sslutil: move context options flags to _hostsettings
Again, moving configuration determination to a single location.
--- a/mercurial/sslutil.py Wed Jul 06 22:47:24 2016 -0700
+++ b/mercurial/sslutil.py Wed Jul 06 22:53:22 2016 -0700
@@ -130,6 +130,8 @@
'protocol': None,
# ssl.CERT_* constant used by SSLContext.verify_mode.
'verifymode': None,
+ # Defines extra ssl.OP* bitwise options to set.
+ 'ctxoptions': None,
}
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol
@@ -148,6 +150,11 @@
else:
s['protocol'] = ssl.PROTOCOL_TLSv1
+ # SSLv2 and SSLv3 are broken. We ban them outright.
+ # WARNING: ctxoptions doesn't have an effect unless the modern ssl module
+ # is available. Be careful when adding flags!
+ s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
+
# Look for fingerprints in [hostsecurity] section. Value is a list
# of <alg>:<fingerprint> strings.
fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
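Review bot: `s['ctxoptions']` is set to the fixed value `OP_NO_SSLv2 | OP_NO_SSLv3` regardless of which `protocol` branch ran, and the WARNING comment itself states the flags are silently ignored without the modern ssl module, so on legacy ssl the exclusion of SSLv2/SSLv3 appears to rest entirely on the `ssl.PROTOCOL_TLSv1` assignment in the `else` branch just above. The comment should name that coupling so nobody later adds a flag here and assumes it is enforced everywhere, e.g. `# On legacy ssl these bits are ignored; the PROTOCOL_TLSv1 selection above is what actually excludes SSLv2/SSLv3 there.` The key's description added in the first hunk (`# Defines extra ssl.OP* bitwise options to set.`) could also record that `_hostsettings` always populates it (it is asserted non-None before `return s` in the third hunk), so consumers need not handle `None`. The enclosing function begins before this hunk.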
@@ -234,6 +241,7 @@
s['verifymode'] = ssl.CERT_NONE
assert s['protocol'] is not None
+ assert s['ctxoptions'] is not None
assert s['verifymode'] is not None
return s
@@ -259,9 +267,8 @@
# TODO use ssl.create_default_context() on modernssl.
sslcontext = SSLContext(settings['protocol'])
- # SSLv2 and SSLv3 are broken. We ban them outright.
- # This is a no-op on old Python.
- sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
+ # This is a no-op unless using modern ssl.
+ sslcontext.options |= settings['ctxoptions']
# This still works on our fake SSLContext.
sslcontext.verify_mode = settings['verifymode']