[PATCH 4 of 5] sslutil: more robustly detect protocol support
Yuya Nishihara
yuya at tcha.org
Mon Jul 18 05:42:27 EDT 2016
On Sun, 17 Jul 2016 11:28:27 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1468779391 25200
> # Sun Jul 17 11:16:31 2016 -0700
> # Node ID 306645544688957bf8729e1b03301e5240b0b8ed
> # Parent 418f9f9b31c31e53bd233047be49e3993ceccfc1
> sslutil: more robustly detect protocol support
Queued 1-3 and 5, thanks.
> +# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
> +# against don't support them.
> +supportedprotocols = set(['tls1.0'])
> +if getattr(ssl, 'PROTOCOL_TLSv1_1', 0):
> + supportedprotocols.add('tls1.1')
> +if getattr(ssl, 'PROTOCOL_TLSv1_2', 0):
> + supportedprotocols.add('tls1.2')
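Review bot: the `getattr(ssl, 'PROTOCOL_TLSv1_1', 0)` and `getattr(ssl, 'PROTOCOL_TLSv1_2', 0)` tests in this hunk conflate "attribute absent" with "attribute equal to 0"; PROTOCOL_* values are opaque integers assigned by the ssl module, not bit flags, so a constant that happens to be 0 would make the module look like it lacks that protocol and the abort added later in the patch would fire wrongly. A presence test such as `util.safehasattr(ssl, 'PROTOCOL_TLSv1_1')` expresses the intent. The comment above the set would also read better as `# TLS 1.1 and 1.2 may not be supported if the OpenSSL that Python is compiled against doesn't support them.`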
I might be too strict, but PROTOCOL_* constants aren't bit flags, so 0 is a
valid value. Can we use safehasattr() instead?
> - if not modernssl:
> + if supportedprotocols == set(['tls1.0']):
> if protocol != 'tls1.0':
> raise error.Abort(_('current Python does not support protocol '
> 'setting %s') % protocol,
> hint=_('upgrade Python or disable setting since '
> 'only TLS 1.0 is supported'))
>
> return ssl.PROTOCOL_TLSv1, 0
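Review bot: the replacement guard `if supportedprotocols == set(['tls1.0']):` only aborts when the module is purely legacy; a request for `'tls1.2'` on a build that exposes PROTOCOL_TLSv1_1 but not PROTOCOL_TLSv1_2 passes this check even though the requested protocol is not in the set. Testing membership directly, `if protocol not in supportedprotocols:`, covers both the legacy and the partial-support case, and the hint can then list `sorted(supportedprotocols)` instead of hard-coding "only TLS 1.0 is supported".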
Confirmed that the legacy ssl module doesn't support tls1.1+. If it did, SSL2 and 3
would be enabled since options were a no-op.
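The presence-versus-truthiness point raised above, as an added example that is not part of the patch or of Mercurial's sslutil: plain `hasattr()` stands in for Mercurial's `util.safehasattr()`, the names `detectprotocols`, `detectprotocols_truthy`, `protocolsettings` and `fakesslmodule` are this example's own, and the fake modules built in the usage call are constructed to show how a PROTOCOL_* constant equal to 0 is misread by the `getattr(..., 0)` form.

```python
import ssl
import types

# Protocol names used in Mercurial's [hostsecurity] settings, mapped to the
# ssl module attribute that must exist for that protocol to be selectable.
_PROTOCOL_ATTRS = {
    'tls1.0': 'PROTOCOL_TLSv1',
    'tls1.1': 'PROTOCOL_TLSv1_1',
    'tls1.2': 'PROTOCOL_TLSv1_2',
}


def fakesslmodule(**attrs):
    """Constructed stand-in for the ssl module, used only for demonstration."""
    return types.SimpleNamespace(**attrs)


def detectprotocols(sslmod=ssl):
    """Return the set of protocol names the given ssl module can select.

    Presence is tested with hasattr(): PROTOCOL_* constants are plain
    integers chosen by the underlying library, not bit flags, so a value
    of 0 is legitimate and must not be read as "missing".
    """
    supported = set(['tls1.0'])  # assumed available everywhere, as in the patch
    for name in ('tls1.1', 'tls1.2'):
        if hasattr(sslmod, _PROTOCOL_ATTRS[name]):
            supported.add(name)
    return supported


def detectprotocols_truthy(sslmod=ssl):
    """The getattr(..., 0) pattern from the patch, kept here for comparison:
    a constant whose value is 0 is silently treated as absent."""
    supported = set(['tls1.0'])
    if getattr(sslmod, 'PROTOCOL_TLSv1_1', 0):
        supported.add('tls1.1')
    if getattr(sslmod, 'PROTOCOL_TLSv1_2', 0):
        supported.add('tls1.2')
    return supported


def protocolsettings(protocol, sslmod=ssl):
    """Validate a requested protocol against the detected set and return the
    matching PROTOCOL_* constant.

    Membership is checked directly rather than comparing the set against
    {'tls1.0'}, so a build with TLS 1.1 but no TLS 1.2 rejects 'tls1.2'
    just as a legacy module does.
    """
    supported = detectprotocols(sslmod)
    if protocol not in supported:
        raise ValueError('current Python does not support protocol setting %s '
                         '(supported: %s)'
                         % (protocol, ', '.join(sorted(supported))))
    return getattr(sslmod, _PROTOCOL_ATTRS[protocol])


if __name__ == '__main__':
    # Constructed module whose TLS 1.1 constant happens to be 0.
    zero = fakesslmodule(PROTOCOL_TLSv1=3, PROTOCOL_TLSv1_1=0)
    print('hasattr form :', sorted(detectprotocols(zero)))
    print('getattr form :', sorted(detectprotocols_truthy(zero)))
    # Constructed legacy module exposing only TLS 1.0.
    legacy = fakesslmodule(PROTOCOL_TLSv1=3)
    try:
        protocolsettings('tls1.2', legacy)
    except ValueError as e:
        print('legacy module:', e)
    print('this Python  :', sorted(detectprotocols()))
```

Running the block against the two constructed modules shows the divergence directly: the `hasattr` form reports TLS 1.1 on the module whose constant is 0, the `getattr(..., 0)` form does not, and the membership test in `protocolsettings` produces the abort for any unsupported protocol without special-casing the legacy set.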