Patchwork [2,of,3] sslutil: stop storing protocol and options for SSLContext in settings dict

Submitter Manuel Jacob
Date June 1, 2020, 12:43 p.m.
Message ID <cc29486022ffe6525fc2.1591015391@tmp>
Permalink /patch/46448/
State Accepted

Comments

Manuel Jacob - June 1, 2020, 12:43 p.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1591014013 -7200
#      Mon Jun 01 14:20:13 2020 +0200
# Node ID cc29486022ffe6525fc242fa395ea5236db538eb
# Parent  776bb7e68bba72e8f37d81737df46e63e2565b2a
# EXP-Topic sslutil-cleanup
sslutil: stop storing protocol and options for SSLContext in settings dict

Call protocolsettings() where its return values are needed.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -77,15 +77,11 @@  def _hostsettings(ui, hostname):
         b'disablecertverification': False,
         # Whether the legacy [hostfingerprints] section has data for this host.
         b'legacyfingerprint': False,
-        # PROTOCOL_* constant to use for SSLContext.__init__.
-        b'protocol': None,
         # String representation of minimum protocol to be used for UI
         # presentation.
         b'minimumprotocol': None,
         # ssl.CERT_* constant used by SSLContext.verify_mode.
         b'verifymode': None,
-        # Defines extra ssl.OP* bitwise options to set.
-        b'ctxoptions': None,
         # OpenSSL Cipher List to use (instead of default).
         b'ciphers': None,
     }
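Review bot: The comment on `b'minimumprotocol'` still says the string is kept "for UI presentation", but once `protocol` and `ctxoptions` are dropped from the dict it becomes the value wrapsocket() hands to protocolsettings() to choose the SSLContext protocol and options, so it is now the single source of truth for what gets enforced. Updating the comment keeps the next reader from treating it as display-only: `# String representation of minimum protocol; shown in the UI and passed to protocolsettings() by wrapsocket() to select the SSLContext protocol and options.` The `_hostsettings` body continues outside the hunk.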
@@ -124,7 +120,6 @@  def _hostsettings(ui, hostname):
         minimumprotocol = b'tls1.0'
 
     s[b'minimumprotocol'] = minimumprotocol
-    s[b'protocol'], s[b'ctxoptions'] = protocolsettings(minimumprotocol)
 
     ciphers = ui.config(b'hostsecurity', b'ciphers')
     ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
@@ -226,8 +221,6 @@  def _hostsettings(ui, hostname):
             # user).
             s[b'verifymode'] = ssl.CERT_NONE
 
-    assert s[b'protocol'] is not None
-    assert s[b'ctxoptions'] is not None
     assert s[b'verifymode'] is not None
 
     return s
@@ -321,8 +314,9 @@  def wrapsocket(sock, keyfile, certfile, 
     # bundle with a specific CA cert removed. If the system/default CA bundle
     # is loaded and contains that removed CA, you've just undone the user's
     # choice.
-    sslcontext = ssl.SSLContext(settings[b'protocol'])
-    sslcontext.options |= settings[b'ctxoptions']
+    protocol, options = protocolsettings(settings[b'minimumprotocol'])
+    sslcontext = ssl.SSLContext(protocol)
+    sslcontext.options |= options
     sslcontext.verify_mode = settings[b'verifymode']
 
     if settings[b'ciphers']:
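Review bot: The `assert s[b'protocol'] is not None` / `assert s[b'ctxoptions'] is not None` checks removed from `_hostsettings` have no counterpart at the new call site, so if protocolsettings() can return None for an unrecognized `minimumprotocol` (its body is not in this patch, so this is inferred), `sslcontext.options |= options` would fail with a TypeError at connect time instead of at settings construction. Adding `assert protocol is not None and options is not None` after the new `protocolsettings(...)` line preserves the invariant the old asserts expressed; if protocolsettings() already raises on unknown values, a short comment stating that would make the omission deliberate. The wrapsocket() body starts and continues outside the hunk.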