Mercurial > hg-stable

changeset 23070:c289fb3624b8 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hgweb: disable SSLv3 serving (BC) Because of recent attacks[0] on SSLv3, let's just drop support entirely. 0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
author Augie Fackler <raf@durin42.com>
date Tue, 21 Oct 2014 17:09:37 -0400
parents 22db405536be
children 652ab726ba93
files mercurial/hgweb/server.py
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/hgweb/server.py	Tue Oct 21 17:01:23 2014 -0400
+++ b/mercurial/hgweb/server.py	Tue Oct 21 17:09:37 2014 -0400
@@ -208,7 +208,7 @@
             OpenSSL.SSL.Context
         except ImportError:
             raise util.Abort(_("SSL support is unavailable"))
-        ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
+        ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
         ctx.use_privatekey_file(ssl_cert)
         ctx.use_certificate_file(ssl_cert)
         sock = socket.socket(httpserver.address_family, httpserver.socket_type)
@@ -249,8 +249,9 @@
             ssl.wrap_socket
         except ImportError:
             raise util.Abort(_("SSL support is unavailable"))
-        httpserver.socket = ssl.wrap_socket(httpserver.socket, server_side=True,
-            certfile=ssl_cert, ssl_version=ssl.PROTOCOL_SSLv23)
+        httpserver.socket = ssl.wrap_socket(
+            httpserver.socket, server_side=True,
+            certfile=ssl_cert, ssl_version=ssl.PROTOCOL_TLSv1)
 
     def setup(self):
         self.connection = self.request