# HG changeset patch # User Gregory Szorc # Date 1459112826 25200 # Node ID 834d1c4ba749e33799a2f8f5c5b9b4a3c343dd8b # Parent f452c1cf7a8f06a4084de2049a7d801c4bde7498 sslutil: better document state of security/ssl module Pythons older than 2.7.9 are lacking the modern ssl module and have horrible security. Let's document this explicitly. diff -r f452c1cf7a8f -r 834d1c4ba749 mercurial/sslutil.py --- a/mercurial/sslutil.py Mon Mar 28 01:57:44 2016 +0530 +++ b/mercurial/sslutil.py Sun Mar 27 14:07:06 2016 -0700 @@ -19,10 +19,20 @@ util, ) +# Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added +# support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are +# all exposed via the "ssl" module. +# +# Depending on the version of Python being used, SSL/TLS support is either +# modern/secure or legacy/insecure. Many operations in this module have +# separate code paths depending on support in Python. + hassni = getattr(ssl, 'HAS_SNI', False) _canloaddefaultcerts = False try: + # ssl.SSLContext was added in 2.7.9 and presence indicates modern + # SSL/TLS features are available. ssl_context = ssl.SSLContext _canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs') @@ -58,6 +68,8 @@ raise error.Abort(_('ssl connection failed')) return sslsocket except AttributeError: + # We don't have a modern version of the "ssl" module and are running + # Python <2.7.9. def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE, ca_certs=None, serverhostname=None): sslsocket = ssl.wrap_socket(sock, keyfile, certfile,