# HG changeset patch
# User Augie Fackler
# Date 1421267476 18000
# Node ID 58080815f667ab61332b3f225add2d8f43b64cdd
# Parent c5456b64eb07c37a4e891d641617f42fb8182dc1
sslutil: drop support for clients of sslutil specifying a TLS version

We really just want to support the newest thing possible, so we may as well consolidate that knowledge into this module. Right now this doesn't change any behavior, but a future change will fix the defaults for Python 2.7.9 so we can use slightly better defaults there (which is the only place it's possible at the moment.)

diff -r c5456b64eb07 -r 58080815f667 mercurial/sslutil.py
--- a/mercurial/sslutil.py Wed Jan 07 00:07:29 2015 -0800
+++ b/mercurial/sslutil.py Wed Jan 14 15:31:16 2015 -0500
@@ -18,10 +18,9 @@
 try:
 ssl_context = ssl.SSLContext
- def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
- cert_reqs=ssl.CERT_NONE, ca_certs=None,
- serverhostname=None):
- sslcontext = ssl.SSLContext(ssl_version)
+ def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
+ ca_certs=None, serverhostname=None):
+ sslcontext = ssl.SSLContext(PROTOCOL_TLSv1)
 if certfile is not None:
 sslcontext.load_cert_chain(certfile, keyfile)
 sslcontext.verify_mode = cert_reqs
@@ -37,12 +36,11 @@
 raise util.Abort(_('ssl connection failed'))
 return sslsocket
 except AttributeError:
- def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
- cert_reqs=ssl.CERT_NONE, ca_certs=None,
- serverhostname=None):
+ def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
+ ca_certs=None, serverhostname=None):
 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
 cert_reqs=cert_reqs, ca_certs=ca_certs,
- ssl_version=ssl_version)
+ ssl_version=PROTOCOL_TLSv1)
 # check if wrap_socket failed silently because socket had been
 # closed
 # - see http://bugs.python.org/issue13721
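Review bot: `ssl.SSLContext(PROTOCOL_TLSv1)` in the `@@ -18,10 +18,9 @@` hunk pins the connection to exactly TLS 1.0, because in Python's ssl module this constant selects that single version rather than a minimum, so TLS 1.1/1.2 are never negotiated even when both ends support them. This branch only runs where `ssl.SSLContext` exists, so it could use `sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)` followed by `sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`. The same constant is hard-coded in the `ssl.wrap_socket(..., ssl_version=PROTOCOL_TLSv1)` fallback of the next hunk, where the option flags may not be available; a comment there saying the pin is deliberate would help. The function body continues outside the hunk.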
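Review bot: Dropping `ssl_version` from the middle of the signature in the `@@ -37,12 +36,11 @@` hunk moves `cert_reqs` into the fourth positional slot, so a caller outside this diff that still passes the protocol positionally would have it bound to `cert_reqs` rather than failing on an unknown keyword. The same applies to the other two `ssl_wrap_socket` definitions (the `SSLContext` variant above and the `socket.ssl` variant below). A docstring line such as `"""Arguments after certfile must be passed by keyword."""` would document the contract; whether any such caller exists cannot be seen from the patch.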
@@ -56,9 +54,8 @@
 import socket, httplib
- def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
- cert_reqs=CERT_REQUIRED, ca_certs=None,
- serverhostname=None):
+ def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=CERT_REQUIRED,
+ ca_certs=None, serverhostname=None):
 if not util.safehasattr(socket, 'ssl'):
 raise util.Abort(_('Python SSL support not found'))
 if ca_certs:
@@ -126,8 +123,7 @@
 exe.startswith('/system/library/frameworks/python.framework/'))
 def sslkwargs(ui, host):
- kws = {'ssl_version': PROTOCOL_TLSv1,
- }
+ kws = {}
 hostfingerprint = ui.config('hostfingerprints', host)
 if hostfingerprint:
 return kws
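Review bot: The legacy `ssl_wrap_socket` in the `@@ -56,9 +54,8 @@` hunk defaults to `cert_reqs=CERT_REQUIRED`, while the two ssl-module variants earlier in the patch default to `cert_reqs=ssl.CERT_NONE`, so a caller that omits the argument gets certificate verification on one code path and none on the others. `sslkwargs()` in the last hunk now returns an empty `kws` when a host fingerprint is configured, which makes that case depend entirely on these defaults. Presumably the fingerprint is validated after the handshake, but that code is outside the hunks; a comment on the `return kws` line such as `# no cert_reqs here: the pinned fingerprint is validated separately` (if that is the case), or aligning the three defaults, would make the intent explicit. Both function bodies continue outside the hunks.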