[PATCH 2 of 2 ?] hgweb: disable SSLv3 serving

Augie Fackler raf at durin42.com
Tue Oct 21 21:30:50 CDT 2014


On Tue, Oct 21, 2014 at 03:18:26PM -0700, Brendan Cully wrote:
> On Tuesday, 21 October 2014 at 15:13, Gregory Szorc wrote:
> > On 10/21/14 2:17 PM, Augie Fackler wrote:
> > ># HG changeset patch
> > ># User Augie Fackler <raf at durin42.com>
> > ># Date 1413925777 14400
> > >#      Tue Oct 21 17:09:37 2014 -0400
> > ># Branch stable
> > ># Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
> > ># Parent  27430ddc25a17a93b72245a406e8667eafcf43f0
> > >hgweb: disable SSLv3 serving
> > >
> > >Because of recent attacks[0] on SSLv3, let's just drop support entirely.
> > >
> > >0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
> >
> > I want to support this patch series because security. But there are still
> > people who insist on running SSLv3 because they can't control what their
> > clients have.
> >
> > I could imagine people thinking "my exposure to Poodle is negligible since
> > everything is behind my corp firewall / VPN; it's a lot of work to upgrade
> > all the legacy clients stuck on SSLv3; I'll just not upgrade Mercurial
> > because that's easiest."
> >
> > As much as I would like to force everyone into a more secure future, I think
> > we should consider a config option to enable server operators to continue
> > serving SSLv3 so people can get modern HG without having to worry about
> > compatibility. server.allow_insecure_legacy_crypto=true or something
> > attention-grabbing.
>
> How about allowing plain http? :)

I have to admit, I dithered about this patch. In the end, I decided to
send it because if you're using SSLv3 at this point, you're not
actually *getting* real security, so I think it's better overall to
just cut SSLv3 support entirely.

I'd be open-ish to a version of this that had a flag like `[server]
insecure_enable_sslv3 = yes` or something similar. Would that ease
your concerns?
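The opt-in flag Augie floats, as an added example (not code from the patch or from Mercurial): a server-side SSL context builder that refuses SSLv3 by default and re-enables it only when `[server] insecure_enable_sslv3` is truthy. It assumes a modern Python `ssl` module (hgweb in 2014 wrapped sockets differently), and the hgrc fragments are constructed samples.

```python
import configparser
import ssl

# Constructed sample hgrc fragments (not from the patch): the default, and the
# opt-in key proposed in the thread.
DEFAULT_HGRC = "[server]\n"
LEGACY_HGRC = "[server]\ninsecure_enable_sslv3 = yes\n"

TRUE_WORDS = {"1", "yes", "true", "on", "always"}


def sslv3_enabled(hgrc_text):
    """True only if [server] insecure_enable_sslv3 is explicitly truthy."""
    cfg = configparser.ConfigParser()
    cfg.read_string(hgrc_text)
    value = cfg.get("server", "insecure_enable_sslv3", fallback="no")
    return value.strip().lower() in TRUE_WORDS


def build_server_context(hgrc_text, certfile=None, keyfile=None):
    """Server-side SSLContext with a TLSv1 floor (the literal effect of
    dropping SSLv3), unless the operator has explicitly opted back in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if sslv3_enabled(hgrc_text):
        try:
            # OpenSSL honours both the OP_NO_SSLv3 flag and the minimum
            # version, so both must be relaxed to actually serve SSLv3.
            ctx.options &= ~ssl.OP_NO_SSLv3
            ctx.minimum_version = ssl.TLSVersion.SSLv3
        except ValueError as exc:
            # Most OpenSSL builds no longer contain SSLv3 at all; fail
            # loudly rather than silently serving a different floor.
            raise RuntimeError("this OpenSSL build cannot serve SSLv3") from exc
    else:
        # A TLSv1 floor matches the 2014 change; a current deployment would
        # raise it further (TLSv1_2).
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def serves_sslv3(ctx):
    """Audit helper: would this context still negotiate SSLv3?"""
    return (not ctx.options & ssl.OP_NO_SSLv3
            and ctx.minimum_version <= ssl.TLSVersion.SSLv3)
```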

