[PATCH 2 of 2 ?] hgweb: disable SSLv3 serving

Mike Hommey mh at glandium.org
Tue Oct 21 22:36:17 CDT 2014


On Tue, Oct 21, 2014 at 03:13:44PM -0700, Gregory Szorc wrote:
> On 10/21/14 2:17 PM, Augie Fackler wrote:
> ># HG changeset patch
> ># User Augie Fackler <raf at durin42.com>
> ># Date 1413925777 14400
> >#      Tue Oct 21 17:09:37 2014 -0400
> ># Branch stable
> ># Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
> ># Parent  27430ddc25a17a93b72245a406e8667eafcf43f0
> >hgweb: disable SSLv3 serving
> >
> >Because of recent attacks[0] on SSLv3, let's just drop support entirely.
> >
> >0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
> 
> I want to support this patch series because security. But there are still
> people who insist on running SSLv3 because they can't control what their
> clients have.
> 
> I could imagine people thinking "my exposure to Poodle is negligible since
> everything is behind my corp firewall / VPN; it's a lot of work to upgrade
> all the legacy clients stuck on SSLv3; I'll just not upgrade Mercurial
> because that's easiest."

Are there actually versions of python 2.4 that would not come with a
version of openssl that is less than 15 years old? Because that's what
it would take for a client to not support TLSv1: using an openssl
version that's more than 15 years old. I can understand that there would
be environments where only SSLv3 is supported, but does that actually
apply to python >= 2.4, which is the prerequisite for mercurial?

Mike
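Added example, not from the patch or from Mercurial: a standard-library Python audit (function names are mine) that reports which protocol versions a server SSLContext can still negotiate, showing the library-default posture beside an explicit TLS floor of the kind the patch gives hgweb.

```python
"""Report which SSL/TLS protocol versions a server SSLContext will negotiate."""
import ssl

# Weakest to strongest. SSLv2 has no TLSVersion member and cannot be
# negotiated by a modern ssl module at all, so it is left out.
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]

def negotiable_versions(ctx):
    """Names of the versions ctx can negotiate: those inside its
    [minimum_version, maximum_version] window that the linked OpenSSL was
    also built with (ssl.HAS_*). OpenSSL's security level and the cipher
    list can narrow this further; they are not modelled here."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:   # "whatever the build allows"
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for name, ver, built_in in VERSIONS
            if built_in and lo <= ver <= hi]

def legacy_server_context():
    """Library defaults only: the floor is whatever the OpenSSL build still
    offers. This is the posture the patch moves hgweb away from."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

def hardened_server_context():
    """Explicit TLS 1.2 floor, so SSLv3 and early TLS are refused no matter
    how OpenSSL was built or configured."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def sslv3_refused(ctx):
    """True when SSLv3 is excluded by the version window or by OP_NO_SSLv3."""
    return ("SSLv3" not in negotiable_versions(ctx)
            or bool(ctx.options & ssl.OP_NO_SSLv3))

if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, negotiable_versions(ctx), "SSLv3 refused:", sslv3_refused(ctx))
```

On a current OpenSSL build the legacy context already reports SSLv3 as unavailable, which is Mike's point about how old a library must be before SSLv3 is the only option; the hardened context refuses it regardless of the build.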