# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 2016-04-10 17:59:45
# Node ID e330db205b20ff811d3efc088f4aa67cba23eca7
# Parent  3e576fe6671563e70b82ae43c21607c0eb73d627

sslutil: move and document verify_mode assignment

Consolidating all the SSLContext options setting makes the code a
bit easier to read.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -144,12 +144,15 @@ def wrapsocket(sock, keyfile, certfile, 
     # This is a no-op on old Python.
     sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
 
+    # This still works on our fake SSLContext.
+    sslcontext.verify_mode = cert_reqs
+
     if certfile is not None:
         def password():
             f = keyfile or certfile
             return ui.getpass(_('passphrase for %s: ') % f, '')
         sslcontext.load_cert_chain(certfile, keyfile, password)
-    sslcontext.verify_mode = cert_reqs
+
     if ca_certs is not None:
         sslcontext.load_verify_locations(cafile=ca_certs)
     else: