[PATCH 3 of 5] sslutil: move and document verify_mode assignment

[Gregory Szorc]

# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1460311185 25200
#      Sun Apr 10 10:59:45 2016 -0700
# Node ID a0c629f58c3ed8acfa008a12415c172f315c70d3
# Parent  0e44249b53aea25d2c85693790653ea3d7a21391
sslutil: move and document verify_mode assignment

Consolidating all the SSLContext options setting makes the code a
bit easier to read.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -139,22 +139,25 @@ def wrapsocket(sock, keyfile, certfile, 
         protocol = ssl.PROTOCOL_TLSv1
 
     # TODO use ssl.create_default_context() on modernssl.
     sslcontext = SSLContext(protocol)
 
     # This is a no-op on old Python.
     sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
 
+    # This still works on our fake SSLContext.
+    sslcontext.verify_mode = cert_reqs
+
     if certfile is not None:
         def password():
             f = keyfile or certfile
             return ui.getpass(_('passphrase for %s: ') % f, '')
         sslcontext.load_cert_chain(certfile, keyfile, password)
-    sslcontext.verify_mode = cert_reqs
+
     if ca_certs is not None:
         sslcontext.load_verify_locations(cafile=ca_certs)
     else:
         # This is a no-op on old Python.
         sslcontext.load_default_certs()
 
     sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
     # check if wrap_socket failed silently because socket had been