@@ -130,6 +130,8 b' def _hostsettings(ui, hostname):' | |||||
130 | 'protocol': None, |
|
130 | 'protocol': None, | |
131 | # ssl.CERT_* constant used by SSLContext.verify_mode. |
|
131 | # ssl.CERT_* constant used by SSLContext.verify_mode. | |
132 | 'verifymode': None, |
|
132 | 'verifymode': None, | |
|
133 | # Defines extra ssl.OP* bitwise options to set. | |||
|
134 | 'ctxoptions': None, | |||
133 | } |
|
135 | } | |
134 |
|
136 | |||
135 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
|
137 | # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | |
@@ -148,6 +150,11 b' def _hostsettings(ui, hostname):' | |||||
148 | else: |
|
150 | else: | |
149 | s['protocol'] = ssl.PROTOCOL_TLSv1 |
|
151 | s['protocol'] = ssl.PROTOCOL_TLSv1 | |
150 |
|
152 | |||
|
153 | # SSLv2 and SSLv3 are broken. We ban them outright. | |||
|
154 | # WARNING: ctxoptions doesn't have an effect unless the modern ssl module | |||
|
155 | # is available. Be careful when adding flags! | |||
|
156 | s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3 | |||
|
157 | ||||
151 | # Look for fingerprints in [hostsecurity] section. Value is a list |
|
158 | # Look for fingerprints in [hostsecurity] section. Value is a list | |
152 | # of <alg>:<fingerprint> strings. |
|
159 | # of <alg>:<fingerprint> strings. | |
153 | fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, |
|
160 | fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, | |
@@ -234,6 +241,7 b' def _hostsettings(ui, hostname):' | |||||
234 | s['verifymode'] = ssl.CERT_NONE |
|
241 | s['verifymode'] = ssl.CERT_NONE | |
235 |
|
242 | |||
236 | assert s['protocol'] is not None |
|
243 | assert s['protocol'] is not None | |
|
244 | assert s['ctxoptions'] is not None | |||
237 | assert s['verifymode'] is not None |
|
245 | assert s['verifymode'] is not None | |
238 |
|
246 | |||
239 | return s |
|
247 | return s | |
@@ -259,9 +267,8 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
259 | # TODO use ssl.create_default_context() on modernssl. |
|
267 | # TODO use ssl.create_default_context() on modernssl. | |
260 | sslcontext = SSLContext(settings['protocol']) |
|
268 | sslcontext = SSLContext(settings['protocol']) | |
261 |
|
269 | |||
262 | # SSLv2 and SSLv3 are broken. We ban them outright. |
|
270 | # This is a no-op unless using modern ssl. | |
263 | # This is a no-op on old Python. |
|
271 | sslcontext.options |= settings['ctxoptions'] | |
264 | sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3 |
|
|||
265 |
|
272 | |||
266 | # This still works on our fake SSLContext. |
|
273 | # This still works on our fake SSLContext. | |
267 | sslcontext.verify_mode = settings['verifymode'] |
|
274 | sslcontext.verify_mode = settings['verifymode'] |
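Review bot: On the legacy path the SSLv2/SSLv3 ban silently does nothing: `sslcontext.options |= settings['ctxoptions']` at new line 271 is, by its own comment, a no-op on the fake SSLContext, and nothing in the hunk records or reports that the restriction was not applied, so the settings dict claims a protection that the socket does not get. The comment at new line 270 should say what is lost rather than just "no-op", e.g. `# On the fake SSLContext (no modern ssl module) .options is ignored, so the SSLv2/SSLv3 ban carried in ctxoptions is NOT enforced here.`. If the module already tracks whether the modern ssl module is present (the TODO at new line 267 mentions `modernssl`), emitting a debug or warning message when the options cannot be applied would make the degraded configuration visible; I cannot tell from this hunk whether wrapsocket has access to a ui object, so treat that as something to confirm. The body of wrapsocket continues outside the hunk, and the same caveat is stated only as a code comment in the second hunk (new lines 154-155), so it is invisible at runtime either way.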