# HG changeset patch
# User Manuel Jacob
# Date 1591014013 -7200
# Node ID 38e3df9ff1e77376017dc4d4e9751bdfdad35fac
# Parent 4ca1110991c4aaca107e144e5d4e361f29a22f5a
sslutil: stop storing protocol and options for SSLContext in settings dict
Call protocolsettings() where its return values are needed.
diff -r 4ca1110991c4 -r 38e3df9ff1e7 mercurial/sslutil.py
--- a/mercurial/sslutil.py Mon Jun 01 14:07:06 2020 +0200
+++ b/mercurial/sslutil.py Mon Jun 01 14:20:13 2020 +0200
@@ -77,15 +77,11 @@
 b'disablecertverification': False,
 # Whether the legacy [hostfingerprints] section has data for this host.
 b'legacyfingerprint': False,
- # PROTOCOL_* constant to use for SSLContext.__init__.
- b'protocol': None,
 # String representation of minimum protocol to be used for UI
 # presentation.
 b'minimumprotocol': None,
 # ssl.CERT_* constant used by SSLContext.verify_mode.
 b'verifymode': None,
- # Defines extra ssl.OP* bitwise options to set.
- b'ctxoptions': None,
 # OpenSSL Cipher List to use (instead of default).
 b'ciphers': None,
 }
@@ -124,7 +120,6 @@
 minimumprotocol = b'tls1.0'
 s[b'minimumprotocol'] = minimumprotocol
- s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol)
 ciphers = ui.config(b'hostsecurity', b'ciphers')
 ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
@@ -226,8 +221,6 @@
 # user).
 s[b'verifymode'] = ssl.CERT_NONE
- assert s[b'protocol'] is not None
- assert s[b'ctxoptions'] is not None
 assert s[b'verifymode'] is not None
 return s
@@ -321,8 +314,9 @@
 # bundle with a specific CA cert removed. If the system/default CA bundle
 # is loaded and contains that removed CA, you've just undone the user's
 # choice.
- sslcontext = ssl.SSLContext(settings[b'protocol'])
- sslcontext.options |= settings[b'ctxoptions']
+ protocol, options = protocolsettings(settings[b'minimumprotocol'])
+ sslcontext = ssl.SSLContext(protocol)
+ sslcontext.options |= options
 sslcontext.verify_mode = settings[b'verifymode']
 if settings[b'ciphers']:
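Review bot: In the last hunk (`@@ -321,8 +314,9 @@`), `protocolsettings(settings[b'minimumprotocol'])` is now the only place where the configured TLS floor becomes a `PROTOCOL_*` constant and `ssl.OP*` flags, but the two asserts removed in the `@@ -226,8 +221,6 @@` hunk are not replaced by a check on the value those are now derived from. The settings template still defaults `b'minimumprotocol'` to `None`, so I would keep the invariant at its source by adding `assert s[b'minimumprotocol'] is not None` beside the remaining `verifymode` assert. Any error `protocolsettings()` raises for an unsupported value would presumably now surface when the context is built rather than when the settings are computed. A short comment above the call would make that dependency visible, for example `# Derive the PROTOCOL_* constant and ssl.OP* flags from the configured minimum protocol.`. The enclosing function begins and ends outside the hunk.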