Mercurial > hg
comparison mercurial/sslutil.py @ 29558:a935cd7d51a6
sslutil: prevent CRIME
ssl.create_default_context() disables compression on the TLS channel
in order to prevent CRIME. I think we should follow CPython's lead
and attempt to disable channel compression in order to help prevent
information leakage.
Sadly, I don't think there is anything we can do on Python versions
that don't have an SSLContext, as there is no way to set channel
options with the limited ssl API.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Thu, 14 Jul 2016 20:07:10 -0700 |
| parents | 53de8255ec4e |
| children | 7dec5e441bf7 |
comparison
equal
deleted
inserted
replaced
| 29557:53de8255ec4e | 29558:a935cd7d51a6 |
|---|---|
| 153 # SSLv2 and SSLv3 are broken. We ban them outright. | 153 # SSLv2 and SSLv3 are broken. We ban them outright. |
| 154 # WARNING: ctxoptions doesn't have an effect unless the modern ssl module | 154 # WARNING: ctxoptions doesn't have an effect unless the modern ssl module |
| 155 # is available. Be careful when adding flags! | 155 # is available. Be careful when adding flags! |
| 156 s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3 | 156 s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3 |
| 157 | 157 |
| 158 # Prevent CRIME. | |
| 159 # There is no guarantee this attribute is defined on the module. | |
| 160 s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0) | |
| 161 | |
| 158 # Look for fingerprints in [hostsecurity] section. Value is a list | 162 # Look for fingerprints in [hostsecurity] section. Value is a list |
| 159 # of <alg>:<fingerprint> strings. | 163 # of <alg>:<fingerprint> strings. |
| 160 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, | 164 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname, |
| 161 []) | 165 []) |
| 162 for fingerprint in fingerprints: | 166 for fingerprint in fingerprints: |