Mercurial > hg
changeset 23069:22db405536be stable
sslutil: only support TLS (BC)
In light of the POODLE[0] attack on SSLv3, let's just drop the ability to
use anything older than TLSv1 entirely.
This only fixes the client side. Another commit will fix the server
side. There are still a few SSLv[23] constants hiding in httpclient,
but I'll fix those separately upstream and import them when we're not
in a code freeze.
0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
author | Augie Fackler <raf@durin42.com> |
---|---|
date | Tue, 21 Oct 2014 17:01:23 -0400 |
parents | fb3e63c603e8 |
children | c289fb3624b8 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 1 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Wed Oct 22 16:10:23 2014 +0200 +++ b/mercurial/sslutil.py Tue Oct 21 17:01:23 2014 -0400 @@ -14,7 +14,6 @@ # avoid using deprecated/broken FakeSocket in python 2.6 import ssl CERT_REQUIRED = ssl.CERT_REQUIRED - PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1, cert_reqs=ssl.CERT_NONE, ca_certs=None): @@ -29,7 +28,6 @@ except ImportError: CERT_REQUIRED = 2 - PROTOCOL_SSLv23 = 2 PROTOCOL_TLSv1 = 3 import socket, httplib @@ -103,12 +101,7 @@ exe.startswith('/system/library/frameworks/python.framework/')) def sslkwargs(ui, host): - forcetls = ui.configbool('ui', 'tls', default=True) - if forcetls: - ssl_version = PROTOCOL_TLSv1 - else: - ssl_version = PROTOCOL_SSLv23 - kws = {'ssl_version': ssl_version, + kws = {'ssl_version': PROTOCOL_TLSv1, } hostfingerprint = ui.config('hostfingerprints', host) if hostfingerprint: