[PATCH 3 of 5] sslutil: move comment about protocol constants

Gregory Szorc gregory.szorc at gmail.com
Sun Jul 17 14:28:26 EDT 2016


# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1468778588 25200
#      Sun Jul 17 11:03:08 2016 -0700
# Node ID 418f9f9b31c31e53bd233047be49e3993ceccfc1
# Parent  2ab6b647fc1e4ee3cb5960ec9411a4f5d76c6693
sslutil: move comment about protocol constants

protocolsettings() is the appropriate place for this comment.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -134,28 +134,16 @@ def _hostsettings(ui, hostname):
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         'verifymode': None,
         # Defines extra ssl.OP* bitwise options to set.
         'ctxoptions': None,
         # OpenSSL Cipher List to use (instead of default).
         'ciphers': None,
     }
 
-    # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
-    # that both ends support, including TLS protocols. On legacy stacks,
-    # the highest it likely goes is TLS 1.0. On modern stacks, it can
-    # support TLS 1.2.
-    #
-    # The PROTOCOL_TLSv* constants select a specific TLS version
-    # only (as opposed to multiple versions). So the method for
-    # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
-    # disable protocols via SSLContext.options and OP_NO_* constants.
-    # However, SSLContext.options doesn't work unless we have the
-    # full/real SSLContext available to us.
-
     # Allow minimum TLS protocol to be specified in the config.
     def validateprotocol(protocol, key):
         if protocol not in configprotocols:
             raise error.Abort(
                 _('unsupported protocol from hostsecurity.%s: %s') %
                 (key, protocol),
                 hint=_('valid protocols: %s') %
                      ' '.join(sorted(configprotocols)))
@@ -284,20 +272,27 @@ def _hostsettings(ui, hostname):
 
     return s
 
 def protocolsettings(protocol):
     """Resolve the protocol and context options for a config value."""
     if protocol not in configprotocols:
         raise ValueError('protocol value not supported: %s' % protocol)
 
-    # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use
-    # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However,
-    # SSLContext.options doesn't work in our implementation since we use
-    # a fake SSLContext on these Python versions.
+    # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
+    # that both ends support, including TLS protocols. On legacy stacks,
+    # the highest it likely goes is TLS 1.0. On modern stacks, it can
+    # support TLS 1.2.
+    #
+    # The PROTOCOL_TLSv* constants select a specific TLS version
+    # only (as opposed to multiple versions). So the method for
+    # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
+    # disable protocols via SSLContext.options and OP_NO_* constants.
+    # However, SSLContext.options doesn't work unless we have the
+    # full/real SSLContext available to us.
     if not modernssl:
         if protocol != 'tls1.0':
             raise error.Abort(_('current Python does not support protocol '
                                 'setting %s') % protocol,
                               hint=_('upgrade Python or disable setting since '
                                      'only TLS 1.0 is supported'))
 
         return ssl.PROTOCOL_TLSv1, 0
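Review bot: The moved comment now sits directly above the `if not modernssl:` branch, yet it explains the PROTOCOL_SSLv23 plus OP_NO_* approach while that branch does the opposite — it pins a single version with `return ssl.PROTOCOL_TLSv1, 0` and passes no context options. The dropped sentence "Legacy ssl module only supports up to TLS 1.0" was the one that explained this branch directly; without it a reader has to infer from the last paragraph why the legacy path returns `0` for options. Suggest keeping one line on the branch itself, e.g. `# Legacy stack has no real SSLContext, so pin TLS 1.0 via PROTOCOL_TLSv1 and pass no options.` It would also help to say there that this pins exactly TLS 1.0 rather than negotiating the highest mutually supported version, which is what the Abort hint below means by "only TLS 1.0 is supported". protocolsettings() continues past the end of the hunk, so the modern-stack branch the comment's first paragraph describes is not visible here.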

