[PATCH 2 of 2 ?] hgweb: disable SSLv3 serving

Sean Farley sean.michael.farley at gmail.com
Tue Oct 21 23:11:37 CDT 2014


Mike Hommey writes:

> On Tue, Oct 21, 2014 at 03:13:44PM -0700, Gregory Szorc wrote:
>> On 10/21/14 2:17 PM, Augie Fackler wrote:
>> ># HG changeset patch
>> ># User Augie Fackler <raf at durin42.com>
>> ># Date 1413925777 14400
>> >#      Tue Oct 21 17:09:37 2014 -0400
>> ># Branch stable
>> ># Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
>> ># Parent  27430ddc25a17a93b72245a406e8667eafcf43f0
>> >hgweb: disable SSLv3 serving
>> >
>> >Because of recent attacks[0] on SSLv3, let's just drop support entirely.
>> >
>> >0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>> 
>> I want to support this patch series because security. But there are still
>> people who insist on running SSLv3 because they can't control what their
>> clients have.
>> 
>> I could imagine people thinking "my exposure to Poodle is negligible since
>> everything is behind my corp firewall / VPN; it's a lot of work to upgrade
>> all the legacy clients stuck on SSLv3; I'll just not upgrade Mercurial
>> because that's easiest."
>
> Are there actually versions of python 2.4 that would not come with a
> version of openssl that is less than 15 years old? Because that's what
> it would take for a client to not support TLSv1: using an openssl
> version that's more than 15 years old. I can understand that there would
> be environments where only SSLv3 is supported, but does that actually
> apply to python >= 2.4, which is the prerequisite for mercurial?

To further agree, I'll point out: it's trivial to add a config switch
later (such as when a bug report is filed). Much harder to gauge whether
we can remove said config switch.
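
Added example, not code from the Mercurial project or from the patch under discussion: a server-side ssl.SSLContext configured so an SSLv3 handshake can never succeed, plus a check that reports which protocol versions a context will actually negotiate. It assumes Python 3.7+ (SSLContext.minimum_version and the ssl.HAS_* flags) and assumes the 2014 patch's effect was "SSLv3 off, TLSv1 and newer kept"; that legacy floor is built here only for comparison, next to the TLS 1.2 floor a new hgweb deployment should use today, which goes beyond what the thread itself settles. The function and variable names are the example's own.

```python
"""Inspect which SSL/TLS versions a server-side ssl.SSLContext will negotiate,
and build two hgweb-style server contexts: one mirroring the 2014
"drop SSLv3, keep TLSv1" fix and one with today's TLS 1.2 floor.

Added example, not code from the Mercurial project or the patch discussed
above.  Assumes Python 3.7+ (ssl.SSLContext.minimum_version and the
ssl.HAS_* flags) and that the 2014 patch amounted to a TLSv1 floor.
"""
import ssl
import warnings

# Protocol table, oldest first: display name, TLSVersion member, whether the
# linked OpenSSL was built with the version at all, and the OP_NO_* bit that
# switches it off.  A version must pass all three gates to be usable.
_VERSIONS = [
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.HAS_SSLv3,   ssl.OP_NO_SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1,   ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1, ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2, ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def allowed_versions(ctx):
    """Return the names of the protocol versions `ctx` can negotiate.

    Python keeps two independent version controls on a context: the
    minimum_version/maximum_version window and the older OP_NO_* option bits.
    It does not reconcile them, so a version is reachable only if it lies
    inside the window, its OP_NO_* bit is clear, and the OpenSSL build has it.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # The sentinels are negative and sit below every real version number;
    # widen them to the real range so the comparison below is meaningful.
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for name, ver, built_in, no_bit in _VERSIONS
            if built_in and lo <= ver <= hi and not (ctx.options & no_bit)]


def sslv3_disabled(ctx):
    """The property the patch is after: no SSLv3 handshake can succeed."""
    return "SSLv3" not in allowed_versions(ctx)


def legacy_poodle_fix_context():
    """Server context with a TLSv1 floor: SSLv3 gone, everything newer kept.

    This is the 2014 trade-off (assumed to match the patch's intent); it is
    here for comparison only and should not be deployed today.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # TLSv1 is deprecated in current Python; the warning is expected here.
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            # OpenSSL built without TLS 1.0: the floor stays wherever the
            # library put it, which is already above SSLv3.
            pass
    return ctx


def hardened_context():
    """Server context with the floor a new deployment should use: TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("2014 fix (TLSv1 floor)", legacy_poodle_fix_context()),
                       ("hardened (TLS 1.2 floor)", hardened_context())):
        print(f"{label}: {', '.join(allowed_versions(ctx))}; "
              f"SSLv3 disabled: {sslv3_disabled(ctx)}")
```

The check reads both the version window and the option bits on purpose: a context can carry OP_NO_TLSv1_2 while its minimum_version says TLS 1.2, and Python will happily create it, so looking at only one of the two mechanisms is how a "we disabled SSLv3" claim ends up unverified. The HAS_* gate is the other half of the thread's argument: on a build whose OpenSSL never had SSLv3 compiled in, the server cannot serve it no matter what the context says, which is the situation any OpenSSL younger than the PRNG bugs of the late 1990s puts a TLSv1-capable client in.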


More information about the Mercurial-devel mailing list