[issue2407] mercurial fails to verify ssl validity in https connections
dave b
bugs at mercurial.selenic.com
Wed Sep 29 15:03:37 UTC 2010
New submission from dave b <db.pub.mail at gmail.com>:
This is bad because the HTTPS implementation you are using (even wrapped
using SSL) is broken as per bug http://bugs.python.org/issue1589,
as Mercurial seems not to verify the common name.
So your application is vulnerable: as long as I have a certificate signed by
a CA in the CA store, I can MITM it.
----------
messages: 13781
nosy: db
priority: critical
status: unread
title: mercurial fails to verify ssl validity in https connections
____________________________________________________
Mercurial issue tracker <bugs at mercurial.selenic.com>
<http://mercurial.selenic.com/bts/issue2407>
____________________________________________________
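The missing check described in the report, as an added example that is not part of the original message or of Mercurial's code: after the chain validates, the certificate's names still have to be compared with the host the client asked for. The function names and the sample certificate dicts are constructed for illustration; the dict layout is the one `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl


def _name_matches(pattern, hostname):
    """Compare one certificate name with the requested hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the whole leftmost label, never for a bare TLD.
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(cert, hostname):
    """cert: dict from getpeercert() on a connection whose chain already validated."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Fall back to commonName only when no DNS subjectAltName is present.
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def verifying_context():
    """Client context that validates the chain and the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # already the default here; stated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject peers without a trusted chain
    return ctx


# Constructed samples: both would pass a chain-only check if signed by a trusted CA.
SERVER_CERT = {
    "subject": ((("commonName", "hg.example.org"),),),
    "subjectAltName": (("DNS", "hg.example.org"), ("DNS", "*.hg.example.org")),
}
OTHER_SITE_CERT = {"subject": ((("commonName", "unrelated.example"),),)}

if __name__ == "__main__":
    for label, cert in (("server", SERVER_CERT), ("other site", OTHER_SITE_CERT)):
        print(label, cert_matches_host(cert, "hg.example.org"))
```

A client that only checks the chain accepts both sample certificates for `hg.example.org`; the name comparison is what rejects the second one.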