly better defaults there (which
is the only place it's possible at the moment.)
| author | Augie Fackler <augie@google.com> |
|---|---|
| date | Wed, 14 Jan 2015 15:31:16 -0500 |
| parents | bf07c19b4c82 |
| children | e1931f7cd977 |
comparison
equal
deleted
inserted
replaced
| 23848:c5456b64eb07 | 23849:58080815f667 |
|---|---|
| 16 CERT_REQUIRED = ssl.CERT_REQUIRED | 16 CERT_REQUIRED = ssl.CERT_REQUIRED |
| 17 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1 | 17 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1 |
| 18 try: | 18 try: |
| 19 ssl_context = ssl.SSLContext | 19 ssl_context = ssl.SSLContext |
| 20 | 20 |
| 21 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1, | 21 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE, |
| 22 cert_reqs=ssl.CERT_NONE, ca_certs=None, | 22 ca_certs=None, serverhostname=None): |
| 23 serverhostname=None): | 23 sslcontext = ssl.SSLContext(PROTOCOL_TLSv1) |
| 24 sslcontext = ssl.SSLContext(ssl_version) | |
| 25 if certfile is not None: | 24 if certfile is not None: |
| 26 sslcontext.load_cert_chain(certfile, keyfile) | 25 sslcontext.load_cert_chain(certfile, keyfile) |
| 27 sslcontext.verify_mode = cert_reqs | 26 sslcontext.verify_mode = cert_reqs |
| 28 if ca_certs is not None: | 27 if ca_certs is not None: |
| 29 sslcontext.load_verify_locations(cafile=ca_certs) | 28 sslcontext.load_verify_locations(cafile=ca_certs) |
| 35 # - see http://bugs.python.org/issue13721 | 34 # - see http://bugs.python.org/issue13721 |
| 36 if not sslsocket.cipher(): | 35 if not sslsocket.cipher(): |
| 37 raise util.Abort(_('ssl connection failed')) | 36 raise util.Abort(_('ssl connection failed')) |
| 38 return sslsocket | 37 return sslsocket |
| 39 except AttributeError: | 38 except AttributeError: |
| 40 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1, | 39 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE, |
| 41 cert_reqs=ssl.CERT_NONE, ca_certs=None, | 40 ca_certs=None, serverhostname=None): |
| 42 serverhostname=None): | |
| 43 sslsocket = ssl.wrap_socket(sock, keyfile, certfile, | 41 sslsocket = ssl.wrap_socket(sock, keyfile, certfile, |
| 44 cert_reqs=cert_reqs, ca_certs=ca_certs, | 42 cert_reqs=cert_reqs, ca_certs=ca_certs, |
| 45 ssl_version=ssl_version) | 43 ssl_version=PROTOCOL_TLSv1) |
| 46 # check if wrap_socket failed silently because socket had been | 44 # check if wrap_socket failed silently because socket had been |
| 47 # closed | 45 # closed |
| 48 # - see http://bugs.python.org/issue13721 | 46 # - see http://bugs.python.org/issue13721 |
| 49 if not sslsocket.cipher(): | 47 if not sslsocket.cipher(): |
| 50 raise util.Abort(_('ssl connection failed')) | 48 raise util.Abort(_('ssl connection failed')) |
| 54 | 52 |
| 55 PROTOCOL_TLSv1 = 3 | 53 PROTOCOL_TLSv1 = 3 |
| 56 | 54 |
| 57 import socket, httplib | 55 import socket, httplib |
| 58 | 56 |
| 59 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1, | 57 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=CERT_REQUIRED, |
| 60 cert_reqs=CERT_REQUIRED, ca_certs=None, | 58 ca_certs=None, serverhostname=None): |
| 61 serverhostname=None): | |
| 62 if not util.safehasattr(socket, 'ssl'): | 59 if not util.safehasattr(socket, 'ssl'): |
| 63 raise util.Abort(_('Python SSL support not found')) | 60 raise util.Abort(_('Python SSL support not found')) |
| 64 if ca_certs: | 61 if ca_certs: |
| 65 raise util.Abort(_( | 62 raise util.Abort(_( |
| 66 'certificate checking requires Python 2.6')) | 63 'certificate checking requires Python 2.6')) |
| 124 exe = (sys.executable or '').lower() | 121 exe = (sys.executable or '').lower() |
| 125 return (exe.startswith('/usr/bin/python') or | 122 return (exe.startswith('/usr/bin/python') or |
| 126 exe.startswith('/system/library/frameworks/python.framework/')) | 123 exe.startswith('/system/library/frameworks/python.framework/')) |
| 127 | 124 |
| 128 def sslkwargs(ui, host): | 125 def sslkwargs(ui, host): |
| 129 kws = {'ssl_version': PROTOCOL_TLSv1, | 126 kws = {} |
| 130 } | |
| 131 hostfingerprint = ui.config('hostfingerprints', host) | 127 hostfingerprint = ui.config('hostfingerprints', host) |
| 132 if hostfingerprint: | 128 if hostfingerprint: |
| 133 return kws | 129 return kws |
| 134 cacerts = ui.config('web', 'cacerts') | 130 cacerts = ui.config('web', 'cacerts') |
| 135 if cacerts: | 131 if cacerts: |