# HG changeset patch
# User Gregory Szorc
# Date 2016-07-07 05:53:22
# Node ID d65ec41b63840159c1cc73007bc7da4ea5ea6fec
# Parent 97dcdcf75f4f863709a42950456fc57982fd3a7b
sslutil: move context options flags to _hostsettings

Again, moving configuration determination to a single location.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -130,6 +130,8 @@ def _hostsettings(ui, hostname):
         'protocol': None,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         'verifymode': None,
+        # Defines extra ssl.OP* bitwise options to set.
+        'ctxoptions': None,
     }
 
     # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
@@ -148,6 +150,11 @@ def _hostsettings(ui, hostname):
     else:
         s['protocol'] = ssl.PROTOCOL_TLSv1
 
+    # SSLv2 and SSLv3 are broken. We ban them outright.
+    # WARNING: ctxoptions doesn't have an effect unless the modern ssl module
+    # is available. Be careful when adding flags!
+    s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
+
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of : strings.
     fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
@@ -234,6 +241,7 @@ def _hostsettings(ui, hostname):
         s['verifymode'] = ssl.CERT_NONE
 
     assert s['protocol'] is not None
+    assert s['ctxoptions'] is not None
     assert s['verifymode'] is not None
 
     return s
@@ -259,9 +267,8 @@ def wrapsocket(sock, keyfile, certfile,
     # TODO use ssl.create_default_context() on modernssl.
     sslcontext = SSLContext(settings['protocol'])
 
-    # SSLv2 and SSLv3 are broken. We ban them outright.
-    # This is a no-op on old Python.
-    sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
+    # This is a no-op unless using modern ssl.
+    sslcontext.options |= settings['ctxoptions']
 
     # This still works on our fake SSLContext.
     sslcontext.verify_mode = settings['verifymode']
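Review bot: The SSLv2/SSLv3 ban recorded in `s['ctxoptions']` is, by the hunk's own WARNING, not enforced when the modern ssl module is unavailable, yet nothing in the returned settings lets a caller tell the enforced case from the silent no-op. Now that `_hostsettings` is the single place where this policy is decided, the key's description in the first hunk should say so, e.g. `# Extra ssl.OP_* flags for SSLContext.options. Only honoured with modern ssl; the legacy SSLContext shim presumably ignores them, so treat this as best effort.`, and if the availability check lives in this function (not visible in the hunk) a `ui.warn` when the flags cannot be applied would make the downgrade observable. Where `OP_NO_SSLv2` and `OP_NO_SSLv3` are defined is outside the hunk, and the body of `_hostsettings` continues beyond it.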
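Review bot: The replacement comment in the wrapsocket hunk keeps only the caveat and drops the purpose: `# This is a no-op unless using modern ssl.` says when the line does nothing but not what it applies otherwise, which the removed lines used to explain. Suggest `# Apply the ssl.OP_* flags chosen in _hostsettings (currently the SSLv2/SSLv3 ban); a no-op on the fake SSLContext used without modern ssl.` so a reader of wrapsocket need not chase the setting back to its origin. wrapsocket's signature and the rest of its body lie outside the hunk.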