changeset 29558:a935cd7d51a6

sslutil: prevent CRIME

ssl.create_default_context() disables compression on the TLS channel in order to prevent CRIME. I think we should follow CPython's lead and attempt to disable channel compression in order to help prevent information leakage. Sadly, I don't think there is anything we can do on Python versions that don't have an SSLContext, as there is no way to set channel options with the limited ssl API.
author Gregory Szorc <gregory.szorc@gmail.com>
date Thu, 14 Jul 2016 20:07:10 -0700
parents 53de8255ec4e
children 7dec5e441bf7
files mercurial/sslutil.py
diffstat 1 files changed, 4 insertions(+), 0 deletions(-)
--- a/mercurial/sslutil.py	Thu Jul 14 19:56:39 2016 -0700
+++ b/mercurial/sslutil.py	Thu Jul 14 20:07:10 2016 -0700
@@ -155,6 +155,10 @@
     # is available. Be careful when adding flags!
     s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
 
+    # Prevent CRIME.
+    # There is no guarantee this attribute is defined on the module.
+    s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
     fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
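Review bot: the `getattr(ssl, 'OP_NO_COMPRESSION', 0)` fallback on the third added line silently leaves TLS compression enabled whenever the running Python's ssl module lacks the attribute, and nothing records that the protection was skipped. Since `ui` is already in scope here (it is used for `ui.configlist` just below), consider emitting a `ui.debug(...)` message in that branch so a user diagnosing a connection can tell the option was unavailable, and expand the comment "There is no guarantee this attribute is defined on the module." to say that the constant depends on the Python and OpenSSL versions the interpreter was built against, so readers know why the fallback exists rather than treating it as a stray defensive check.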