[PATCH 1 of 3] sslutil: use create_default_context()
Gregory Szorc
gregory.szorc at gmail.com
Tue Jul 12 22:32:25 UTC 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1468359157 25200
# Tue Jul 12 14:32:37 2016 -0700
# Node ID 7f26f442cd1db34d72e26a9125e5b4216a71f7f8
# Parent e5b4d79a9140c3d90e9b6aa22070351b73ef2d4c
sslutil: use create_default_context()
ssl.create_default_context() creates an SSLContext with reasonable
default options. In addition to what we were doing before, it
disables compression to prevent CRIME and sets a reasonable default
cipher list, which Python distributions should keep up to date with
something reasonably secure.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -259,18 +259,23 @@ def wrapsocket(sock, keyfile, certfile,
server (and client) support SNI, this tells the server which certificate
to use.
"""
if not serverhostname:
raise error.Abort(_('serverhostname argument is required'))
settings = _hostsettings(ui, serverhostname)
- # TODO use ssl.create_default_context() on modernssl.
- sslcontext = SSLContext(settings['protocol'])
+ if modernssl:
+ assert settings['protocol'] == ssl.PROTOCOL_SSLv23
+ sslcontext = ssl.create_default_context()
+ # We have our own hostname verification code.
+ sslcontext.check_hostname = False
+ else:
+ sslcontext = SSLContext(settings['protocol'])
# This is a no-op unless using modern ssl.
sslcontext.options |= settings['ctxoptions']
# This still works on our fake SSLContext.
sslcontext.verify_mode = settings['verifymode']
if certfile is not None: