changeset 25431:96159068c506

ssl: drop try-except clause that was necessary for ancient Python
author Yuya Nishihara <yuya@tcha.org>
date Fri, 05 Jun 2015 21:40:59 +0900
parents 19fa0cb71cd3
children bdc15b3c9bdb
files mercurial/sslutil.py
diffstat 1 files changed, 45 insertions(+), 52 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Fri Jun 05 21:37:46 2015 +0900
+++ b/mercurial/sslutil.py	Fri Jun 05 21:40:59 2015 +0900
@@ -12,61 +12,54 @@
 from mercurial.i18n import _
 
 _canloaddefaultcerts = False
+CERT_REQUIRED = ssl.CERT_REQUIRED
 try:
-    CERT_REQUIRED = ssl.CERT_REQUIRED
-    try:
-        ssl_context = ssl.SSLContext
-        _canloaddefaultcerts = util.safehasattr(ssl_context,
-                                                'load_default_certs')
+    ssl_context = ssl.SSLContext
+    _canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
 
-        def wrapsocket(sock, keyfile, certfile, ui,
-                       cert_reqs=ssl.CERT_NONE,
-                       ca_certs=None, serverhostname=None):
-            # Allow any version of SSL starting with TLSv1 and
-            # up. Note that specifying TLSv1 here prohibits use of
-            # newer standards (like TLSv1_2), so this is the right way
-            # to do this. Note that in the future it'd be better to
-            # support using ssl.create_default_context(), which sets
-            # up a bunch of things in smart ways (strong ciphers,
-            # protocol versions, etc) and is upgraded by Python
-            # maintainers for us, but that breaks too many things to
-            # do it in a hurry.
-            sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-            sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
-            if certfile is not None:
-                def password():
-                    f = keyfile or certfile
-                    return ui.getpass(_('passphrase for %s: ') % f, '')
-                sslcontext.load_cert_chain(certfile, keyfile, password)
-            sslcontext.verify_mode = cert_reqs
-            if ca_certs is not None:
-                sslcontext.load_verify_locations(cafile=ca_certs)
-            elif _canloaddefaultcerts:
-                sslcontext.load_default_certs()
+    def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
+                   ca_certs=None, serverhostname=None):
+        # Allow any version of SSL starting with TLSv1 and
+        # up. Note that specifying TLSv1 here prohibits use of
+        # newer standards (like TLSv1_2), so this is the right way
+        # to do this. Note that in the future it'd be better to
+        # support using ssl.create_default_context(), which sets
+        # up a bunch of things in smart ways (strong ciphers,
+        # protocol versions, etc) and is upgraded by Python
+        # maintainers for us, but that breaks too many things to
+        # do it in a hurry.
+        sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
+        if certfile is not None:
+            def password():
+                f = keyfile or certfile
+                return ui.getpass(_('passphrase for %s: ') % f, '')
+            sslcontext.load_cert_chain(certfile, keyfile, password)
+        sslcontext.verify_mode = cert_reqs
+        if ca_certs is not None:
+            sslcontext.load_verify_locations(cafile=ca_certs)
+        elif _canloaddefaultcerts:
+            sslcontext.load_default_certs()
 
-            sslsocket = sslcontext.wrap_socket(sock,
-                                               server_hostname=serverhostname)
-            # check if wrap_socket failed silently because socket had been
-            # closed
-            # - see http://bugs.python.org/issue13721
-            if not sslsocket.cipher():
-                raise util.Abort(_('ssl connection failed'))
-            return sslsocket
-    except AttributeError:
-        def wrapsocket(sock, keyfile, certfile, ui,
-                       cert_reqs=ssl.CERT_NONE,
-                       ca_certs=None, serverhostname=None):
-            sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
-                                        cert_reqs=cert_reqs, ca_certs=ca_certs,
-                                        ssl_version=ssl.PROTOCOL_TLSv1)
-            # check if wrap_socket failed silently because socket had been
-            # closed
-            # - see http://bugs.python.org/issue13721
-            if not sslsocket.cipher():
-                raise util.Abort(_('ssl connection failed'))
-            return sslsocket
-except ImportError:
-    raise
+        sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
+        # check if wrap_socket failed silently because socket had been
+        # closed
+        # - see http://bugs.python.org/issue13721
+        if not sslsocket.cipher():
+            raise util.Abort(_('ssl connection failed'))
+        return sslsocket
+except AttributeError:
+    def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
+                   ca_certs=None, serverhostname=None):
+        sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
+                                    cert_reqs=cert_reqs, ca_certs=ca_certs,
+                                    ssl_version=ssl.PROTOCOL_TLSv1)
+        # check if wrap_socket failed silently because socket had been
+        # closed
+        # - see http://bugs.python.org/issue13721
+        if not sslsocket.cipher():
+            raise util.Abort(_('ssl connection failed'))
+        return sslsocket
 
 def _verifycert(cert, hostname):
     '''Verify that cert (in socket.getpeercert() format) matches hostname.