Patchwork [1,of,3,ssl-followups] sslutil: drop support for clients of sslutil specifying a TLS version

Submitter Augie Fackler
Date Jan. 14, 2015, 8:53 p.m.
Message ID <46f317f81963553a3a82.1421268805@arthedain.pit.corp.google.com>
Permalink /patch/7453/
State Accepted
Commit 58080815f667ab61332b3f225add2d8f43b64cdd

Comments

Augie Fackler - Jan. 14, 2015, 8:53 p.m.
# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1421267476 18000
#      Wed Jan 14 15:31:16 2015 -0500
# Node ID 46f317f81963553a3a8280c0085560b708baad64
# Parent  40d582ff434f3fdca4f78655503bb177388dda66
sslutil: drop support for clients of sslutil specifying a TLS version

We really just want to support the newest thing possible, so we may as
well consolidate that knowledge into this module. Right now this
doesn't change any behavior, but a future change will fix the defaults
for Python 2.7.9 so we can use slightly better defaults there (which
is the only place it's possible at the moment.)

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -18,10 +18,9 @@  try:
     try:
         ssl_context = ssl.SSLContext
 
-        def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
-                            cert_reqs=ssl.CERT_NONE, ca_certs=None,
-                            serverhostname=None):
-            sslcontext = ssl.SSLContext(ssl_version)
+        def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
+                            ca_certs=None, serverhostname=None):
+            sslcontext = ssl.SSLContext(PROTOCOL_TLSv1)
             if certfile is not None:
                 sslcontext.load_cert_chain(certfile, keyfile)
             sslcontext.verify_mode = cert_reqs
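Review bot: With the `ssl_version` parameter gone, `ssl.SSLContext(PROTOCOL_TLSv1)` is the only protocol choice, and in Python's ssl module that constant selects TLS 1.0 exactly rather than "TLS 1.0 or newer", so TLS 1.1/1.2 are never negotiated even where the interpreter supports them. The same applies to `ssl_version=PROTOCOL_TLSv1` in the `ssl.wrap_socket` fallback in the next hunk. The commit message defers better defaults to a later change, so for this one I would add a comment above the constructor, e.g. `# PROTOCOL_TLSv1 pins TLS 1.0 only; move to PROTOCOL_SSLv23 with OP_NO_SSLv2/OP_NO_SSLv3 when defaults are revisited`. The function body continues past the end of the hunk.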
@@ -37,12 +36,11 @@  try:
                 raise util.Abort(_('ssl connection failed'))
             return sslsocket
     except AttributeError:
-        def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
-                            cert_reqs=ssl.CERT_NONE, ca_certs=None,
-                            serverhostname=None):
+        def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
+                            ca_certs=None, serverhostname=None):
             sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
                                         cert_reqs=cert_reqs, ca_certs=ca_certs,
-                                        ssl_version=ssl_version)
+                                        ssl_version=PROTOCOL_TLSv1)
             # check if wrap_socket failed silently because socket had been
             # closed
             # - see http://bugs.python.org/issue13721
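Review bot: Dropping `ssl_version` from the middle of the signature changes what the fourth positional argument means: a caller outside this file that still passes the protocol positionally would now have it bound to `cert_reqs`, and one passing `ssl_version=` fails with a TypeError. This applies to all three `ssl_wrap_socket` definitions in the patch. Only the `sslkwargs` caller is visible here, so whether any extension calls it that way is unknown. A docstring line such as `"""Wrap sock in TLS; the protocol version is chosen by this module, not the caller."""` would make the new contract explicit. The body of this variant continues outside the hunk.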
@@ -56,9 +54,8 @@  except ImportError:
 
     import socket, httplib
 
-    def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
-                        cert_reqs=CERT_REQUIRED, ca_certs=None,
-                        serverhostname=None):
+    def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=CERT_REQUIRED,
+                        ca_certs=None, serverhostname=None):
         if not util.safehasattr(socket, 'ssl'):
             raise util.Abort(_('Python SSL support not found'))
         if ca_certs:
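Review bot: The rewritten signature here keeps `cert_reqs=CERT_REQUIRED` as its default while the two `ssl`-module variants above default to `cert_reqs=ssl.CERT_NONE`, so a caller that omits `cert_reqs` gets no certificate verification on the common path and a stricter default only on this fallback. Since all three signatures are being rewritten anyway, a comment on the `ssl.CERT_NONE` defaults stating that verification is opt-in and that callers are expected to pass `cert_reqs` (presumably via `sslkwargs`) would show the difference is deliberate. The body of this function continues outside the hunk.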
@@ -126,8 +123,7 @@  def _plainapplepython():
             exe.startswith('/system/library/frameworks/python.framework/'))
 
 def sslkwargs(ui, host):
-    kws = {'ssl_version': PROTOCOL_TLSv1,
-           }
+    kws = {}
     hostfingerprint = ui.config('hostfingerprints', host)
     if hostfingerprint:
         return kws
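Review bot: `sslkwargs` now returns an empty dict when a `hostfingerprints` entry exists, so on that path `ssl_wrap_socket` runs with its default `cert_reqs` (`ssl.CERT_NONE` in the `ssl`-module variants) and the handshake itself authenticates nothing. That is presumably intended, with the pinned fingerprint compared once the connection is up, but that check is not visible in this hunk. A comment on the early return would record the dependency, e.g. `# no cert_reqs: the peer is validated against the pinned fingerprint after the handshake`. The rest of `sslkwargs` lies outside the hunk.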