Mercurial > hg
diff mercurial/sslutil.py @ 52286:f1b37ed41f01
sslutil: de-indent the Python 3.7+ code from the previous commit
author | Matt Harbison <matt_harbison@yahoo.com> |
---|---|
date | Wed, 20 Nov 2024 16:31:40 -0500 |
parents | 94cf83d9a2c9 |
children | baeb5e8d2612 |
line wrap: on
line diff
--- a/mercurial/sslutil.py Fri Nov 08 19:48:06 2024 -0500 +++ b/mercurial/sslutil.py Wed Nov 20 16:31:40 2024 -0500 @@ -312,32 +312,31 @@ # is loaded and contains that removed CA, you've just undone the user's # choice. - if True: - sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) - minimumprotocol = settings[b'minimumprotocol'] - if minimumprotocol == b'tls1.0': - with warnings.catch_warnings(): - warnings.filterwarnings( - 'ignore', - 'ssl.TLSVersion.TLSv1 is deprecated', - DeprecationWarning, - ) - sslcontext.minimum_version = ssl.TLSVersion.TLSv1 - elif minimumprotocol == b'tls1.1': - with warnings.catch_warnings(): - warnings.filterwarnings( - 'ignore', - 'ssl.TLSVersion.TLSv1_1 is deprecated', - DeprecationWarning, - ) - sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 - elif minimumprotocol == b'tls1.2': - sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 - else: - raise error.Abort(_(b'this should not happen')) - # Prevent CRIME. - # There is no guarantee this attribute is defined on the module. - sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) + sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + minimumprotocol = settings[b'minimumprotocol'] + if minimumprotocol == b'tls1.0': + with warnings.catch_warnings(): + warnings.filterwarnings( + 'ignore', + 'ssl.TLSVersion.TLSv1 is deprecated', + DeprecationWarning, + ) + sslcontext.minimum_version = ssl.TLSVersion.TLSv1 + elif minimumprotocol == b'tls1.1': + with warnings.catch_warnings(): + warnings.filterwarnings( + 'ignore', + 'ssl.TLSVersion.TLSv1_1 is deprecated', + DeprecationWarning, + ) + sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 + elif minimumprotocol == b'tls1.2': + sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 + else: + raise error.Abort(_(b'this should not happen')) + # Prevent CRIME. + # There is no guarantee this attribute is defined on the module. + sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) # We check the hostname ourselves in _verifycert sslcontext.check_hostname = False @@ -538,45 +537,44 @@ _(b'referenced certificate file (%s) does not exist') % f ) - if True: - sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) - sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) + sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) + sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) - # This config option is intended for use in tests only. It is a giant - # footgun to kill security. Don't define it. - exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol') - if exactprotocol == b'tls1.0': - if b'tls1.0' not in supportedprotocols: - raise error.Abort(_(b'TLS 1.0 not supported by this Python')) - with warnings.catch_warnings(): - warnings.filterwarnings( - 'ignore', - 'ssl.TLSVersion.TLSv1 is deprecated', - DeprecationWarning, - ) - sslcontext.minimum_version = ssl.TLSVersion.TLSv1 - sslcontext.maximum_version = ssl.TLSVersion.TLSv1 - elif exactprotocol == b'tls1.1': - if b'tls1.1' not in supportedprotocols: - raise error.Abort(_(b'TLS 1.1 not supported by this Python')) - with warnings.catch_warnings(): - warnings.filterwarnings( - 'ignore', - 'ssl.TLSVersion.TLSv1_1 is deprecated', - DeprecationWarning, - ) - sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 - sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1 - elif exactprotocol == b'tls1.2': - if b'tls1.2' not in supportedprotocols: - raise error.Abort(_(b'TLS 1.2 not supported by this Python')) - sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 - sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2 - elif exactprotocol: - raise error.Abort( - _(b'invalid value for server-insecure-exact-protocol: %s') - % exactprotocol + # This config option is intended for use in tests only. It is a giant + # footgun to kill security. Don't define it. + exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol') + if exactprotocol == b'tls1.0': + if b'tls1.0' not in supportedprotocols: + raise error.Abort(_(b'TLS 1.0 not supported by this Python')) + with warnings.catch_warnings(): + warnings.filterwarnings( + 'ignore', + 'ssl.TLSVersion.TLSv1 is deprecated', + DeprecationWarning, ) + sslcontext.minimum_version = ssl.TLSVersion.TLSv1 + sslcontext.maximum_version = ssl.TLSVersion.TLSv1 + elif exactprotocol == b'tls1.1': + if b'tls1.1' not in supportedprotocols: + raise error.Abort(_(b'TLS 1.1 not supported by this Python')) + with warnings.catch_warnings(): + warnings.filterwarnings( + 'ignore', + 'ssl.TLSVersion.TLSv1_1 is deprecated', + DeprecationWarning, + ) + sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1 + sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1 + elif exactprotocol == b'tls1.2': + if b'tls1.2' not in supportedprotocols: + raise error.Abort(_(b'TLS 1.2 not supported by this Python')) + sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2 + sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2 + elif exactprotocol: + raise error.Abort( + _(b'invalid value for server-insecure-exact-protocol: %s') + % exactprotocol + ) # Improve forward secrecy. sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)