[PATCH 3 of 5] sslutil: move comment about protocol constants
Gregory Szorc
gregory.szorc at gmail.com
Sun Jul 17 14:28:26 EDT 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1468778588 25200
# Sun Jul 17 11:03:08 2016 -0700
# Node ID 418f9f9b31c31e53bd233047be49e3993ceccfc1
# Parent 2ab6b647fc1e4ee3cb5960ec9411a4f5d76c6693
sslutil: move comment about protocol constants
protocolsettings() is the appropriate place for this comment.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -134,28 +134,16 @@ def _hostsettings(ui, hostname):
# ssl.CERT_* constant used by SSLContext.verify_mode.
'verifymode': None,
# Defines extra ssl.OP* bitwise options to set.
'ctxoptions': None,
# OpenSSL Cipher List to use (instead of default).
'ciphers': None,
}
- # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
- # that both ends support, including TLS protocols. On legacy stacks,
- # the highest it likely goes is TLS 1.0. On modern stacks, it can
- # support TLS 1.2.
- #
- # The PROTOCOL_TLSv* constants select a specific TLS version
- # only (as opposed to multiple versions). So the method for
- # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
- # disable protocols via SSLContext.options and OP_NO_* constants.
- # However, SSLContext.options doesn't work unless we have the
- # full/real SSLContext available to us.
-
# Allow minimum TLS protocol to be specified in the config.
def validateprotocol(protocol, key):
if protocol not in configprotocols:
raise error.Abort(
_('unsupported protocol from hostsecurity.%s: %s') %
(key, protocol),
hint=_('valid protocols: %s') %
' '.join(sorted(configprotocols)))
@@ -284,20 +272,27 @@ def _hostsettings(ui, hostname):
return s
def protocolsettings(protocol):
"""Resolve the protocol and context options for a config value."""
if protocol not in configprotocols:
raise ValueError('protocol value not supported: %s' % protocol)
- # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use
- # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However,
- # SSLContext.options doesn't work in our implementation since we use
- # a fake SSLContext on these Python versions.
+ # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
+ # that both ends support, including TLS protocols. On legacy stacks,
+ # the highest it likely goes is TLS 1.0. On modern stacks, it can
+ # support TLS 1.2.
+ #
+ # The PROTOCOL_TLSv* constants select a specific TLS version
+ # only (as opposed to multiple versions). So the method for
+ # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
+ # disable protocols via SSLContext.options and OP_NO_* constants.
+ # However, SSLContext.options doesn't work unless we have the
+ # full/real SSLContext available to us.
if not modernssl:
if protocol != 'tls1.0':
raise error.Abort(_('current Python does not support protocol '
'setting %s') % protocol,
hint=_('upgrade Python or disable setting since '
'only TLS 1.0 is supported'))
return ssl.PROTOCOL_TLSv1, 0
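Review bot: The moved comment (new lines above `if not modernssl:`) drops the one concrete fact the replaced comment carried: that the `SSLContext.options` dance exists to switch off SSLv2 and SSLv3, which PROTOCOL_SSLv23 would otherwise still negotiate. "disable protocols via SSLContext.options and OP_NO_* constants" does not say which protocols, so a reader of protocolsettings() no longer learns why the fallback to `ssl.PROTOCOL_TLSv1` on the legacy path is a deliberate narrowing rather than a loss. I would append one sentence after the "full/real SSLContext" line: `# In practice that means OP_NO_SSLv2 and OP_NO_SSLv3, which PROTOCOL_SSLv23 leaves enabled by default.` The modernssl branch that applies those options lies outside this hunk, so protocolsettings() continues past its last line.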