Comments
Patch
@@ -24,16 +24,23 @@ from . import (
# all exposed via the "ssl" module.
#
# Depending on the version of Python being used, SSL/TLS support is either
# modern/secure or legacy/insecure. Many operations in this module have
# separate code paths depending on support in Python.
hassni = getattr(ssl, 'HAS_SNI', False)
+try:
+ OP_NO_SSLv2 = ssl.OP_NO_SSLv2
+ OP_NO_SSLv3 = ssl.OP_NO_SSLv3
+except AttributeError:
+ OP_NO_SSLv2 = 0x1000000
+ OP_NO_SSLv3 = 0x2000000
+
_canloaddefaultcerts = False
try:
# ssl.SSLContext was added in 2.7.9 and presence indicates modern
# SSL/TLS features are available.
ssl_context = ssl.SSLContext
_canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
@@ -43,17 +50,17 @@ try:
# newer standards (like TLSv1_2), so this is the right way
# to do this. Note that in the future it'd be better to
# support using ssl.create_default_context(), which sets
# up a bunch of things in smart ways (strong ciphers,
# protocol versions, etc) and is upgraded by Python
# maintainers for us, but that breaks too many things to
# do it in a hurry.
sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+ sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
if certfile is not None:
def password():
f = keyfile or certfile
return ui.getpass(_('passphrase for %s: ') % f, '')
sslcontext.load_cert_chain(certfile, keyfile, password)
sslcontext.verify_mode = cert_reqs
if ca_certs is not None:
sslcontext.load_verify_locations(cafile=ca_certs)