[PATCH 2 of 7] sslutil: store OP_NO_SSL* constants in module scope
Gregory Szorc
gregory.szorc at gmail.com
Mon Mar 28 00:28:31 EDT 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1459100844 25200
# Sun Mar 27 10:47:24 2016 -0700
# Node ID 29af463b9e5e61d0609587c37b5059ecb80a4f85
# Parent df8f913a95870ed5262e96d8bd68221bf7aef3cd
sslutil: store OP_NO_SSL* constants in module scope
An upcoming patch will introduce a global SSLContext type so we
have a single function used to wrap sockets. Prepare for that by
introducing module level constants for disabling SSLv2 and SSLv3.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -24,16 +24,23 @@ from . import (
# all exposed via the "ssl" module.
#
# Depending on the version of Python being used, SSL/TLS support is either
# modern/secure or legacy/insecure. Many operations in this module have
# separate code paths depending on support in Python.
hassni = getattr(ssl, 'HAS_SNI', False)
+try:
+ OP_NO_SSLv2 = ssl.OP_NO_SSLv2
+ OP_NO_SSLv3 = ssl.OP_NO_SSLv3
+except AttributeError:
+ OP_NO_SSLv2 = 0x1000000
+ OP_NO_SSLv3 = 0x2000000
+
_canloaddefaultcerts = False
try:
# ssl.SSLContext was added in 2.7.9 and presence indicates modern
# SSL/TLS features are available.
ssl_context = ssl.SSLContext
_canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
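Review bot: The fallback values `OP_NO_SSLv2 = 0x1000000` and `OP_NO_SSLv3 = 0x2000000` in the `except AttributeError:` branch are undocumented magic numbers; a reader cannot tell that they mirror OpenSSL's SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 option bits, nor why a fallback is needed at all. I would put a comment above the `try:` such as `# OpenSSL's SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 option bits, hard-coded for Pythons whose ssl module does not export them.` so the next person does not have to look the values up. The constants are only applied in the second hunk via `sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3`, i.e. on the SSLContext path; presumably the Pythons that reach the fallback are the ones without SSLContext, so it may be worth stating in the comment whether the fallback values are expected to have any effect on the legacy path (that path is outside this patch, so I cannot confirm).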
@@ -43,17 +50,17 @@ try:
# newer standards (like TLSv1_2), so this is the right way
# to do this. Note that in the future it'd be better to
# support using ssl.create_default_context(), which sets
# up a bunch of things in smart ways (strong ciphers,
# protocol versions, etc) and is upgraded by Python
# maintainers for us, but that breaks too many things to
# do it in a hurry.
sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+ sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
if certfile is not None:
def password():
f = keyfile or certfile
return ui.getpass(_('passphrase for %s: ') % f, '')
sslcontext.load_cert_chain(certfile, keyfile, password)
sslcontext.verify_mode = cert_reqs
if ca_certs is not None:
sslcontext.load_verify_locations(cafile=ca_certs)