[PATCH 05 of 11 V4] sslutil: implement wrapserversocket()

Gregory Szorc gregory.szorc at gmail.com
Fri Jul 15 13:07:47 EDT 2016


On Fri, Jul 15, 2016 at 10:01 AM, Gregory Szorc <gregory.szorc at gmail.com>
wrote:

> On Fri, Jul 15, 2016 at 6:09 AM, Yuya Nishihara <yuya at tcha.org> wrote:
>
>> On Thu, 14 Jul 2016 21:09:06 -0700, Gregory Szorc wrote:
>> > # HG changeset patch
>> > # User Gregory Szorc <gregory.szorc at gmail.com>
>> > # Date 1468552459 25200
>> > #      Thu Jul 14 20:14:19 2016 -0700
>> > # Node ID e0c8977678cca5a1ceb8174ecd347810482f6656
>> > # Parent  99d9188b9d45039a06c65fa7dda36a12d08369c2
>> > sslutil: implement wrapserversocket()
>> >
>> > wrapsocket() is heavily tailored towards client use. In preparation
>> > for converting the built-in server to use sslutil (as opposed to
>> > the ssl module directly), we add wrapserversocket() for wrapping
>> > a socket to be used on servers.
>> >
>> > Again, we can't use ssl.create_default_context() because of CA control
>> > concerns. So we basically implement it inline.
>>
>> I think create_default_context() can be used here because the purpose is
>> CLIENT_AUTH, which doesn't set CERT_REQUIRED, and the system CA certs are
>> not loaded automatically.
>>
>
> You are correct: create_default_context() is usable for server sockets.
> I'll send a V5 series.
>

... except in a subsequent patch where we need to configure an explicit
protocol version we can't use create_default_context(). At that point we
have 3 code paths for creating the context - 2 for modern ssl and 1 for
legacy. I'm tempted to leave this implementation for now and follow-up to
use create_default_context(). But I can tweak the comment. So I'll still
send a V5.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.mercurial-scm.org/pipermail/mercurial-devel/attachments/20160715/8e033839/attachment.html>


More information about the Mercurial-devel mailing list