[PATCH 3 of 3 stable] sslutil: force SSLv3 on Python 2.6 and later (issue3905)

Augie Fackler raf at durin42.com
Wed Jul 24 16:07:29 CDT 2013


# HG changeset patch
# User Augie Fackler <raf at durin42.com>
# Date 1374691873 14400
#      Wed Jul 24 14:51:13 2013 -0400
# Branch stable
# Node ID 58f0ee4a5e6f8de1336dbb9d90dce28a6d9c7b4d
# Parent  5ce42b0831fd08e1d2a5508b29b6d35fb3aa4526
sslutil: force SSLv3 on Python 2.6 and later (issue3905)

We can't (easily) force SSL version on older Pythons, but on 2.6 and
later we can force SSLv3, which is safer and widely supported. This
also appears to work around a bug in IIS detailed in issue 3905.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -17,7 +17,8 @@
     def ssl_wrap_socket(sock, keyfile, certfile,
                 cert_reqs=ssl.CERT_NONE, ca_certs=None):
         sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
-                cert_reqs=cert_reqs, ca_certs=ca_certs)
+                cert_reqs=cert_reqs, ca_certs=ca_certs,
+                ssl_version=ssl.PROTOCOL_SSLv3)
         # check if wrap_socket failed silently because socket had been closed
         # - see http://bugs.python.org/issue13721
         if not sslsocket.cipher():
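Review bot: The new `ssl_version=ssl.PROTOCOL_SSLv3` argument on the `ssl.wrap_socket` call pins every connection made through `ssl_wrap_socket` to exactly SSLv3, so a server that accepts only TLS 1.0 or newer will fail the handshake with no fallback, and nothing in the code says why the version is pinned. Add a comment beside the argument that references issue3905, and consider accepting the protocol as a parameter or config setting instead of hard-coding it at the call site. Note too that the unchanged signature still defaults to `cert_reqs=ssl.CERT_NONE`, so forcing the protocol does not by itself give an authenticated connection unless callers pass a stricter value.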

