# HG changeset patch # User Manuel Jacob <m...@manueljacob.de> # Date 1590970587 -7200 # Mon Jun 01 02:16:27 2020 +0200 # Node ID 64807e560eedc6c2571d34ffb7bd2f7e356dd606 # Parent 7576507bfe5ea28ab6d496d532bb9b453998ca35 # EXP-Topic require_modern_ssl sslutil: propagate return value ssl.PROTOCOL_SSLv23 from protocolsettings()
Also, protocolsettings() was renamed to ssloptions() to reflect that only the options are returned. Also, the now unused 'protocol' entry of the config dict was removed. diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py --- a/mercurial/sslutil.py +++ b/mercurial/sslutil.py @@ -79,8 +79,6 @@ def _hostsettings(ui, hostname): b'disablecertverification': False, # Whether the legacy [hostfingerprints] section has data for this host. b'legacyfingerprint': False, - # PROTOCOL_* constant to use for SSLContext.__init__. - b'protocol': None, # String representation of minimum protocol to be used for UI # presentation. b'minimumprotocolui': None, @@ -126,7 +124,7 @@ def _hostsettings(ui, hostname): minimumprotocol = b'tls1.0' s[b'minimumprotocolui'] = minimumprotocol - s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol) + s[b'ctxoptions'] = ssloptions(minimumprotocol) ciphers = ui.config(b'hostsecurity', b'ciphers') ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) @@ -228,14 +226,13 @@ def _hostsettings(ui, hostname): # user). s[b'verifymode'] = ssl.CERT_NONE - assert s[b'protocol'] is not None assert s[b'ctxoptions'] is not None assert s[b'verifymode'] is not None return s -def protocolsettings(minimumprotocol): +def ssloptions(minimumprotocol): """Resolve the protocol for a config value. Returns a tuple of (protocol, options) which are values used by SSLContext. @@ -268,7 +265,7 @@ def protocolsettings(minimumprotocol): # There is no guarantee this attribute is defined on the module. options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) - return ssl.PROTOCOL_SSLv23, options + return options def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): @@ -323,7 +320,7 @@ def wrapsocket(sock, keyfile, certfile, # bundle with a specific CA cert removed. If the system/default CA bundle # is loaded and contains that removed CA, you've just undone the user's # choice. - sslcontext = ssl.SSLContext(settings[b'protocol']) + sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) sslcontext.options |= settings[b'ctxoptions'] sslcontext.verify_mode = settings[b'verifymode'] @@ -520,7 +517,8 @@ def wrapserversocket( _(b'referenced certificate file (%s) does not exist') % f ) - protocol, options = protocolsettings(b'tls1.0') + protocol = ssl.PROTOCOL_SSLv23 + options = ssloptions(b'tls1.0') # This config option is intended for use in tests only. It is a giant # footgun to kill security. Don't define it. _______________________________________________ Mercurial-devel mailing list Mercurial-devel@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel