[PATCH 2 of 6 V2] sslutil: use create_default_context()

Gregory Szorc gregory.szorc at gmail.com
Wed Jul 13 03:18:08 EDT 2016


# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1468390821 25200
#      Tue Jul 12 23:20:21 2016 -0700
# Node ID 8fc44e26c415d33b15ed9ba9dd1e29522eafb251
# Parent  2f6559dcc8b8036aaafe6c679913efff8f25455a
sslutil: use create_default_context()

ssl.create_default_context() creates an SSLContext with reasonable
default options. In addition to what we were doing before, it
disables compression to prevent CRIME and sets a reasonable default
cipher list, which Python distributions should keep up to date to
something reasonably secure.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -259,18 +259,24 @@ def wrapsocket(sock, keyfile, certfile, 
       server (and client) support SNI, this tells the server which certificate
       to use.
     """
     if not serverhostname:
         raise error.Abort(_('serverhostname argument is required'))
 
     settings = _hostsettings(ui, serverhostname)
 
-    # TODO use ssl.create_default_context() on modernssl.
-    sslcontext = SSLContext(settings['protocol'])
+    if modernssl:
+        assert settings['protocol'] == ssl.PROTOCOL_SSLv23
+        sslcontext = ssl.create_default_context()
+        sslcontext.protocol = settings['protocol']
+        # We have our own hostname verification code.
+        sslcontext.check_hostname = False
+    else:
+        sslcontext = SSLContext(settings['protocol'])
 
     # This is a no-op unless using modern ssl.
     sslcontext.options |= settings['ctxoptions']
 
     # This still works on our fake SSLContext.
     sslcontext.verify_mode = settings['verifymode']
 
     if certfile is not None:
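Review bot: The assignment `sslcontext.protocol = settings['protocol']` in the `if modernssl:` branch should be dropped: `SSLContext.protocol` is documented as a read-only attribute, so this line raises `AttributeError` on CPython, and the preceding `assert settings['protocol'] == ssl.PROTOCOL_SSLv23` already guarantees the context created by `ssl.create_default_context()` (which uses `PROTOCOL_SSLv23`) has the protocol the settings ask for. Separately, `ssl.create_default_context()` called with no `cafile`/`capath`/`cadata` invokes `load_default_certs()` when the verify mode is not `CERT_NONE`, so the system CA store is trusted before the caller's own CA configuration is applied further down; if the intent is to let the user's CA bundle be authoritative (e.g. a bundle with a specific CA removed), either pass the configured CA locations into `create_default_context()` or keep constructing `SSLContext(settings['protocol'])` and apply the compression and cipher settings explicitly, and say in the commit message which trust behaviour is intended.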


More information about the Mercurial-devel mailing list