Patchwork httpconnection: force SSLv3 if the ssl module is available

Submitter Augie Fackler
Date May 15, 2013, 7:32 p.m.
Message ID <900ab7c23f9ed458a8fc.1368646327@arthedain.pit.corp.google.com>
Permalink /patch/1654/
State Rejected, archived

Comments

Augie Fackler - May 15, 2013, 7:32 p.m.
# HG changeset patch
# User Augie Fackler <raf@durin42.com>
# Date 1368646190 14400
#      Wed May 15 15:29:50 2013 -0400
# Branch stable
# Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b
# Parent  278057693a1ddb93f95fa641e30e7a966ac98434
httpconnection: force SSLv3 if the ssl module is available
Augie Fackler - May 15, 2013, 7:37 p.m.
Note that I didn't test this on 2.4.

On Wed, May 15, 2013 at 3:32 PM, Augie Fackler <raf@durin42.com> wrote:
> # HG changeset patch
> # User Augie Fackler <raf@durin42.com>
> # Date 1368646190 14400
> #      Wed May 15 15:29:50 2013 -0400
> # Branch stable
> # Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b
> # Parent  278057693a1ddb93f95fa641e30e7a966ac98434
> httpconnection: force SSLv3 if the ssl module is available
>
> diff --git a/mercurial/httpconnection.py b/mercurial/httpconnection.py
> --- a/mercurial/httpconnection.py
> +++ b/mercurial/httpconnection.py
> @@ -279,6 +279,13 @@
>              kwargs['keyfile'] = keyfile
>          if certfile:
>              kwargs['certfile'] = certfile
> +        try:
> +            import ssl
> +            kwargs['ssl_version'] = ssl.PROTOCOL_SSLv3
> +        except ImportError:
> +            # Python < 2.6 won't have an ssl module, so we can't force SSLv3.
> +            pass
> +
>
>          kwargs.update(sslutil.sslkwargs(self.ui, host))
>
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel@selenic.com
> http://selenic.com/mailman/listinfo/mercurial-devel
Antoine Pitrou - May 15, 2013, 7:48 p.m.
On Wed, 15 May 2013 15:32:07 -0400
Augie Fackler <raf@durin42.com> wrote:
> # HG changeset patch
> # User Augie Fackler <raf@durin42.com>
> # Date 1368646190 14400
> #      Wed May 15 15:29:50 2013 -0400
> # Branch stable
> # Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b
> # Parent  278057693a1ddb93f95fa641e30e7a966ac98434
> httpconnection: force SSLv3 if the ssl module is available

Why SSLv3? Is it so that SSLv2 is disabled?

Note that recent 2.7 versions disable SSLv2 ciphers:
http://hg.python.org/cpython/file/149340b3004a/Lib/ssl.py#l95

Regards

Antoine.
Matt Mackall - May 15, 2013, 8:30 p.m.
On Wed, 2013-05-15 at 21:48 +0200, Antoine Pitrou wrote:
> On Wed, 15 May 2013 15:32:07 -0400
> Augie Fackler <raf@durin42.com> wrote:
> > # HG changeset patch
> > # User Augie Fackler <raf@durin42.com>
> > # Date 1368646190 14400
> > #      Wed May 15 15:29:50 2013 -0400
> > # Branch stable
> > # Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b
> > # Parent  278057693a1ddb93f95fa641e30e7a966ac98434
> > httpconnection: force SSLv3 if the ssl module is available
> 
> Why SSLv3? Is it so that SSLv2 is disabled?

Yes. Most web browsers disabled v2 quite some time ago, so this should
be pretty safe. IE7 did so in 2006, for instance.

> Note that recent 2.7 versions disable SSLv2 ciphers:
> http://hg.python.org/cpython/file/149340b3004a/Lib/ssl.py#l95

I've cc:ed you on:

http://bz.selenic.com/show_bug.cgi?id=3905

See this comment in particular:

http://bz.selenic.com/show_bug.cgi?id=3905#c22

Also note that we'll probably have users on Python < 2.7 for a number of
years yet.
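
The thread's underlying question, how to rule out SSLv2 without pinning the client to one protocol version, shown against the modern ssl API as an added example. This is not Mercurial code and not part of the original thread; it assumes Python 3.7 or later (SSLContext.minimum_version, ssl.TLSVersion and PROTOCOL_TLS_CLIENT did not exist in the 2013-era interpreters discussed above), and the function names are mine.

```python
import ssl

# Oldest-to-newest order; ssl.TLSVersion is an IntEnum that compares in this order.
_ORDERED = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def make_client_context(min_name="TLSv1_2", max_name=None):
    """Client context that negotiates any version at or above a floor.

    A floor keeps every newer version on the table, unlike a single-version
    selection such as PROTOCOL_SSLv3 in the patch under discussion.
    Passing max_name == min_name reproduces that kind of single-version pin.
    (Hypothetical helper written for this example.)
    """
    # PROTOCOL_TLS_CLIENT negotiates the highest version both sides support and
    # enables certificate verification plus hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion[min_name]
    if max_name is not None:
        ctx.maximum_version = ssl.TLSVersion[max_name]
    return ctx


def negotiable_versions(ctx):
    """Names of the protocol versions inside the context's declared window.

    This reports the floor/ceiling the context advertises; the linked OpenSSL
    may still lack some of them (SSLv3 is usually compiled out entirely).
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "no bound".
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _ORDERED[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _ORDERED[-1]
    return [v.name for v in _ORDERED if lo <= v <= hi]


def context_summary(ctx):
    """Small report of the protocol window and the certificate policy."""
    return {
        "versions": negotiable_versions(ctx),
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    floor = make_client_context()                       # TLS 1.2 and newer
    pinned = make_client_context("TLSv1_2", "TLSv1_2")  # one version only
    print("floor :", context_summary(floor))
    print("pinned:", context_summary(pinned))
```

The design point is the difference between a floor and a pin: the floor context still accepts TLS 1.3 when the server offers it, while the pinned context behaves like the patch's PROTOCOL_SSLv3 and refuses everything but the one version, which is also why a pin breaks as soon as servers retire that version.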

Patch

diff --git a/mercurial/httpconnection.py b/mercurial/httpconnection.py
--- a/mercurial/httpconnection.py
+++ b/mercurial/httpconnection.py
@@ -279,6 +279,13 @@ 
             kwargs['keyfile'] = keyfile
         if certfile:
             kwargs['certfile'] = certfile
+        try:
+            import ssl
+            kwargs['ssl_version'] = ssl.PROTOCOL_SSLv3
+        except ImportError:
+            # Python < 2.6 won't have an ssl module, so we can't force SSLv3.
+            pass
+
 
         kwargs.update(sslutil.sslkwargs(self.ui, host))
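
Review bot: the new `kwargs['ssl_version'] = ssl.PROTOCOL_SSLv3` line pins the client to SSLv3 only; in Python's ssl module (and the OpenSSL SSLv3 method behind it) PROTOCOL_SSLv3 does not mean "SSLv3 or newer", so this hunk also refuses TLS 1.0 and later and will fail against servers that have SSLv3 switched off. If the aim is only to rule out SSLv2, keep the negotiating default and disable SSLv2 specifically, through OP_NO_SSLv2 on interpreters whose ssl module exposes it; the `sslutil.sslkwargs(self.ui, host)` call in the trailing context line is also the natural home for a protocol policy, since anything it returns overwrites entries set earlier in `kwargs`, including this one. Minor: the added `+` blank line leaves two consecutive blank lines before the `kwargs.update` call.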