changeset 44900:38e3df9ff1e7

sslutil: stop storing protocol and options for SSLContext in settings dict Call protocolsettings() where its return values are needed.
author Manuel Jacob <me@manueljacob.de>
date Mon, 01 Jun 2020 14:20:13 +0200
parents 4ca1110991c4
children 53b3baaadb64
files mercurial/sslutil.py
diffstat 1 files changed, 3 insertions(+), 9 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Mon Jun 01 14:07:06 2020 +0200
+++ b/mercurial/sslutil.py	Mon Jun 01 14:20:13 2020 +0200
@@ -77,15 +77,11 @@
         b'disablecertverification': False,
         # Whether the legacy [hostfingerprints] section has data for this host.
         b'legacyfingerprint': False,
-        # PROTOCOL_* constant to use for SSLContext.__init__.
-        b'protocol': None,
         # String representation of minimum protocol to be used for UI
         # presentation.
         b'minimumprotocol': None,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         b'verifymode': None,
-        # Defines extra ssl.OP* bitwise options to set.
-        b'ctxoptions': None,
         # OpenSSL Cipher List to use (instead of default).
         b'ciphers': None,
     }
@@ -124,7 +120,6 @@
         minimumprotocol = b'tls1.0'
 
     s[b'minimumprotocol'] = minimumprotocol
-    s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol)
 
     ciphers = ui.config(b'hostsecurity', b'ciphers')
     ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
@@ -226,8 +221,6 @@
             # user).
             s[b'verifymode'] = ssl.CERT_NONE
 
-    assert s[b'protocol'] is not None
-    assert s[b'ctxoptions'] is not None
     assert s[b'verifymode'] is not None
 
     return s
@@ -321,8 +314,9 @@
     # bundle with a specific CA cert removed. If the system/default CA bundle
     # is loaded and contains that removed CA, you've just undone the user's
     # choice.
-    sslcontext = ssl.SSLContext(settings[b'protocol'])
-    sslcontext.options |= settings[b'ctxoptions']
+    protocol, options = protocolsettings(settings[b'minimumprotocol'])
+    sslcontext = ssl.SSLContext(protocol)
+    sslcontext.options |= options
     sslcontext.verify_mode = settings[b'verifymode']
 
     if settings[b'ciphers']: