work in progress

netcache.py

@@ -459,30 +459,35 @@ def _fetch_gemini(url):
     context = ssl.SSLContext(protocol)
 
         # Use CAs or TOFU
-        if self.options["tls_mode"] == "ca":
+        #TODO : should we care about this options?
-            context.verify_mode = ssl.CERT_REQUIRED
+        #if self.options["tls_mode"] == "ca":
-            context.check_hostname = True
+        #    context.verify_mode = ssl.CERT_REQUIRED
-            context.load_default_certs()
+        #    context.check_hostname = True
-        else:
+        #    context.load_default_certs()
-            context.check_hostname = False
+        #else:
-            context.verify_mode = ssl.CERT_NONE
+        #    context.check_hostname = False
-        # Impose minimum TLS version
+        #    context.verify_mode = ssl.CERT_NONE
-        ## In 3.7 and above, this is easy...
+    context.check_hostname=False
-        if sys.version_info.minor >= 7:
+    context.verify_mode = ssl.CERT_NONE
-            context.minimum_version = ssl.TLSVersion.TLSv1_2
+    # Impose minimum TLS version
-        ## Otherwise, it seems very hard...
+    ## In 3.7 and above, this is easy...
-        ## The below is less strict than it ought to be, but trying to disable
+    if sys.version_info.minor >= 7:
-        ## TLS v1.1 here using ssl.OP_NO_TLSv1_1 produces unexpected failures
+        context.minimum_version = ssl.TLSVersion.TLSv1_2
-        ## with recent versions of OpenSSL.  What a mess...
+    ## Otherwise, it seems very hard...
-        else:
+    ## The below is less strict than it ought to be, but trying to disable
-            context.options |= ssl.OP_NO_SSLv3
+    ## TLS v1.1 here using ssl.OP_NO_TLSv1_1 produces unexpected failures
-            context.options |= ssl.OP_NO_SSLv2
+    ## with recent versions of OpenSSL.  What a mess...
-        # Try to enforce sensible ciphers
+    else:
-        try:
+        context.options |= ssl.OP_NO_SSLv3
-            context.set_ciphers("AESGCM+ECDHE:AESGCM+DHE:CHACHA20+ECDHE:CHACHA20+DHE:!DSS:!SHA1:!MD5:@STRENGTH")
+        context.options |= ssl.OP_NO_SSLv2
-        except ssl.SSLError:
+    # Try to enforce sensible ciphers
-            # Rely on the server to only support sensible things, I guess...
+    try:
-            pass
+        context.set_ciphers("AESGCM+ECDHE:AESGCM+DHE:CHACHA20+ECDHE:CHACHA20+DHE:!DSS:!SHA1:!MD5:@STRENGTH")
+    except ssl.SSLError:
+        # Rely on the server to only support sensible things, I guess...
+        pass
+
+    #TODO: I’m here in the refactor
         # Load client certificate if needed
         if self.client_certs["active"]:
             certfile, keyfile = self.client_certs["active"]