upstream/mercurial-mirror Commit - r19806:47ff9d1a

sslutil: add a config knob to support TLS (default) or SSLv23 (bc) (issue4038)...

Augie Fackler -

r19806:47ff9d1a default

parent child

mercurial/sslutil.py

0 +19 -6

                 # avoid using deprecated/broken FakeSocket in python 2.6
                 import ssl
                 CERT_REQUIRED = ssl.CERT_REQUIRED
-                def ssl_wrap_socket(sock, keyfile, certfile,
+                PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
+                PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
+                def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
                             cert_reqs=ssl.CERT_NONE, ca_certs=None):
                     sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
-                            cert_reqs=cert_reqs, ca_certs=ca_certs)
+                                                cert_reqs=cert_reqs, ca_certs=ca_certs,
+                                                ssl_version=ssl_version)
                     # check if wrap_socket failed silently because socket had been closed
                     # - see http://bugs.python.org/issue13721
                     if not sslsocket.cipher():
             except ImportError:
                 CERT_REQUIRED = 2
+                PROTOCOL_SSLv23 = 2
+                PROTOCOL_TLSv1 = 3
                 import socket, httplib
-                def ssl_wrap_socket(sock, key_file, cert_file,
+                def ssl_wrap_socket(sock, key_file, cert_file, ssl_version=PROTOCOL_TLSv1,
                                     cert_reqs=CERT_REQUIRED, ca_certs=None):
                     if not util.safehasattr(socket, 'ssl'):
                         raise util.Abort(_('Python SSL support not found'))
             def sslkwargs(ui, host):
                 cacerts = ui.config('web', 'cacerts')
+                forcetls = ui.configbool('ui', 'tls', default=True)
+                if forcetls:
+                    ssl_version = PROTOCOL_TLSv1
+                else:
+                    ssl_version = PROTOCOL_SSLv23
                 hostfingerprint = ui.config('hostfingerprints', host)
+                kws = {'ssl_version': ssl_version,
+                       }
                 if cacerts and not hostfingerprint:
                     cacerts = util.expandpath(cacerts)
                     if not os.path.exists(cacerts):
                         raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
-                    return {'ca_certs': cacerts,
+                    kws.update({'ca_certs': cacerts,
                                 'cert_reqs': CERT_REQUIRED,
+                                })
-                return {}
+                return kws
             class validator(object):
                 def __init__(self, ui, host):

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages