changeset 28647:834d1c4ba749
sslutil: better document state of security/ssl module
Pythons older than 2.7.9 lack the modern ssl module
and have horrible security. Let's document this explicitly.
author | Gregory Szorc <gregory.szorc@gmail.com> |
date | Sun, 27 Mar 2016 14:07:06 -0700 |
parents | f452c1cf7a8f |
children | 7fc787e5d8ec |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 12 insertions(+), 0 deletions(-) [+] |
--- a/mercurial/sslutil.py Mon Mar 28 01:57:44 2016 +0530
+++ b/mercurial/sslutil.py Sun Mar 27 14:07:06 2016 -0700
@@ -19,10 +19,20 @@
 util,
 )
+# Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
+# support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
+# all exposed via the "ssl" module.
+#
+# Depending on the version of Python being used, SSL/TLS support is either
+# modern/secure or legacy/insecure. Many operations in this module have
+# separate code paths depending on support in Python.
+
 hassni = getattr(ssl, 'HAS_SNI', False)
 _canloaddefaultcerts = False
 try:
+ # ssl.SSLContext was added in 2.7.9 and presence indicates modern
+ # SSL/TLS features are available.
 ssl_context = ssl.SSLContext
 _canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
@@ -58,6 +68,8 @@
 raise error.Abort(_('ssl connection failed'))
 return sslsocket
 except AttributeError:
+ # We don't have a modern version of the "ssl" module and are running
+ # Python <2.7.9.
 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
 ca_certs=None, serverhostname=None):
 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
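Review bot: The new module header comment presents TLS support as a two-state property of the interpreter version ("modern/secure" on 2.7.9+, "legacy/insecure" otherwise), but which protocol versions and SNI are actually available also depends on the OpenSSL the interpreter was linked against, which is presumably why the code that follows probes `ssl.HAS_SNI` and `load_default_certs` at runtime instead of consulting `sys.version_info`. A maintainer reading only this comment could later "simplify" those probes into a version check, so I would add one sentence making the intent explicit: `# The TLS versions and SNI actually on offer also depend on the OpenSSL Python was built against, so this module tests for feature presence rather than the interpreter version.` The `try:` block this hunk opens continues past the hunk.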
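Review bot: The comment added before the fallback `wrapsocket` only says we are on Python <2.7.9; given this commit's stated purpose, it should say what "insecure" concretely means on this path, since the signature visible in the hunk defaults `cert_reqs=ssl.CERT_NONE`, i.e. the peer certificate is not validated at all unless a caller explicitly passes `ssl.CERT_REQUIRED` together with `ca_certs`, and without `ssl.SSLContext` the `serverhostname` argument presumably cannot be sent as SNI. Suggested wording: `# Legacy path (Python <2.7.9, no ssl.SSLContext): ssl.wrap_socket() cannot send SNI and,` / `# with the default cert_reqs=ssl.CERT_NONE, performs no peer certificate validation at all;` / `# callers must pass cert_reqs=ssl.CERT_REQUIRED with ca_certs to get any authentication.` The body of `wrapsocket` continues past the hunk, so whether hostname matching is done there cannot be confirmed from this view.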