# HG changeset patch
# User Gregory Szorc
# Date 1468552030 25200
# Node ID a935cd7d51a6fda1b6e7edfd12396bd11c12b483
# Parent 53de8255ec4e33ba1ef783e737c6c18449afa5f0
sslutil: prevent CRIME

ssl.create_default_context() disables compression on the TLS channel in order to prevent CRIME. I think we should follow CPython's lead and attempt to disable channel compression in order to help prevent information leakage. Sadly, I don't think there is anything we can do on Python versions that don't have an SSLContext, as there is no way to set channel options with the limited ssl API.

diff -r 53de8255ec4e -r a935cd7d51a6 mercurial/sslutil.py
--- a/mercurial/sslutil.py Thu Jul 14 19:56:39 2016 -0700
+++ b/mercurial/sslutil.py Thu Jul 14 20:07:10 2016 -0700
@@ -155,6 +155,10 @@
# is available. Be careful when adding flags!
s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3

+ # Prevent CRIME.
+ # There is no guarantee this attribute is defined on the module.
+ s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+
# Look for fingerprints in [hostsecurity] section. Value is a list
# of : strings.
fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
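Review bot: The `getattr(ssl, 'OP_NO_COMPRESSION', 0)` fallback on the third added line is silent, so on an interpreter or OpenSSL build that does not expose the flag the option is simply not set and nobody can tell that TLS compression is still enabled. Since `ui` is already in scope (it is used by the `ui.configlist` call two lines below), the degraded case could be made observable with `if not hasattr(ssl, 'OP_NO_COMPRESSION'): ui.debug('ssl.OP_NO_COMPRESSION unavailable; TLS compression cannot be disabled\n')` placed before the `|=` line. The comment `# Prevent CRIME.` would also read better as `# Prevent CRIME: disable TLS-level compression where the ssl module exposes the flag; on older builds the getattr falls back to 0 and the option is left unset.`, so a maintainer sees the limitation without reading the commit message. The function that owns `s['ctxoptions']` starts and ends outside this hunk, so whether these options are applied only on the SSLContext path (as the commit message says) cannot be confirmed from here.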