[PATCH] https: support tls sni (server name indication) for https urls (issue3090)

Antoine Pitrou solipsis at pitrou.net
Tue Jan 13 11:36:22 CST 2015


On Tue, 13 Jan 2015 10:09:14 -0700
Alex Orange <crazycasta at gmail.com> wrote:
> Could you expand a little more on why create_default_context would be
> any better? I'm looking to make a minimal change to the existing code,
> which it looks like create_default_context would not be (having to
> determine purpose for instance). Also, it sounds like the default
> protocol version (PROTOCOL_SSLv23) is lower than what we want anyways.

create_default_context() sets up-to-date security settings for ciphers
and the like, so you don't have to choose them yourself. Going forward,
it should be the preferred API to create client contexts, unless you
have very special needs.

As for PROTOCOL_SSLv23, it is a misunderstanding (or a misnaming :-)):
PROTOCOL_SSLv23 will actually allow TLS 1.1 and 1.2, while
PROTOCOL_TLSv1 doesn't.

As for the purpose, it is documented:

 Purpose.SERVER_AUTH

    Option for create_default_context() and
    SSLContext.load_default_certs(). This value indicates that the
    context may be used to authenticate Web servers (therefore, it will
    be used to create client-side sockets).

Regards

Antoine.
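An added example, not code from the patch or from Mercurial, showing the client context Antoine describes (create_default_context() with Purpose.SERVER_AUTH), what it turns on, why the PROTOCOL_SSLv23 name is misleading, and where server_hostname= supplies the SNI name; the host example.org is a placeholder.

```python
# Added example (not part of the patch or of Mercurial): a client-side
# HTTPS context built the way the reply suggests, plus the SNI handshake.
import socket
import ssl
import warnings


def make_client_context(cafile=None):
    """Client context with up-to-date defaults: certificate verification
    required, hostname checking on, SSLv2/SSLv3 disabled, sane ciphers."""
    # Purpose.SERVER_AUTH means "this context authenticates web servers",
    # i.e. it is the client side of the connection.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def describe(ctx):
    """Security-relevant settings of a context, for inspection/assertions."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # Either the legacy OP_NO_SSLv3 flag or a TLS-only floor
        # means SSLv3 can never be negotiated.
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3)
        or ctx.minimum_version >= ssl.TLSVersion.TLSv1,
    }


def legacy_constant_is_tls():
    """PROTOCOL_SSLv23 is the auto-negotiating 'TLS' constant (it allows
    TLS 1.1/1.2), not an SSL 2/3 pin; both names are deprecated aliases."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return getattr(ssl, "PROTOCOL_SSLv23", None) == ssl.PROTOCOL_TLS


def open_https(host, port=443, ctx=None, timeout=10):
    """Connect and send the SNI extension; returns the wrapped socket.

    server_hostname= is what puts the name in the ClientHello (SNI) and,
    with check_hostname=True, what the peer certificate is matched against.
    Omitting it makes the handshake fail on such a context.
    """
    ctx = ctx or make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except BaseException:
        raw.close()
        raise


if __name__ == "__main__":
    print(describe(make_client_context()), legacy_constant_is_tls())
    with open_https("example.org") as tls:  # placeholder host; needs network
        print(tls.version(), tls.getpeercert()["subject"])
```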
