Patchwork [7,of,7] sslutil: add docstring to wrapsocket()

Submitter Gregory Szorc
Date March 28, 2016, 4:28 a.m.
Message ID <36c21f6ed25641681e7c.1459139316@ubuntu-vm-main>
Permalink /patch/14098/
State Accepted

Comments

Gregory Szorc - March 28, 2016, 4:28 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1459109599 25200
#      Sun Mar 27 13:13:19 2016 -0700
# Node ID 36c21f6ed25641681e7c586ba2196a9d50939aff
# Parent  6804722830cd256bdc898069c41059edd07f18a0
sslutil: add docstring to wrapsocket()

Security should not be opaque.
Pierre-Yves David - March 28, 2016, 4:50 a.m.
On 03/27/2016 09:28 PM, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1459109599 25200
> #      Sun Mar 27 13:13:19 2016 -0700
> # Node ID 36c21f6ed25641681e7c586ba2196a9d50939aff
> # Parent  6804722830cd256bdc898069c41059edd07f18a0
> sslutil: add docstring to wrapsocket()

Very nice cleanup. Thanks for making this security-sensitive code clearer.

I ran all SSL-related tests with 2.7.8 and 2.7.9.

Pushed

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -103,16 +103,28 @@  except AttributeError:
 
             if self._supportsciphers:
                 args['ciphers'] = self._ciphers
 
             return ssl.wrap_socket(socket, **args)
 
 def wrapsocket(sock, keyfile, certfile, ui, cert_reqs=ssl.CERT_NONE,
                ca_certs=None, serverhostname=None):
+    """Add SSL/TLS to a socket.
+
+    This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
+    choices based on what security options are available.
+
+    In addition to the arguments supported by ``ssl.wrap_socket``, we allow
+    the following additional arguments:
+
+    * serverhostname - The expected hostname of the remote server. If the
+      server (and client) support SNI, this tells the server which certificate
+      to use.
+    """
     # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
     # that both ends support, including TLS protocols. On legacy stacks,
     # the highest it likely goes in TLS 1.0. On modern stacks, it can
     # support TLS 1.2.
     #
     # The PROTOCOL_TLSv* constants select a specific TLS version
     # only (as opposed to multiple versions). So the method for
     # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
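
Review bot: The new docstring on wrapsocket() says the wrapper "makes sane choices", but the signature directly above it defaults to cert_reqs=ssl.CERT_NONE with ca_certs=None, and the docstring never mentions that default. With CERT_NONE the peer certificate is not verified, so a reader of the docstring alone could assume verification happens; add a sentence stating that callers must pass cert_reqs and ca_certs to get certificate verification. The serverhostname entry calls it the "expected hostname" but describes only its SNI role, so say explicitly whether this function also checks it against the peer certificate or leaves that to the caller. Minor: in the unchanged comment below the docstring, "the highest it likely goes in TLS 1.0" should read "is TLS 1.0".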