[PATCH 2 of 2 🐩] hgweb: disable SSLv3 serving

Gregory Szorc gregory.szorc at gmail.com
Tue Oct 21 17:13:37 CDT 2014


On 10/21/14 2:17 PM, Augie Fackler wrote:
> # HG changeset patch
> # User Augie Fackler <raf at durin42.com>
> # Date 1413925777 14400
> #      Tue Oct 21 17:09:37 2014 -0400
> # Branch stable
> # Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
> # Parent  27430ddc25a17a93b72245a406e8667eafcf43f0
> hgweb: disable SSLv3 serving
>
> Because of recent attacks[0] on SSLv3, let's just drop support entirely.
>
> 0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

I want to support this patch series because security. But there are 
still people who insist on running SSLv3 because they can't control what 
their clients have.

I could imagine people thinking "my exposure to Poodle is negligible 
since everything is behind my corp firewall / VPN; it's a lot of work to 
upgrade all the legacy clients stuck on SSLv3; I'll just not upgrade 
Mercurial because that's easiest."

As much as I would like to force everyone into a more secure future, I 
think we should consider a config option to enable server operators to 
continue serving SSLv3 so people can get modern HG without having to 
worry about compatibility. server.allow_insecure_legacy_crypto=true or 
something attention-grabbing.
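How such a knob could be wired into the server-side TLS setup, as an added example that is not code from Mercurial or from anyone in this thread. It uses only Python's standard ssl module; the function names and the allow_insecure_legacy_crypto option (named after the one floated above) are assumptions, and on the interpreters this runs under SSLv3 is usually compiled out of OpenSSL altogether, so the escape hatch can only reopen it where the linked library still offers it.

```python
import ssl


def build_server_context(certfile=None, keyfile=None,
                         allow_insecure_legacy_crypto=False):
    """Build the server-side TLS context for an hgweb-style HTTPS server.

    The default floor is TLS 1.0, so SSLv3 (the protocol POODLE exploits)
    and SSLv2 can never be negotiated while legacy TLS clients keep working.
    The hypothetical allow_insecure_legacy_crypto knob is the opt-in escape
    hatch discussed above: it lowers the floor to SSLv3, but only where the
    linked OpenSSL was built with SSLv3 at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if allow_insecure_legacy_crypto and ssl.HAS_SSLv3:
        # Weak setting: the minimum_version setter also clears OP_NO_SSLv3,
        # so an SSLv3-only client can complete a handshake again.
        ctx.minimum_version = ssl.TLSVersion.SSLv3
    else:
        # Corrected setting: nothing older than TLS 1.0 is offered.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def sslv3_negotiable(ctx):
    """True if this context could still complete an SSLv3 handshake:
    the protocol floor admits SSLv3 and the OP_NO_SSLv3 option is clear."""
    floor_allows = ctx.minimum_version <= ssl.TLSVersion.SSLv3
    option_allows = not (ctx.options & ssl.OP_NO_SSLv3)
    return bool(floor_allows and option_allows)


def legacy_sslv3_available():
    """Whether the OpenSSL this interpreter links against ships SSLv3."""
    return bool(ssl.HAS_SSLv3)


if __name__ == "__main__":
    for knob in (False, True):
        ctx = build_server_context(allow_insecure_legacy_crypto=knob)
        print("allow_insecure_legacy_crypto=%s -> floor %s, SSLv3 negotiable: %s"
              % (knob, ctx.minimum_version.name, sslv3_negotiable(ctx)))
```

The knob is off by default and does nothing on a build whose OpenSSL lacks SSLv3, so the secure behaviour is what an operator gets unless they deliberately flip the loud-sounding option; sslv3_negotiable is the check an operator can run against the context to confirm which state the server is actually in.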
