Mercurial Mercurial > hg / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | zip | gz | bz2 | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: prevent CRIME
authorGregory Szorc <gregory.szorc@gmail.com>
Thu, 14 Jul 2016 20:07:10 -0700
changeset 29558 a935cd7d51a6
parent 29557 53de8255ec4e
child 29559 7dec5e441bf7
sslutil: prevent CRIME ssl.create_default_context() disables compression on the TLS channel in order to prevent CRIME. I think we should follow CPython's lead and attempt to disable channel compression in order to help prevent information leakage. Sadly, I don't think there is anything we can do on Python versions that don't have an SSLContext, as there is no way to set channel options with the limited ssl API.
mercurial/sslutil.py file | annotate | diff | comparison | revisions 
--- a/mercurial/sslutil.py	Thu Jul 14 19:56:39 2016 -0700
+++ b/mercurial/sslutil.py	Thu Jul 14 20:07:10 2016 -0700
@@ -155,6 +155,10 @@
     # is available. Be careful when adding flags!
     s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
 
+    # Prevent CRIME.
+    # There is no guarantee this attribute is defined on the module.
+    s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
     fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
Mercurial