[PATCH 2 of 2 ?] hgweb: disable SSLv3 serving

Gregory Szorc gregory.szorc at gmail.com
Tue Oct 21 17:32:52 CDT 2014


On 10/21/14 3:18 PM, Brendan Cully wrote:
> On Tuesday, 21 October 2014 at 15:13, Gregory Szorc wrote:
>> On 10/21/14 2:17 PM, Augie Fackler wrote:
>>> # HG changeset patch
>>> # User Augie Fackler <raf at durin42.com>
>>> # Date 1413925777 14400
>>> #      Tue Oct 21 17:09:37 2014 -0400
>>> # Branch stable
>>> # Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
>>> # Parent  27430ddc25a17a93b72245a406e8667eafcf43f0
>>> hgweb: disable SSLv3 serving
>>>
>>> Because of recent attacks[0] on SSLv3, let's just drop support entirely.
>>>
>>> 0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>>
>> I want to support this patch series because security. But there are still
>> people who insist on running SSLv3 because they can't control what their
>> clients have.
>>
>> I could imagine people thinking "my exposure to Poodle is negligible since
>> everything is behind my corp firewall / VPN; it's a lot of work to upgrade
>> all the legacy clients stuck on SSLv3; I'll just not upgrade Mercurial
>> because that's easiest."
>>
>> As much as I would like to force everyone into a more secure future, I think
>> we should consider a config option to enable server operators to continue
>> serving SSLv3 so people can get modern HG without having to worry about
>> compatibility. server.allow_insecure_legacy_crypto=true or something
>> attention-grabbing.
>
> How about allowing plain http? :)

That's still backwards incompatible. People want the upgrade to "just 
work" [with minimal effort]. Modifying existing clients - even a simple 
change to switch from https:// to http:// - could be too costly and may 
prevent them from upgrading.
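As an added illustration, not code from this thread or from Mercurial itself, the sketch below shows how the opt-in knob Gregory proposes could gate SSLv3 with Python's ssl module: the default path floors the protocol at TLS 1.0 (SSLv3 can never be negotiated), while the opt-in clears the SSLv3 prohibition Python applies to every new context. The config key name comes from the thread; the accepted boolean spellings, the helper names and the fact that this is independent of hgweb's own server code are assumptions.

```python
import ssl
import warnings

# Accepted spellings for the proposed server.allow_insecure_legacy_crypto
# knob (hypothetical parsing rules, modelled on hgrc-style booleans).
_TRUE = {"1", "yes", "true", "on", "always"}
_FALSE = {"", "0", "no", "false", "off", "never"}

def allow_insecure_legacy_crypto(value):
    """Interpret the config value; an unset key means the safe default (off)."""
    if value is None:
        return False
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("server.allow_insecure_legacy_crypto: not a boolean: %r" % value)

def server_ssl_context(allow_legacy=False):
    """Server-side SSLContext: SSLv3 refused unless the operator opted in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Recent Pythons flag TLS 1.0 and the OP_NO_* bits as deprecated;
        # that is noise for this demonstration, not an error.
        warnings.simplefilter("ignore", DeprecationWarning)
        if allow_legacy:
            # Opt-in: remove the SSLv3 prohibition Python sets by default and
            # drop the protocol floor. Whether SSLv3 then actually negotiates
            # depends on the OpenSSL build; modern builds omit it entirely.
            ctx.options &= ~ssl.OP_NO_SSLv3
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        else:
            # Patch behaviour: floor the protocol at TLS 1.0, so SSLv3 is
            # never negotiated regardless of what a legacy client offers.
            ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

def sslv3_refused(ctx):
    """True if the context can never negotiate SSLv3 (floor or OP_NO bit)."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1
            or bool(ctx.options & ssl.OP_NO_SSLv3))

def context_for_config(value):
    """Glue: raw config string straight to a server context."""
    return server_ssl_context(allow_insecure_legacy_crypto(value))
```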
