Patchwork [2,of,3,ssl-followups] sslutil: use saner TLS settings on Python 2.7.9

Submitter Augie Fackler
Date Jan. 14, 2015, 8:53 p.m.
Message ID <dc0d263e6931670d64e4.1421268806@arthedain.pit.corp.google.com>
Permalink /patch/7454/
State Accepted
Commit e1931f7cd97769eec5f8cbc7d8052bc61d77d4e5

Comments

Augie Fackler - Jan. 14, 2015, 8:53 p.m.
# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1421268360 18000
#      Wed Jan 14 15:46:00 2015 -0500
# Node ID dc0d263e6931670d64e4df89bacd53fdaca2fed1
# Parent  46f317f81963553a3a8280c0085560b708baad64
sslutil: use saner TLS settings on Python 2.7.9

Asking for TLSv1 locks us out of TLSv1_2 etc. This is at least less
bad. Ideally we'd use ssl.create_default_context(), but that causes
more mayhem in the testsuite than I really want to deal with right
now.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -20,7 +20,17 @@  try:
 
         def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
                             ca_certs=None, serverhostname=None):
-            sslcontext = ssl.SSLContext(PROTOCOL_TLSv1)
+            # Allow any version of SSL starting with TLSv1 and
+            # up. Note that specifying TLSv1 here prohibits use of
+            # newer standards (like TLSv1_2), so this is the right way
+            # to do this. Note that in the future it'd be better to
+            # support using ssl.create_default_context(), which sets
+            # up a bunch of things in smart ways (strong ciphers,
+            # protocol versions, etc) and is upgraded by Python
+            # maintainers for us, but that breaks too many things to
+            # do it in a hurry.
+            sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
             if certfile is not None:
                 sslcontext.load_cert_chain(certfile, keyfile)
             sslcontext.verify_mode = cert_reqs
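Review bot: the option handling in `sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3` does the opposite of what the comment above it describes. `OP_NO_SSLv2` and `OP_NO_SSLv3` are distinct single-bit flags, so `ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3` evaluates to 0, and `&=` with 0 clears every option already set on the context, including the `OP_NO_SSLv2` that an `SSLContext(PROTOCOL_SSLv23)` carries by default on 2.7.9. The result is a context that will still negotiate SSLv3 (and SSLv2 where the linked OpenSSL supports it), rather than "TLSv1 and up". The bits need to be set, not masked: `sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`. A quick check after construction (`assert sslcontext.options & ssl.OP_NO_SSLv3`) in the testsuite would catch this class of mistake.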