[issue2407] mercurial fails to verify ssl validity in https connections

dave b bugs at mercurial.selenic.com
Wed Sep 29 10:03:37 CDT 2010


New submission from dave b <db.pub.mail at gmail.com>:

This is bad because the HTTPS implementation you are using (even wrapped
using ssl) is broken as per bug http://bugs.python.org/issue1589,
as Mercurial seems not to verify the common name.
So your application is vulnerable: as long as I have a certificate signed by
a CA in the CA store, I can MITM it.

----------
messages: 13781
nosy: db
priority: critical
status: unread
title: mercurial fails to verify ssl validity in https connections

____________________________________________________
Mercurial issue tracker <bugs at mercurial.selenic.com>
<http://mercurial.selenic.com/bts/issue2407>
____________________________________________________
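
An added illustration, not part of the original report and not Mercurial's own code: the check the report says is missing, written against the dict that Python's ssl.SSLSocket.getpeercert() returns once the chain has been validated. The function names and the sample certificates are assumptions made for this example.

```python
# Added illustration: hostname check over the dict returned by
# ssl.SSLSocket.getpeercert(). Sample certificates below are constructed.
import ssl


def _label_match(pattern, hostname):
    """Match one DNS name pattern; '*' may only be the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard covers exactly one label and needs two fixed labels after it
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(cert, hostname):
    """True if the (already chain-validated) certificate names `hostname`."""
    if not cert:
        return False  # no validated certificate at all
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Fall back to commonName only when no dNSName entries exist
        for rdn in cert.get("subject", ()):
            dns_names += [v for k, v in rdn if k == "commonName"]
    return any(_label_match(name, hostname) for name in dns_names)


def hardened_context():
    """Client context that validates the chain AND the hostname."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


# Constructed samples: assume both chain to a trusted CA; only one names the server.
SERVER_CERT = {"subject": ((("commonName", "hg.example.org"),),),
               "subjectAltName": (("DNS", "hg.example.org"),
                                  ("DNS", "*.hg.example.org"))}
OTHER_CERT = {"subject": ((("commonName", "attacker.example.net"),),)}

if __name__ == "__main__":
    for cert in (SERVER_CERT, OTHER_CERT):
        print(cert_matches_host(cert, "hg.example.org"))
```

A client that validates only the chain accepts both sample certificates for hg.example.org; the name check is what rejects the second one.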

