Patchwork [2,of,7] sslutil: store OP_NO_SSL* constants in module scope

Submitter Gregory Szorc
Date March 28, 2016, 4:28 a.m.
Message ID <29af463b9e5e61d06095.1459139311@ubuntu-vm-main>
Permalink /patch/14093/
State Accepted

Comments

Gregory Szorc - March 28, 2016, 4:28 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1459100844 25200
#      Sun Mar 27 10:47:24 2016 -0700
# Node ID 29af463b9e5e61d0609587c37b5059ecb80a4f85
# Parent  df8f913a95870ed5262e96d8bd68221bf7aef3cd
sslutil: store OP_NO_SSL* constants in module scope

An upcoming patch will introduce a global SSLContext type so we
have a single function used to wrap sockets. Prepare for that by
introducing module level constants for disabling SSLv2 and SSLv3.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -24,16 +24,23 @@  from . import (
 # all exposed via the "ssl" module.
 #
 # Depending on the version of Python being used, SSL/TLS support is either
 # modern/secure or legacy/insecure. Many operations in this module have
 # separate code paths depending on support in Python.
 
 hassni = getattr(ssl, 'HAS_SNI', False)
 
+try:
+    OP_NO_SSLv2 = ssl.OP_NO_SSLv2
+    OP_NO_SSLv3 = ssl.OP_NO_SSLv3
+except AttributeError:
+    OP_NO_SSLv2 = 0x1000000
+    OP_NO_SSLv3 = 0x2000000
+
 _canloaddefaultcerts = False
 try:
     # ssl.SSLContext was added in 2.7.9 and presence indicates modern
     # SSL/TLS features are available.
     ssl_context = ssl.SSLContext
     _canloaddefaultcerts = util.safehasattr(ssl_context, 'load_default_certs')
 
     def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
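Review bot: The literal fallbacks `0x1000000` and `0x2000000` in the except branch carry no comment saying where they come from, so a reader cannot tell whether they are arbitrary or must match something; a one-line comment such as `# OpenSSL's SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 bit values, for ssl modules that do not export them` would settle that. It is also worth stating in the same comment what the fallback is for: on a Python whose ssl module lacks these attributes the values only have an effect if some code path can apply them to a context's options, and the legacy wrap_socket path a few lines below this hunk (inside the `except` of the SSLContext probe, outside the hunk) does not appear to take options at all, so the fallback presumably exists for the planned global context rather than for current behaviour. Since the first line of the hunk is mid-comment and the hunk ends inside the `try:` that probes `ssl.SSLContext`, the enclosing statement continues outside the hunk.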
@@ -43,17 +50,17 @@  try:
         # newer standards (like TLSv1_2), so this is the right way
         # to do this. Note that in the future it'd be better to
         # support using ssl.create_default_context(), which sets
         # up a bunch of things in smart ways (strong ciphers,
         # protocol versions, etc) and is upgraded by Python
         # maintainers for us, but that breaks too many things to
         # do it in a hurry.
         sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-        sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+        sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
         if certfile is not None:
             def password():
                 f = keyfile or certfile
                 return ui.getpass(_('passphrase for %s: ') % f, '')
             sslcontext.load_cert_chain(certfile, keyfile, password)
         sslcontext.verify_mode = cert_reqs
         if ca_certs is not None:
             sslcontext.load_verify_locations(cafile=ca_certs)