sslutil: force SSLv3 on Python 2.6 and later (issue3905)
We can't (easily) force SSL version on older Pythons, but on 2.6 and
later we can force SSLv3, which is safer and widely supported. This
also appears to work around a bug in IIS detailed in issue 3905.
--- a/mercurial/sslutil.py Wed Jul 24 14:45:29 2013 -0400
+++ b/mercurial/sslutil.py Wed Jul 24 14:51:13 2013 -0400
@@ -17,7 +17,8 @@
def ssl_wrap_socket(sock, keyfile, certfile,
cert_reqs=ssl.CERT_NONE, ca_certs=None):
sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
- cert_reqs=cert_reqs, ca_certs=ca_certs)
+ cert_reqs=cert_reqs, ca_certs=ca_certs,
+ ssl_version=ssl.PROTOCOL_SSLv3)
# check if wrap_socket failed silently because socket had been closed
# - see http://bugs.python.org/issue13721
if not sslsocket.cipher():