Patchwork [3,of,3,stable] sslutil: force SSLv3 on Python 2.6 and later (issue3905)

Submitter Augie Fackler
Date July 24, 2013, 9:07 p.m.
Message ID <58f0ee4a5e6f8de1336d.1374700049@augie-macbookair>
Permalink /patch/1950/
State Accepted
Commit 074bd02352c04fe33f8989de38a40aea73754293

Comments

Augie Fackler - July 24, 2013, 9:07 p.m.
# HG changeset patch
# User Augie Fackler <raf@durin42.com>
# Date 1374691873 14400
#      Wed Jul 24 14:51:13 2013 -0400
# Branch stable
# Node ID 58f0ee4a5e6f8de1336dbb9d90dce28a6d9c7b4d
# Parent  5ce42b0831fd08e1d2a5508b29b6d35fb3aa4526
sslutil: force SSLv3 on Python 2.6 and later (issue3905)

We can't (easily) force SSL version on older Pythons, but on 2.6 and
later we can force SSLv3, which is safer and widely supported. This
also appears to work around a bug in IIS detailed in issue 3905.

Matt Mackall - July 25, 2013, 5:51 a.m.
On Wed, 2013-07-24 at 17:07 -0400, Augie Fackler wrote:
> # HG changeset patch
> # User Augie Fackler <raf@durin42.com>
> # Date 1374691873 14400
> #      Wed Jul 24 14:51:13 2013 -0400
> # Branch stable
> # Node ID 58f0ee4a5e6f8de1336dbb9d90dce28a6d9c7b4d
> # Parent  5ce42b0831fd08e1d2a5508b29b6d35fb3aa4526
> sslutil: force SSLv3 on Python 2.6 and later (issue3905)
> 
> We can't (easily) force SSL version on older Pythons, but on 2.6 and
> later we can force SSLv3, which is safer and widely supported. This
> also appears to work around a bug in IIS detailed in issue 3905.

These are queued for stable, thanks. Hopefully we can get someone to
test them before release.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -17,7 +17,8 @@ 
     def ssl_wrap_socket(sock, keyfile, certfile,
                 cert_reqs=ssl.CERT_NONE, ca_certs=None):
         sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
-                cert_reqs=cert_reqs, ca_certs=ca_certs)
+                cert_reqs=cert_reqs, ca_certs=ca_certs,
+                ssl_version=ssl.PROTOCOL_SSLv3)
         # check if wrap_socket failed silently because socket had been closed
         # - see http://bugs.python.org/issue13721
         if not sslsocket.cipher():
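Review bot: `ssl_version=ssl.PROTOCOL_SSLv3` pins the handshake to exactly SSLv3 rather than setting a minimum version, so a server that has SSLv3 disabled and accepts only TLS will now fail to connect where the previous default-negotiated `ssl.wrap_socket(...)` call succeeded; the commit message's "safer and widely supported" claim should spell out that trade-off, and `ssl.PROTOCOL_TLSv1` (also available on Python 2.6) would give the same version-forcing without excluding TLS-only peers. The hunk also adds no handling for the `ssl.SSLError` a version mismatch raises, so the existing `if not sslsocket.cipher():` check below will never be reached in that case and the user gets a bare traceback instead of a hint that the protocol version was the problem.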