# HG changeset patch
# User Augie Fackler
# Date 1413925283 14400
# Node ID 22db405536beca6cbfbb7e397816b244ea9da101
# Parent fb3e63c603e8f6c19d6c1f6a56e9b1b21e7ee348
sslutil: only support TLS (BC)
In light of the POODLE[0] attack on SSLv3, let's just drop the ability to use anything older than TLSv1 entirely. This only fixes the client side. Another commit will fix the server side. There are still a few SSLv[23] constants hiding in httpclient, but I'll fix those separately upstream and import them when we're not in a code freeze. 0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
diff -r fb3e63c603e8 -r 22db405536be mercurial/sslutil.py
--- a/mercurial/sslutil.py Wed Oct 22 16:10:23 2014 +0200
+++ b/mercurial/sslutil.py Tue Oct 21 17:01:23 2014 -0400
@@ -14,7 +14,6 @@
 # avoid using deprecated/broken FakeSocket in python 2.6
 import ssl
 CERT_REQUIRED = ssl.CERT_REQUIRED
- PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
 cert_reqs=ssl.CERT_NONE, ca_certs=None):
@@ -29,7 +28,6 @@
 except ImportError:
 CERT_REQUIRED = 2
- PROTOCOL_SSLv23 = 2
 PROTOCOL_TLSv1 = 3
 import socket, httplib
@@ -103,12 +101,7 @@
 exe.startswith('/system/library/frameworks/python.framework/'))
 def sslkwargs(ui, host):
- forcetls = ui.configbool('ui', 'tls', default=True)
- if forcetls:
- ssl_version = PROTOCOL_TLSv1
- else:
- ssl_version = PROTOCOL_SSLv23
- kws = {'ssl_version': ssl_version,
+ kws = {'ssl_version': PROTOCOL_TLSv1,
 }
 hostfingerprint = ui.config('hostfingerprints', host)
 if hostfingerprint:
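Review bot: In Python 2's ssl module `PROTOCOL_TLSv1` selects exactly TLS 1.0, not "TLS 1.0 or newer", so the new `kws = {'ssl_version': PROTOCOL_TLSv1,` in sslkwargs removes SSLv3 but also forbids negotiating TLS 1.1/1.2 with servers that offer them, which is the opposite of the intended direction of travel after POODLE. Where the interpreter exposes `ssl.SSLContext` and `OP_NO_SSLv3`, the usual fix is `PROTOCOL_SSLv23` with `OP_NO_SSLv2 | OP_NO_SSLv3` (a floor rather than a pin), falling back to `PROTOCOL_TLSv1` only on older Pythons; at minimum record the limitation next to the literal, e.g. `# PROTOCOL_TLSv1 pins TLS 1.0 exactly (no 1.1/1.2); revisit once SSLContext/OP_NO_SSLv3 is available`. The removed `ui.tls` option is now read by nobody, so a user who had `tls = False` gets a silently changed handshake with no hint why it started failing — a one-line `ui.warn` when the key is present (or a BC note in the release notes) would help. The body of sslkwargs continues beyond this hunk.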