[PATCH 2 of 2 🐩] hgweb: disable SSLv3 serving
Augie Fackler
raf at durin42.com
Tue Oct 21 21:17:50 UTC 2014
# HG changeset patch
# User Augie Fackler <raf at durin42.com>
# Date 1413925777 14400
# Tue Oct 21 17:09:37 2014 -0400
# Branch stable
# Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
# Parent 27430ddc25a17a93b72245a406e8667eafcf43f0
hgweb: disable SSLv3 serving
Because of recent attacks[0] on SSLv3, let's just drop support entirely.
0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py
--- a/mercurial/hgweb/server.py
+++ b/mercurial/hgweb/server.py
@@ -208,7 +208,7 @@ class _httprequesthandleropenssl(_httpre
OpenSSL.SSL.Context
except ImportError:
raise util.Abort(_("SSL support is unavailable"))
- ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
+ ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
ctx.use_privatekey_file(ssl_cert)
ctx.use_certificate_file(ssl_cert)
sock = socket.socket(httpserver.address_family, httpserver.socket_type)
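Review bot: `OpenSSL.SSL.TLSv1_METHOD` on the added line pins the listener to TLS 1.0 only, so besides dropping SSLv3 it also rules out TLS 1.1 and 1.2 for clients that could negotiate them. Keeping the version-flexible method and masking the old protocols preserves the upgrade path: `ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)` followed by `ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3)`. The same pinning applies to `ssl_version=ssl.PROTOCOL_TLSv1` in the `_httprequesthandlerssl` hunk; `ssl.wrap_socket` takes no options argument, so the equivalent there needs `ssl.SSLContext` with `ssl.OP_NO_SSLv3` on interpreters that provide it, with a comment marking the TLS 1.0 pin as the fallback for older ones. The enclosing method starts before and continues past this hunk.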
@@ -249,8 +249,9 @@ class _httprequesthandlerssl(_httpreques
ssl.wrap_socket
except ImportError:
raise util.Abort(_("SSL support is unavailable"))
- httpserver.socket = ssl.wrap_socket(httpserver.socket, server_side=True,
- certfile=ssl_cert, ssl_version=ssl.PROTOCOL_SSLv23)
+ httpserver.socket = ssl.wrap_socket(
+ httpserver.socket, server_side=True,
+ certfile=ssl_cert, ssl_version=ssl.PROTOCOL_TLSv1)
def setup(self):
self.connection = self.request