Mercurial > hg
changeset 29558:a935cd7d51a6
sslutil: prevent CRIME
ssl.create_default_context() disables compression on the TLS channel
in order to prevent CRIME. I think we should follow CPython's lead
and attempt to disable channel compression in order to help prevent
information leakage.
Sadly, I don't think there is anything we can do on Python versions
that don't have an SSLContext, as there is no way to set channel
options with the limited ssl API.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Thu, 14 Jul 2016 20:07:10 -0700 |
parents | 53de8255ec4e |
children | 7dec5e441bf7 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 4 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Thu Jul 14 19:56:39 2016 -0700 +++ b/mercurial/sslutil.py Thu Jul 14 20:07:10 2016 -0700 @@ -155,6 +155,10 @@ # is available. Be careful when adding flags! s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3 + # Prevent CRIME. + # There is no guarantee this attribute is defined on the module. + s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0) + # Look for fingerprints in [hostsecurity] section. Value is a list # of <alg>:<fingerprint> strings. fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,