changeset 29508:d65ec41b6384
sslutil: move context options flags to _hostsettings
Again, moving configuration determination to a single location.
author | Gregory Szorc <gregory.szorc@gmail.com> |
date | Wed, 06 Jul 2016 22:53:22 -0700 |
parents | 97dcdcf75f4f |
children | 945b4c14c570 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 10 insertions(+), 3 deletions(-) [+] |
--- a/mercurial/sslutil.py Wed Jul 06 22:47:24 2016 -0700
+++ b/mercurial/sslutil.py Wed Jul 06 22:53:22 2016 -0700
@@ -130,6 +130,8 @@
         'protocol': None,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         'verifymode': None,
+        # Defines extra ssl.OP* bitwise options to set.
+        'ctxoptions': None,
     }
 
     # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
@@ -148,6 +150,11 @@
     else:
         s['protocol'] = ssl.PROTOCOL_TLSv1
 
+    # SSLv2 and SSLv3 are broken. We ban them outright.
+    # WARNING: ctxoptions doesn't have an effect unless the modern ssl module
+    # is available. Be careful when adding flags!
+    s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
+
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
     fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
@@ -234,6 +241,7 @@
         s['verifymode'] = ssl.CERT_NONE
 
     assert s['protocol'] is not None
+    assert s['ctxoptions'] is not None
     assert s['verifymode'] is not None
 
     return s
@@ -259,9 +267,8 @@
     # TODO use ssl.create_default_context() on modernssl.
     sslcontext = SSLContext(settings['protocol'])
 
-    # SSLv2 and SSLv3 are broken. We ban them outright.
-    # This is a no-op on old Python.
-    sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
+    # This is a no-op unless using modern ssl.
+    sslcontext.options |= settings['ctxoptions']
 
     # This still works on our fake SSLContext.
     sslcontext.verify_mode = settings['verifymode']
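Review bot: The WARNING above `s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3` says the flags are inert without the modern ssl module, but not what keeps SSLv2/SSLv3 off the wire in that case; if the `else:` branch just above is the legacy-ssl path, it is the forced `ssl.PROTOCOL_TLSv1` there that excludes them, and the comment should say so, e.g. `# On legacy ssl these flags are no-ops; SSLv2/SSLv3 are excluded there only because PROTOCOL_TLSv1 is forced above.` Without that link, a later change to the fallback protocol (say, to PROTOCOL_SSLv23 for TLS 1.1/1.2) would silently re-enable SSLv3 on old Pythons while this line still reads as an outright ban. If the module's compatibility shim also exposes `OP_NO_COMPRESSION`, it belongs in this same mask (TLS compression is the CRIME vector), but whether that name is defined is not visible in the hunk. The enclosing `_hostsettings` function starts and ends outside the hunk.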
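Review bot: The replacement comment on `sslcontext.options |= settings['ctxoptions']` drops the one fact the old comment carried, namely that the mask is what bans SSLv2/SSLv3, so a reader of this function now has no idea which flags are being applied or where they come from; suggest `# Apply the ssl.OP_* mask from _hostsettings (currently OP_NO_SSLv2 | OP_NO_SSLv3). No-op on the fake SSLContext used with legacy ssl.` The security concern behind the wording is that the fake SSLContext mentioned two lines down accepts the write without complaint, so any flag later added to `ctxoptions` that legacy `ssl` cannot honor would look applied while the socket is wrapped without it; if the OP_NO_* shims are zero where the real constants are missing, an explicit check that a non-zero mask is only requested when a real SSLContext is in use would turn that silent downgrade into a hard failure, but the shim definitions are not visible here to confirm. The enclosing function starts and ends outside the hunk.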