Submitter | Augie Fackler |
---|---|
Date | May 15, 2013, 7:32 p.m. |
Message ID | <900ab7c23f9ed458a8fc.1368646327@arthedain.pit.corp.google.com> |
Permalink | /patch/1654/ |
State | Rejected, archived |
Comments
Note that I didn't test this on 2.4. On Wed, May 15, 2013 at 3:32 PM, Augie Fackler <raf@durin42.com> wrote: > # HG changeset patch > # User Augie Fackler <raf@durin42.com> > # Date 1368646190 14400 > # Wed May 15 15:29:50 2013 -0400 > # Branch stable > # Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b > # Parent 278057693a1ddb93f95fa641e30e7a966ac98434 > httpconnection: force SSLv3 if the ssl module is available > > diff --git a/mercurial/httpconnection.py b/mercurial/httpconnection.py > --- a/mercurial/httpconnection.py > +++ b/mercurial/httpconnection.py > @@ -279,6 +279,13 @@ > kwargs['keyfile'] = keyfile > if certfile: > kwargs['certfile'] = certfile > + try: > + import ssl > + kwargs['ssl_version'] = ssl.PROTOCOL_SSLv3 > + except ImportError: > + # Python < 2.6 won't have an ssl module, so we can't force SSLv3. > + pass > + > > kwargs.update(sslutil.sslkwargs(self.ui, host)) > > _______________________________________________ > Mercurial-devel mailing list > Mercurial-devel@selenic.com > http://selenic.com/mailman/listinfo/mercurial-devel
On Wed, 15 May 2013 15:32:07 -0400 Augie Fackler <raf@durin42.com> wrote:
> # HG changeset patch
> # User Augie Fackler <raf@durin42.com>
> # Date 1368646190 14400
> # Wed May 15 15:29:50 2013 -0400
> # Branch stable
> # Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b
> # Parent 278057693a1ddb93f95fa641e30e7a966ac98434
> httpconnection: force SSLv3 if the ssl module is available

Why SSLv3? Is it so that SSLv2 is disabled?
Note that recent 2.7 versions disable SSLv2 ciphers:
http://hg.python.org/cpython/file/149340b3004a/Lib/ssl.py#l95

Regards

Antoine.
On Wed, 2013-05-15 at 21:48 +0200, Antoine Pitrou wrote:
> On Wed, 15 May 2013 15:32:07 -0400
> Augie Fackler <raf@durin42.com> wrote:
> > # HG changeset patch
> > # User Augie Fackler <raf@durin42.com>
> > # Date 1368646190 14400
> > # Wed May 15 15:29:50 2013 -0400
> > # Branch stable
> > # Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b
> > # Parent 278057693a1ddb93f95fa641e30e7a966ac98434
> > httpconnection: force SSLv3 if the ssl module is available
>
> Why SSLv3? Is it so that SSLv2 is disabled?

Yes. Most web browsers disabled v2 quite some time ago, so this should be pretty safe. IE7 did so in 2006, for instance.

> Note that recent 2.7 versions disable SSLv2 ciphers:
> http://hg.python.org/cpython/file/149340b3004a/Lib/ssl.py#l95

I've cc:ed you on:

http://bz.selenic.com/show_bug.cgi?id=3905

See this comment in particular:

http://bz.selenic.com/show_bug.cgi?id=3905#c22

Also note that we'll probably have users on Python < 2.7 for a number of years yet.
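The thread's goal is to keep SSLv2 off the wire; the patch reaches for `PROTOCOL_SSLv3`, which pins the client to SSLv3 alone rather than "SSLv3 or better". The following is an added example, not Mercurial's code and not code from anyone in this thread: it shows, with the Python 3 standard-library `ssl` module (assumed to be built against OpenSSL 1.1.0 or later, so that `minimum_version` is available), how a client context is built that negotiates the newest version both sides support while refusing the legacy ones, next to a guarded version of what the patch does. The function names `pinned_sslv3_kwargs`, `make_client_context` and `check_policy` are this example's own.

```python
"""Added example (not Mercurial's code): disable legacy SSL/TLS versions on a
client without pinning the handshake to a single protocol version.

Python 3 only. The 2013 thread targets Python 2.6/2.7, whose ssl.wrap_socket()
took a single ssl_version= argument and had no SSLContext; that API shape is
why the patch under review had to pick one PROTOCOL_* constant.
"""
import ssl

# Versions the context's configured bounds are checked against (names are the
# ssl.TLSVersion member names).
_VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def pinned_sslv3_kwargs():
    """What the reviewed patch does, guarded for modern builds.

    PROTOCOL_SSLv3 means "speak SSLv3 and nothing else": a server that has
    SSLv3 switched off (or never had it) cannot complete the handshake.
    Returns None when OpenSSL was built without SSLv3, in which case the
    constant does not exist at all.
    """
    version = getattr(ssl, "PROTOCOL_SSLv3", None)  # absent on many builds
    if version is None:
        return None
    return {"ssl_version": version}


def make_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """The defender's way to express "no SSLv2": negotiate the highest
    version both ends support, but floor it at `minimum`.

    PROTOCOL_TLS_CLIENT also turns on certificate verification and hostname
    checking, which a bare ssl_version= setting never did.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    return ctx


def check_policy(ctx):
    """Map each version name to whether the context's configured bounds
    would let that version be negotiated.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "no bound
    set here"; they are widened to SSLv3 / TLSv1_3 so the comparison is
    purely about what this context configured, not about what the linked
    OpenSSL happens to compile in.
    """
    low = ctx.minimum_version
    high = ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = ssl.TLSVersion.SSLv3
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ssl.TLSVersion.TLSv1_3
    return {
        name: low <= getattr(ssl.TLSVersion, name) <= high
        for name in _VERSIONS
    }


def verifies_peer(ctx):
    """True when the context will check the server certificate and hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    context = make_client_context()
    for name, allowed in check_policy(context).items():
        print("%-8s %s" % (name, "allowed" if allowed else "refused"))
    print("verifies peer:", verifies_peer(context))
    print("patch-style kwargs:", pinned_sslv3_kwargs())
```

Run stand-alone it prints one line per version; the point of contrast is that `check_policy` on the context from `make_client_context` refuses SSLv3 and TLS 1.0/1.1 while still allowing TLS 1.2 and 1.3, whereas the patch's `ssl_version=PROTOCOL_SSLv3` would have allowed SSLv3 and nothing newer.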
Patch
diff --git a/mercurial/httpconnection.py b/mercurial/httpconnection.py --- a/mercurial/httpconnection.py +++ b/mercurial/httpconnection.py @@ -279,6 +279,13 @@ kwargs['keyfile'] = keyfile if certfile: kwargs['certfile'] = certfile + try: + import ssl + kwargs['ssl_version'] = ssl.PROTOCOL_SSLv3 + except ImportError: + # Python < 2.6 won't have an ssl module, so we can't force SSLv3. + pass + kwargs.update(sslutil.sslkwargs(self.ui, host))
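Review bot: the hunk does more than the commit message says. `ssl.PROTOCOL_SSLv3` makes the client speak SSLv3 and nothing else, so besides dropping SSLv2 it also disables TLS 1.0 and later, and any server that has already switched SSLv3 off will refuse the handshake. If the goal is only to keep SSLv2 out, `ssl.PROTOCOL_SSLv23` negotiates the highest version both sides support, and the SSLv2 exclusion belongs in the cipher list (which, as the thread notes, recent 2.7 releases already apply) or in the `OP_NO_SSLv2` option where the ssl module offers SSLContext. Two smaller points: the `try` only catches `ImportError`, so on any Python that has the module the `ssl_version` key is set unconditionally with no ui option to opt out, and the following `kwargs.update(sslutil.sslkwargs(self.ui, host))` runs after this block, so anything `sslkwargs` returns under the same key would silently override the forced version; if the override is intended, a comment saying so would help, otherwise set the key after the update.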