Rename parameter to be easier to understand

urllib3 · Dec 31, 2020 · 0d5030c · 0d5030c
1 parent f5fcded
commit 0d5030c
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 15 deletions.
diff --git a/src/urllib3/contrib/pyopenssl.py b/src/urllib3/contrib/pyopenssl.py
@@ -74,7 +74,7 @@ class UnsupportedExtension(Exception):
 HAS_SNI = True
 
 # Use system TLS ciphers on OpenSSL 1.1.1+
-USE_SYSTEM_SSL_CIPHERS = util.ssl_._is_ge_openssl_v1_1_1(
+USE_DEFAULT_SSLCONTEXT_CIPHERS = util.ssl_._is_ge_openssl_v1_1_1(
     openssl_backend.openssl_version_text(), openssl_backend.openssl_version_number()
 )
 
@@ -107,7 +107,7 @@ class UnsupportedExtension(Exception):
 
 orig_util_HAS_SNI = util.HAS_SNI
 orig_util_SSLContext = util.ssl_.SSLContext
-orig_util_USE_SYSTEM_SSL_CIPHERS = util.ssl_.USE_SYSTEM_SSL_CIPHERS
+orig_util_USE_SYSTEM_SSL_CIPHERS = util.ssl_.USE_DEFAULT_SSLCONTEXT_CIPHERS
 
 
 log = logging.getLogger(__name__)
@@ -124,7 +124,7 @@ def inject_into_urllib3():
     util.ssl_.HAS_SNI = HAS_SNI
     util.IS_PYOPENSSL = True
     util.ssl_.IS_PYOPENSSL = True
-    util.ssl_.USE_SYSTEM_SSL_CIPHERS = USE_SYSTEM_SSL_CIPHERS
+    util.ssl_.USE_DEFAULT_SSLCONTEXT_CIPHERS = USE_DEFAULT_SSLCONTEXT_CIPHERS
 
 
 def extract_from_urllib3():
@@ -136,7 +136,7 @@ def extract_from_urllib3():
     util.ssl_.HAS_SNI = orig_util_HAS_SNI
     util.IS_PYOPENSSL = False
     util.ssl_.IS_PYOPENSSL = False
-    util.ssl_.USE_SYSTEM_SSL_CIPHERS = orig_util_USE_SYSTEM_SSL_CIPHERS
+    util.ssl_.USE_DEFAULT_SSLCONTEXT_CIPHERS = orig_util_USE_SYSTEM_SSL_CIPHERS
 
 
 def _validate_dependencies_met():

diff --git a/src/urllib3/contrib/securetransport.py b/src/urllib3/contrib/securetransport.py
@@ -82,7 +82,7 @@
 
 orig_util_HAS_SNI = util.HAS_SNI
 orig_util_SSLContext = util.ssl_.SSLContext
-orig_util_USE_SYSTEM_SSL_CIPHERS = util.ssl_.USE_SYSTEM_SSL_CIPHERS
+orig_util_USE_SYSTEM_SSL_CIPHERS = util.ssl_.USE_DEFAULT_SSLCONTEXT_CIPHERS
 
 # This dictionary is used by the read callback to obtain a handle to the
 # calling wrapped socket. This is a pretty silly approach, but for now it'll
@@ -151,7 +151,7 @@ def inject_into_urllib3():
     util.ssl_.HAS_SNI = HAS_SNI
     util.IS_SECURETRANSPORT = True
     util.ssl_.IS_SECURETRANSPORT = True
-    util.ssl_.USE_SYSTEM_SSL_CIPHERS = True
+    util.ssl_.USE_DEFAULT_SSLCONTEXT_CIPHERS = True
 
 
 def extract_from_urllib3():
@@ -164,7 +164,7 @@ def extract_from_urllib3():
     util.ssl_.HAS_SNI = orig_util_HAS_SNI
     util.IS_SECURETRANSPORT = False
     util.ssl_.IS_SECURETRANSPORT = False
-    util.ssl_.USE_SYSTEM_SSL_CIPHERS = orig_util_USE_SYSTEM_SSL_CIPHERS
+    util.ssl_.USE_DEFAULT_SSLCONTEXT_CIPHERS = orig_util_USE_SYSTEM_SSL_CIPHERS
 
 
 def _read_callback(connection_id, data_buffer, data_length_pointer):

diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
@@ -14,7 +14,7 @@
 IS_PYOPENSSL = False
 IS_SECURETRANSPORT = False
 ALPN_PROTOCOLS = ["http/1.1"]
-USE_SYSTEM_SSL_CIPHERS = False
+USE_DEFAULT_SSLCONTEXT_CIPHERS = False
 
 # Maps the length of a digest to a possible hash function producing this digest
 HASHFUNC_MAP = {32: md5, 40: sha1, 64: sha256}
@@ -48,7 +48,7 @@ def _is_ge_openssl_v1_1_1(
         SSLContext,
     )
 
-    USE_SYSTEM_SSL_CIPHERS = _is_ge_openssl_v1_1_1(
+    USE_DEFAULT_SSLCONTEXT_CIPHERS = _is_ge_openssl_v1_1_1(
         OPENSSL_VERSION, OPENSSL_VERSION_NUMBER
     )
     PROTOCOL_SSLv23 = PROTOCOL_TLS
@@ -88,10 +88,13 @@ def _is_ge_openssl_v1_1_1(
         "DH+AESGCM",
         "ECDH+AES",
         "DH+AES",
+        "RSA+AESGCM",
+        "RSA+AES",
         "!aNULL",
         "!eNULL",
         "!MD5",
         "!DSS",
+        "!AESCCM",
     ]
 )
 
@@ -203,7 +206,7 @@ def create_urllib3_context(
 
     # Unless we're given ciphers defer to either system ciphers in
     # the case of OpenSSL 1.1.1+ or use our own secure default ciphers.
-    if ciphers is not None or not USE_SYSTEM_SSL_CIPHERS:
+    if ciphers is not None or not USE_DEFAULT_SSLCONTEXT_CIPHERS:
         context.set_ciphers(ciphers or DEFAULT_CIPHERS)
 
     # Setting the default here, as we may have no ssl module on import

diff --git a/test/test_ssl.py b/test/test_ssl.py
@@ -117,7 +117,7 @@ def test_create_urllib3_context_set_ciphers(
 
         assert ssl_.create_urllib3_context(ciphers=ciphers) is context
 
-        if ciphers is None and ssl_.USE_SYSTEM_SSL_CIPHERS:
+        if ciphers is None and ssl_.USE_DEFAULT_SSLCONTEXT_CIPHERS:
             assert context.set_ciphers.call_count == 0
         else:
             assert context.set_ciphers.call_count == 1
@@ -171,19 +171,21 @@ def test_create_urllib3_context_pha(self, monkeypatch, pha, expected_pha):
 
         assert context.post_handshake_auth == expected_pha
 
-    @pytest.mark.parametrize("use_system_ssl_ciphers", [True, False])
+    @pytest.mark.parametrize("use_default_sslcontext_ciphers", [True, False])
     def test_create_urllib3_context_default_ciphers(
-        self, monkeypatch, use_system_ssl_ciphers
+        self, monkeypatch, use_default_sslcontext_ciphers
     ):
         context = mock.create_autospec(ssl_.SSLContext)
         context.set_ciphers = mock.Mock()
         context.options = 0
         monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
-        monkeypatch.setattr(ssl_, "USE_SYSTEM_SSL_CIPHERS", use_system_ssl_ciphers)
+        monkeypatch.setattr(
+            ssl_, "USE_DEFAULT_SSLCONTEXT_CIPHERS", use_default_sslcontext_ciphers
+        )
 
         ssl_.create_urllib3_context()
 
-        if use_system_ssl_ciphers:
+        if use_default_sslcontext_ciphers:
             context.set_ciphers.assert_not_called()
         else:
             context.set_ciphers.assert_called_with(ssl_.DEFAULT_CIPHERS)