sslutil: capture string string representation of protocol

This will be used in a subsequent patch to improve messaging.
Gregory Szorc 2016-07-19 20:30:29 -07:00
parent 866f60c870
commit 9541a78df4


@ -139,6 +139,9 @@ def _hostsettings(ui, hostname):
'legacyfingerprint': False,
# PROTOCOL_* constant to use for SSLContext.__init__.
'protocol': None,
# String representation of minimum protocol to be used for UI
# presentation.
'protocolui': None,
# ssl.CERT_* constant used by SSLContext.verify_mode.
'verifymode': None,
# Defines extra ssl.OP* bitwise options to set.
@ -187,7 +190,7 @@ def _hostsettings(ui, hostname):
if ui.insecureconnections:
protocol = 'tls1.0'
s['protocol'], s['ctxoptions'] = protocolsettings(protocol)
s['protocol'], s['ctxoptions'], s['protocolui'] = protocolsettings(protocol)
ciphers = ui.config('hostsecurity', 'ciphers')
ciphers = ui.config('hostsecurity', '%s:ciphers' % hostname, ciphers)
@ -285,7 +288,12 @@ def _hostsettings(ui, hostname):
return s
def protocolsettings(protocol):
"""Resolve the protocol and context options for a config value."""
"""Resolve the protocol for a config value.
Returns a 3-tuple of (protocol, options, ui value) where the first
2 items are values used by SSLContext and the last is a string value
of the ``minimumprotocol`` config option equivalent.
"""
if protocol not in configprotocols:
raise ValueError('protocol value not supported: %s' % protocol)
@ -307,7 +315,7 @@ def protocolsettings(protocol):
hint=_('upgrade Python or disable setting since '
'only TLS 1.0 is supported'))
return ssl.PROTOCOL_TLSv1, 0
return ssl.PROTOCOL_TLSv1, 0, 'tls1.0'
# WARNING: returned options don't work unless the modern ssl module
# is available. Be careful when adding options here.
@ -329,7 +337,7 @@ def protocolsettings(protocol):
# There is no guarantee this attribute is defined on the module.
options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
return ssl.PROTOCOL_SSLv23, options
return ssl.PROTOCOL_SSLv23, options, protocol
def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
"""Add SSL/TLS to a socket.
@ -445,7 +453,7 @@ def wrapserversocket(sock, ui, certfile=None, keyfile=None, cafile=None,
Typically ``cafile`` is only defined if ``requireclientcert`` is true.
"""
protocol, options = protocolsettings('tls1.0')
protocol, options, _protocolui = protocolsettings('tls1.0')
# This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it.
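Review bot: The new third return value is documented (docstring in the `@ -285,7 +288,12` hunk and the `protocolui` comment in `_hostsettings`) as the minimum protocol, but on the legacy branch that returns `ssl.PROTOCOL_TLSv1, 0, 'tls1.0'` the context can negotiate only TLS 1.0, not TLS 1.0 or newer, as the adjacent hint "only TLS 1.0 is supported" states. Any message later built from this string should not present it as a floor on that path; I would extend the docstring with a sentence such as `On the legacy ssl module (PROTOCOL_TLSv1) the ui value names the only version that can be negotiated, not a minimum.` A second caveat worth a word next to the `'protocolui': None` comment: when `ui.insecureconnections` is set the value reflects the forced `'tls1.0'` override rather than the user's configured `minimumprotocol`, so UI output should say "effective" rather than "configured". Both `_hostsettings` and `protocolsettings` begin outside the hunks shown here.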