[PATCH 2 of 2 ?] hgweb: disable SSLv3 serving
Brendan Cully
brendan at kublai.com
Tue Oct 21 17:18:26 CDT 2014
On Tuesday, 21 October 2014 at 15:13, Gregory Szorc wrote:
> On 10/21/14 2:17 PM, Augie Fackler wrote:
> ># HG changeset patch
> ># User Augie Fackler <raf at durin42.com>
> ># Date 1413925777 14400
> ># Tue Oct 21 17:09:37 2014 -0400
> ># Branch stable
> ># Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
> ># Parent 27430ddc25a17a93b72245a406e8667eafcf43f0
> >hgweb: disable SSLv3 serving
> >
> >Because of recent attacks[0] on SSLv3, let's just drop support entirely.
> >
> >0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
> I want to support this patch series because security. But there are still
> people who insist on running SSLv3 because they can't control what their
> clients have.
>
> I could imagine people thinking "my exposure to Poodle is negligible since
> everything is behind my corp firewall / VPN; it's a lot of work to upgrade
> all the legacy clients stuck on SSLv3; I'll just not upgrade Mercurial
> because that's easiest."
>
> As much as I would like to force everyone into a more secure future, I think
> we should consider a config option to enable server operators to continue
> serving SSLv3 so people can get modern HG without having to worry about
> compatibility. server.allow_insecure_legacy_crypto=true or something
> attention-grabbing.
How about allowing plain http? :)
More information about the Mercurial-devel
mailing list