Patchwork [15,of,15] sslutil: remove fallback for `ssl` attributes that we can assume to be present

Submitter Manuel Jacob
Date May 30, 2020, 5:52 a.m.
Message ID <c9b1893bc6f9e9359918.1590817947@tmp>
Permalink /patch/46409/
State New

Comments

Manuel Jacob - May 30, 2020, 5:52 a.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590806514 -7200
#      Sat May 30 04:41:54 2020 +0200
# Node ID c9b1893bc6f9e93599187d3f38c5fce282b045b8
# Parent  115c95a26b530486ebf9000ad5b7dc6a0c188e7a
# EXP-Topic require_modern_ssl
sslutil: remove fallback for `ssl` attributes that we can assume to be present

Two requirements need to be satisfied for this to work.

1) The Python version must support these attributes. I checked that this is
the case for Python 2.7.9 (which added `ssl.SSLContext`) and the version that
backported `ssl.SSLContext` to RHEL7.

2) The OpenSSL version Python is compiled against must support them. I checked
that OpenSSL 1.0.1, which we require for TLS 1.1 and TLS 1.2 support, supports
them.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -42,7 +42,7 @@  configprotocols = {
     b'tls1.2',
 }
 
-hassni = getattr(ssl, 'HAS_SNI', False)
+hassni = ssl.HAS_SNI
 
 # TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on 2012-03-14.
 # OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
@@ -262,8 +262,7 @@  def protocolsettings(protocol):
         raise error.Abort(_(b'this should not happen'))
 
     # Prevent CRIME.
-    # There is no guarantee this attribute is defined on the module.
-    options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+    options |= ssl.OP_NO_COMPRESSION
 
     return ssl.PROTOCOL_SSLv23, options, protocol
 
@@ -504,13 +503,12 @@  def wrapserversocket(
     sslcontext.options |= options
 
     # Improve forward secrecy.
-    sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
-    sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+    sslcontext.options |= ssl.OP_SINGLE_DH_USE
+    sslcontext.options |= ssl.OP_SINGLE_ECDH_USE
 
-    # Use the list of more secure ciphers if found in the ssl module.
-    if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
-        sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
-        sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+    # Use the list of more secure ciphers.
+    sslcontext.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
+    sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
 
     if requireclientcert:
         sslcontext.verify_mode = ssl.CERT_REQUIRED
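Review bot: The unconditional `sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)` now depends on a private, underscore-prefixed attribute of the `ssl` module, which neither of the two requirements in the commit message (Python version, OpenSSL version) covers, since a private name carries no compatibility guarantee across Python releases. The public `OP_*` constants removed elsewhere in this hunk are safe to assume, but this one line is the exception, and if the attribute disappears the server path fails at import-time-independent runtime with an AttributeError rather than silently using the default cipher list. Either keep a guarded lookup for this line only, `ciphers = getattr(ssl, '_RESTRICTED_SERVER_CIPHERS', None)` / `if ciphers is not None:` / `    sslcontext.set_ciphers(ciphers)`, or pin the intended restricted cipher string in sslutil itself so the behaviour is explicit and not tied to CPython internals. The comment should then say why, e.g. `# _RESTRICTED_SERVER_CIPHERS is a private ssl attribute; fall back to the default cipher list if it is absent.` wrapserversocket starts before this hunk and appears to continue after it.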