changeset 29578:4a4b8d3b4e43

sslutil: move comment about protocol constants protocolsettings() is the appropriate place for this comment.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 17 Jul 2016 11:03:08 -0700
parents 9654ef41f7cc
children 43f3c0df2fab
files mercurial/sslutil.py
diffstat 1 files changed, 11 insertions(+), 16 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Sun Jul 17 10:59:32 2016 -0700
+++ b/mercurial/sslutil.py	Sun Jul 17 11:03:08 2016 -0700
@@ -139,18 +139,6 @@
         'ciphers': None,
     }
 
-    # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
-    # that both ends support, including TLS protocols. On legacy stacks,
-    # the highest it likely goes is TLS 1.0. On modern stacks, it can
-    # support TLS 1.2.
-    #
-    # The PROTOCOL_TLSv* constants select a specific TLS version
-    # only (as opposed to multiple versions). So the method for
-    # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
-    # disable protocols via SSLContext.options and OP_NO_* constants.
-    # However, SSLContext.options doesn't work unless we have the
-    # full/real SSLContext available to us.
-
     # Allow minimum TLS protocol to be specified in the config.
     def validateprotocol(protocol, key):
         if protocol not in configprotocols:
@@ -289,10 +277,17 @@
     if protocol not in configprotocols:
         raise ValueError('protocol value not supported: %s' % protocol)
 
-    # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use
-    # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However,
-    # SSLContext.options doesn't work in our implementation since we use
-    # a fake SSLContext on these Python versions.
+    # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
+    # that both ends support, including TLS protocols. On legacy stacks,
+    # the highest it likely goes is TLS 1.0. On modern stacks, it can
+    # support TLS 1.2.
+    #
+    # The PROTOCOL_TLSv* constants select a specific TLS version
+    # only (as opposed to multiple versions). So the method for
+    # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
+    # disable protocols via SSLContext.options and OP_NO_* constants.
+    # However, SSLContext.options doesn't work unless we have the
+    # full/real SSLContext available to us.
     if not modernssl:
         if protocol != 'tls1.0':
             raise error.Abort(_('current Python does not support protocol '