[PATCH] httpconnection: force SSLv3 if the ssl module is available

Matt Mackall mpm at selenic.com
Wed May 15 15:30:48 CDT 2013


On Wed, 2013-05-15 at 21:48 +0200, Antoine Pitrou wrote:
> On Wed, 15 May 2013 15:32:07 -0400
> Augie Fackler <raf at durin42.com> wrote:
> > # HG changeset patch
> > # User Augie Fackler <raf at durin42.com>
> > # Date 1368646190 14400
> > #      Wed May 15 15:29:50 2013 -0400
> > # Branch stable
> > # Node ID 900ab7c23f9ed458a8fc58ad3db239de8568f87b
> > # Parent  278057693a1ddb93f95fa641e30e7a966ac98434
> > httpconnection: force SSLv3 if the ssl module is available
> 
> Why SSLv3? Is it so that SSLv2 is disabled?

Yes. Most web browsers disabled v2 quite some time ago, so this should
be pretty safe. IE7 did so in 2006, for instance.

> Note that recent 2.7 versions disable SSLv2 ciphers:
> http://hg.python.org/cpython/file/149340b3004a/Lib/ssl.py#l95

I've cc:ed you on:

http://bz.selenic.com/show_bug.cgi?id=3905

See this comment in particular:

http://bz.selenic.com/show_bug.cgi?id=3905#c22

Also note that we'll probably have users on Python < 2.7 for a number of
years yet.

-- 
Mathematics is the supreme nostalgia of our time.



