Mercurial > hg
changeset 44900:38e3df9ff1e7
sslutil: stop storing protocol and options for SSLContext in settings dict
Call protocolsettings() where its return values are needed.
author | Manuel Jacob <me@manueljacob.de> |
---|---|
date | Mon, 01 Jun 2020 14:20:13 +0200 |
parents | 4ca1110991c4 |
children | 53b3baaadb64 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 3 insertions(+), 9 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Mon Jun 01 14:07:06 2020 +0200 +++ b/mercurial/sslutil.py Mon Jun 01 14:20:13 2020 +0200 @@ -77,15 +77,11 @@ b'disablecertverification': False, # Whether the legacy [hostfingerprints] section has data for this host. b'legacyfingerprint': False, - # PROTOCOL_* constant to use for SSLContext.__init__. - b'protocol': None, # String representation of minimum protocol to be used for UI # presentation. b'minimumprotocol': None, # ssl.CERT_* constant used by SSLContext.verify_mode. b'verifymode': None, - # Defines extra ssl.OP* bitwise options to set. - b'ctxoptions': None, # OpenSSL Cipher List to use (instead of default). b'ciphers': None, } @@ -124,7 +120,6 @@ minimumprotocol = b'tls1.0' s[b'minimumprotocol'] = minimumprotocol - s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) ciphers = ui.config(b'hostsecurity', b'ciphers') ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) @@ -226,8 +221,6 @@ # user). s[b'verifymode'] = ssl.CERT_NONE - assert s[b'protocol'] is not None - assert s[b'ctxoptions'] is not None assert s[b'verifymode'] is not None return s @@ -321,8 +314,9 @@ # bundle with a specific CA cert removed. If the system/default CA bundle # is loaded and contains that removed CA, you've just undone the user's # choice. - sslcontext = ssl.SSLContext(settings[b'protocol']) - sslcontext.options |= settings[b'ctxoptions'] + protocol, options = protocolsettings(settings[b'minimumprotocol']) + sslcontext = ssl.SSLContext(protocol) + sslcontext.options |= options sslcontext.verify_mode = settings[b'verifymode'] if settings[b'ciphers']: