[PATCH 2 of 6 V2] sslutil: use create_default_context()
Yuya Nishihara
yuya at tcha.org
Thu Jul 14 09:36:51 EDT 2016
On Wed, 13 Jul 2016 00:18:08 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1468390821 25200
> # Tue Jul 12 23:20:21 2016 -0700
> # Node ID 8fc44e26c415d33b15ed9ba9dd1e29522eafb251
> # Parent 2f6559dcc8b8036aaafe6c679913efff8f25455a
> sslutil: use create_default_context()
>
> ssl.create_default_context() creates a SSLContext with reasonable
> default options. In addition to what we were doing before, it
> disables compression to prevent CRIME and sets a reasonable default
> cipher list, which Python distributions should keep up to date to
> something reasonably secure.
>
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -259,18 +259,24 @@ def wrapsocket(sock, keyfile, certfile,
> server (and client) support SNI, this tells the server which certificate
> to use.
> """
> if not serverhostname:
> raise error.Abort(_('serverhostname argument is required'))
>
> settings = _hostsettings(ui, serverhostname)
>
> - # TODO use ssl.create_default_context() on modernssl.
> - sslcontext = SSLContext(settings['protocol'])
> + if modernssl:
> + assert settings['protocol'] == ssl.PROTOCOL_SSLv23
> + sslcontext = ssl.create_default_context()
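Review bot: the `assert settings['protocol'] == ssl.PROTOCOL_SSLv23` guard is a debug-only check that is stripped under `python -O`; if a protocol other than SSLv23 reaching the `modernssl` branch is a real misconfiguration, raise `error.Abort` with a message instead, or drop the assert and pass the protocol explicitly. It is also worth saying in the commit message or a comment that, unlike the replaced `SSLContext(settings['protocol'])`, `ssl.create_default_context()` returns a context with `verify_mode=CERT_REQUIRED`, `check_hostname=True` and the platform CA store already loaded, so the code later in `wrapsocket` that applies `web.cacerts` and the configured verification mode (not quoted here) must explicitly override those settings rather than assume it is starting from a blank context.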
create_default_context() loads CA certificates from the system store, which
means you can no longer replace the system CA certs by web.cacerts.
https://docs.python.org/2.7/library/ssl.html#ssl.create_default_context
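The following Python 3 snippet is an added illustration of the point raised above, not code from the patch or from Mercurial: ssl.create_default_context() calls load_default_certs() and pulls in the platform CA store unless a cafile/capath is handed to it at construction time, in which case only the given certificates are trusted. The names client_context, context_summary and the cacerts parameter are hypothetical; the empty capath directory is constructed so the demo runs offline.

```python
import os
import ssl
import tempfile


def client_context(cacerts=None):
    """Build a client-side SSLContext around create_default_context().

    cacerts (hypothetical name) is a PEM bundle path or a hashed CA
    directory, standing in for a web.cacerts-style override.  Supplying
    it at construction time is what skips load_default_certs(); loading
    it afterwards with load_verify_locations() would only add to the
    system store already present in the context.
    """
    if cacerts is None:
        return ssl.create_default_context()
    if os.path.isdir(cacerts):
        return ssl.create_default_context(capath=cacerts)
    return ssl.create_default_context(cafile=cacerts)


def context_summary(ctx):
    """Return the verification-relevant settings of a context."""
    return {
        # the commit message's claim: compression disabled (CRIME mitigation)
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        # create_default_context() also turns verification on, which a bare
        # SSLContext(protocol) as used before the patch did not
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        # number of trusted CA certificates currently in the store
        "trusted_certs": ctx.cert_store_stats()["x509"],
    }


def demo_store_isolation():
    """Compare the default context with one given an empty capath.

    The override context trusts nothing (store count 0), showing the
    system store was never loaded; the default context trusts whatever
    the platform store holds.
    """
    with tempfile.TemporaryDirectory() as capath:  # constructed, empty
        override = context_summary(client_context(capath))
    default = context_summary(client_context())
    return default, override


if __name__ == "__main__":
    for name, summary in zip(("default", "override"), demo_store_isolation()):
        print(name, summary)
```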