18 from . import ( |
18 from . import ( |
19 error, |
19 error, |
20 node, |
20 node, |
21 pycompat, |
21 pycompat, |
22 util, |
22 util, |
|
23 ) |
|
24 from .utils import ( |
|
25 stringutil, |
23 ) |
26 ) |
24 |
27 |
25 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added |
28 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added |
26 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are |
29 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are |
27 # all exposed via the "ssl" module. |
30 # all exposed via the "ssl" module. |
372 if settings['ciphers']: |
375 if settings['ciphers']: |
373 try: |
376 try: |
374 sslcontext.set_ciphers(pycompat.sysstr(settings['ciphers'])) |
377 sslcontext.set_ciphers(pycompat.sysstr(settings['ciphers'])) |
375 except ssl.SSLError as e: |
378 except ssl.SSLError as e: |
376 raise error.Abort( |
379 raise error.Abort( |
377 _('could not set ciphers: %s') % util.forcebytestr(e.args[0]), |
380 _('could not set ciphers: %s') |
|
381 % stringutil.forcebytestr(e.args[0]), |
378 hint=_('change cipher string (%s) in config') % |
382 hint=_('change cipher string (%s) in config') % |
379 settings['ciphers']) |
383 settings['ciphers']) |
380 |
384 |
381 if certfile is not None: |
385 if certfile is not None: |
382 def password(): |
386 def password(): |
391 if len(e.args) == 1: # pypy has different SSLError args |
395 if len(e.args) == 1: # pypy has different SSLError args |
392 msg = e.args[0] |
396 msg = e.args[0] |
393 else: |
397 else: |
394 msg = e.args[1] |
398 msg = e.args[1] |
395 raise error.Abort(_('error loading CA file %s: %s') % ( |
399 raise error.Abort(_('error loading CA file %s: %s') % ( |
396 settings['cafile'], util.forcebytestr(msg)), |
400 settings['cafile'], stringutil.forcebytestr(msg)), |
397 hint=_('file is empty or malformed?')) |
401 hint=_('file is empty or malformed?')) |
398 caloaded = True |
402 caloaded = True |
399 elif settings['allowloaddefaultcerts']: |
403 elif settings['allowloaddefaultcerts']: |
400 # This is a no-op on old Python. |
404 # This is a no-op on old Python. |
401 sslcontext.load_default_certs() |
405 sslcontext.load_default_certs() |
640 if key == 'DNS': |
644 if key == 'DNS': |
641 try: |
645 try: |
642 if _dnsnamematch(value, hostname): |
646 if _dnsnamematch(value, hostname): |
643 return |
647 return |
644 except wildcarderror as e: |
648 except wildcarderror as e: |
645 return util.forcebytestr(e.args[0]) |
649 return stringutil.forcebytestr(e.args[0]) |
646 |
650 |
647 dnsnames.append(value) |
651 dnsnames.append(value) |
648 |
652 |
649 if not dnsnames: |
653 if not dnsnames: |
650 # The subject is only checked when there is no DNS in subjectAltName. |
654 # The subject is only checked when there is no DNS in subjectAltName. |
661 |
665 |
662 try: |
666 try: |
663 if _dnsnamematch(value, hostname): |
667 if _dnsnamematch(value, hostname): |
664 return |
668 return |
665 except wildcarderror as e: |
669 except wildcarderror as e: |
666 return util.forcebytestr(e.args[0]) |
670 return stringutil.forcebytestr(e.args[0]) |
667 |
671 |
668 dnsnames.append(value) |
672 dnsnames.append(value) |
669 |
673 |
670 if len(dnsnames) > 1: |
674 if len(dnsnames) > 1: |
671 return _('certificate is for %s') % ', '.join(dnsnames) |
675 return _('certificate is for %s') % ', '.join(dnsnames) |