upstream/mercurial-mirror Commit - r29508:d65ec41b

130

'protocol': None,

130

'protocol': None,

131

# ssl.CERT_* constant used by SSLContext.verify_mode.

131

# ssl.CERT_* constant used by SSLContext.verify_mode.

132

'verifymode': None,

132

'verifymode': None,

133

# Defines extra ssl.OP* bitwise options to set.

134

'ctxoptions': None,

133

}

135

}

134

136

135

# Despite its name, PROTOCOL_SSLv23 selects the highest protocol

137

# Despite its name, PROTOCOL_SSLv23 selects the highest protocol

148

else:

150

else:

149

s['protocol'] = ssl.PROTOCOL_TLSv1

151

s['protocol'] = ssl.PROTOCOL_TLSv1

150

152

153

# SSLv2 and SSLv3 are broken. We ban them outright.

154

# WARNING: ctxoptions doesn't have an effect unless the modern ssl module

155

# is available. Be careful when adding flags!

156

s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3

157

151

# Look for fingerprints in [hostsecurity] section. Value is a list

158

# Look for fingerprints in [hostsecurity] section. Value is a list

152

# of <alg>:<fingerprint> strings.

159

# of <alg>:<fingerprint> strings.

153

fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,

160

fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,

234

s['verifymode'] = ssl.CERT_NONE

241

s['verifymode'] = ssl.CERT_NONE

235

242

236

assert s['protocol'] is not None

243

assert s['protocol'] is not None

244

assert s['ctxoptions'] is not None

237

assert s['verifymode'] is not None

245

assert s['verifymode'] is not None

238

246

239

return s

247

return s

259

# TODO use ssl.create_default_context() on modernssl.

267

# TODO use ssl.create_default_context() on modernssl.

260

sslcontext = SSLContext(settings['protocol'])

268

sslcontext = SSLContext(settings['protocol'])

261

269

262

# SSLv2 and SSLv3 are broken. We ban them outright.

270

# This is a no-op unless using modern ssl.

263

# This is a no-op on old Python.

271

sslcontext.options |= settings['ctxoptions']

264

sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3

265

272

266

# This still works on our fake SSLContext.

273

# This still works on our fake SSLContext.

267

sslcontext.verify_mode = settings['verifymode']

274

sslcontext.verify_mode = settings['verifymode']

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

                     'protocol': None,
                     # ssl.CERT_* constant used by SSLContext.verify_mode.
                     'verifymode': None,
+                    # Defines extra ssl.OP* bitwise options to set.
+                    'ctxoptions': None,
                 }
                 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
                 else:
                     s['protocol'] = ssl.PROTOCOL_TLSv1
+                # SSLv2 and SSLv3 are broken. We ban them outright.
+                # WARNING: ctxoptions doesn't have an effect unless the modern ssl module
+                # is available. Be careful when adding flags!
+                s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
                 # Look for fingerprints in [hostsecurity] section. Value is a list
                 # of <alg>:<fingerprint> strings.
                 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
                         s['verifymode'] = ssl.CERT_NONE
                 assert s['protocol'] is not None
+                assert s['ctxoptions'] is not None
                 assert s['verifymode'] is not None
                 return s
                 # TODO use ssl.create_default_context() on modernssl.
                 sslcontext = SSLContext(settings['protocol'])
-                # SSLv2 and SSLv3 are broken. We ban them outright.
+                # This is a no-op unless using modern ssl.
-                # This is a no-op on old Python.
+                sslcontext.options |= settings['ctxoptions']
-                sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
                 # This still works on our fake SSLContext.
                 sslcontext.verify_mode = settings['verifymode']