Patchwork [10,of,10,v2] sslutil: remove fallback for `ssl` attributes that we can assume to be present

Submitter Manuel Jacob
Date May 30, 2020, 10:37 p.m.
Message ID <15f8f319b5a41dbf68b2.1590878243@tmp>
Permalink /patch/46429/
State New

Comments

Manuel Jacob - May 30, 2020, 10:37 p.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590806514 -7200
#      Sat May 30 04:41:54 2020 +0200
# Node ID 15f8f319b5a41dbf68b2dfc308503128c37c61ab
# Parent  727c3b95f5ace64398c262b1093427d6d8a03815
# EXP-Topic require_modern_ssl
sslutil: remove fallback for `ssl` attributes that we can assume to be present

Two requirements need to be satisfied for this to work.

1) The Python version must support these attributes. I checked that this is
the case for Python 2.7.9 (which added `ssl.SSLContext) and the version that
backported `ssl.SSLContext` to RHEL7.

2) The OpenSSL version Python is compiled against must support them. I checked
that OpenSSL 1.0.1, which we require for TLS 1.1 and TLS 1.2 support, supports
them.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -15,7 +15,6 @@  import re
 import ssl
 
 from .i18n import _
-from .pycompat import getattr
 from . import (
     encoding,
     error,
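Review bot: Dropping `from .pycompat import getattr` silently changes every getattr() call that remains in sslutil.py to the builtin, and the pycompat wrapper is (as far as I recall) what makes bytes attribute names work on Python 3, so the removal is only safe if this series also removed every `getattr(obj, b'...')` in the file. The hunks below only show the ssl-module lookups being replaced; a grep of the rest of the module for remaining getattr calls with bytes names would confirm nothing else depended on the wrapper. The import block continues outside the hunk.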
@@ -42,7 +41,7 @@  configprotocols = {
     b'tls1.2',
 }
 
-hassni = getattr(ssl, 'HAS_SNI', False)
+hassni = ssl.HAS_SNI
 
 supportedprotocols = {
     b'tls1.0',
@@ -260,8 +259,7 @@  def protocolsettings(protocol):
         raise error.Abort(_(b'this should not happen'))
 
     # Prevent CRIME.
-    # There is no guarantee this attribute is defined on the module.
-    options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+    options |= ssl.OP_NO_COMPRESSION
 
     return ssl.PROTOCOL_SSLv23, options, protocol
 
@@ -502,13 +500,12 @@  def wrapserversocket(
     sslcontext.options |= options
 
     # Improve forward secrecy.
-    sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
-    sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+    sslcontext.options |= ssl.OP_SINGLE_DH_USE
+    sslcontext.options |= ssl.OP_SINGLE_ECDH_USE
 
-    # Use the list of more secure ciphers if found in the ssl module.
-    if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
-        sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
-        sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+    # Use the list of more secure ciphers.
+    sslcontext.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
+    sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
 
     if requireclientcert:
         sslcontext.verify_mode = ssl.CERT_REQUIRED
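Review bot: `ssl._RESTRICTED_SERVER_CIPHERS` is an underscore-prefixed private attribute of the standard library with no stability guarantee, unlike the public `OP_*` constants this series otherwise relies on, so the removed `safehasattr` guard was protecting against a different risk than the one the commit message addresses; if a future Python drops or renames it, `wrapserversocket` raises AttributeError on every server start instead of degrading to the OpenSSL default cipher list. I would keep the guard for the private name only: `sslcontext.options |= ssl.OP_CIPHER_SERVER_PREFERENCE` unconditionally, then `if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):` / `    sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)` with a comment noting the attribute is private. Alternatively, carry the cipher string in sslutil itself so the server-side cipher policy does not depend on stdlib internals. `wrapserversocket` starts and ends outside the hunk.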