@@ -126,10 +126,28 b' def _hostsettings(ui, hostname):' | |||
|
126 | 126 | 'disablecertverification': False, |
|
127 | 127 | # Whether the legacy [hostfingerprints] section has data for this host. |
|
128 | 128 | 'legacyfingerprint': False, |
|
129 | # PROTOCOL_* constant to use for SSLContext.__init__. | |
|
130 | 'protocol': None, | |
|
129 | 131 | # ssl.CERT_* constant used by SSLContext.verify_mode. |
|
130 | 132 | 'verifymode': None, |
|
131 | 133 | } |
|
132 | 134 | |
|
135 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | |
|
136 | # that both ends support, including TLS protocols. On legacy stacks, | |
|
137 | # the highest it likely goes in TLS 1.0. On modern stacks, it can | |
|
138 | # support TLS 1.2. | |
|
139 | # | |
|
140 | # The PROTOCOL_TLSv* constants select a specific TLS version | |
|
141 | # only (as opposed to multiple versions). So the method for | |
|
142 | # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and | |
|
143 | # disable protocols via SSLContext.options and OP_NO_* constants. | |
|
144 | # However, SSLContext.options doesn't work unless we have the | |
|
145 | # full/real SSLContext available to us. | |
|
146 | if modernssl: | |
|
147 | s['protocol'] = ssl.PROTOCOL_SSLv23 | |
|
148 | else: | |
|
149 | s['protocol'] = ssl.PROTOCOL_TLSv1 | |
|
150 | ||
|
133 | 151 | # Look for fingerprints in [hostsecurity] section. Value is a list |
|
134 | 152 | # of <alg>:<fingerprint> strings. |
|
135 | 153 | fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, |
@@ -215,6 +233,7 b' def _hostsettings(ui, hostname):' | |||
|
215 | 233 | # user). |
|
216 | 234 | s['verifymode'] = ssl.CERT_NONE |
|
217 | 235 | |
|
236 | assert s['protocol'] is not None | |
|
218 | 237 | assert s['verifymode'] is not None |
|
219 | 238 | |
|
220 | 239 | return s |
@@ -237,27 +256,10 b' def wrapsocket(sock, keyfile, certfile, ' | |||
|
237 | 256 | |
|
238 | 257 | settings = _hostsettings(ui, serverhostname) |
|
239 | 258 | |
|
240 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | |
|
241 | # that both ends support, including TLS protocols. On legacy stacks, | |
|
242 | # the highest it likely goes in TLS 1.0. On modern stacks, it can | |
|
243 | # support TLS 1.2. | |
|
244 | # | |
|
245 | # The PROTOCOL_TLSv* constants select a specific TLS version | |
|
246 | # only (as opposed to multiple versions). So the method for | |
|
247 | # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and | |
|
248 | # disable protocols via SSLContext.options and OP_NO_* constants. | |
|
249 | # However, SSLContext.options doesn't work unless we have the | |
|
250 | # full/real SSLContext available to us. | |
|
251 | # | |
|
259 | # TODO use ssl.create_default_context() on modernssl. | |
|
260 | sslcontext = SSLContext(settings['protocol']) | |
|
261 | ||
|
252 | 262 | # SSLv2 and SSLv3 are broken. We ban them outright. |
|
253 | if modernssl: | |
|
254 | protocol = ssl.PROTOCOL_SSLv23 | |
|
255 | else: | |
|
256 | protocol = ssl.PROTOCOL_TLSv1 | |
|
257 | ||
|
258 | # TODO use ssl.create_default_context() on modernssl. | |
|
259 | sslcontext = SSLContext(protocol) | |
|
260 | ||
|
261 | 263 | # This is a no-op on old Python. |
|
262 | 264 | sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3 |
|
263 | 265 |
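Review bot: The new `s['protocol']` selection in `_hostsettings` (first hunk, new lines 146–149) makes the settings dict look like the complete protocol policy, but with PROTOCOL_SSLv23 the exclusion of SSLv2/SSLv3 still depends on the `sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3` line in `wrapsocket`, which the third hunk's own context notes is a no-op on old Python; a reader of `_hostsettings` alone cannot see that coupling. I would extend the key's comment at new line 129 to `# PROTOCOL_* constant to use for SSLContext.__init__. PROTOCOL_SSLv23 is only safe because wrapsocket() masks SSLv2/SSLv3 via SSLContext.options; legacy stacks get PROTOCOL_TLSv1 since options are ignored there.` The moved comment at new line 137 also carries the typo "the highest it likely goes in TLS 1.0" (should read "is TLS 1.0"), which is worth fixing while it is being relocated. The `assert s['protocol'] is not None` at new line 236 is not a runtime guard under `-O`, but it matches the existing `verifymode` assertion, so that is a style observation only; the enclosing functions in all three hunks extend beyond the hunk boundaries.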