[PATCH 2 of 2 ?] hgweb: disable SSLv3 serving

Gregory Szorc gregory.szorc at gmail.com
Tue Oct 21 23:23:36 CDT 2014


On 10/21/14 8:36 PM, Mike Hommey wrote:
> On Tue, Oct 21, 2014 at 03:13:44PM -0700, Gregory Szorc wrote:
>> On 10/21/14 2:17 PM, Augie Fackler wrote:
>>> # HG changeset patch
>>> # User Augie Fackler <raf at durin42.com>
>>> # Date 1413925777 14400
>>> #      Tue Oct 21 17:09:37 2014 -0400
>>> # Branch stable
>>> # Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
>>> # Parent  27430ddc25a17a93b72245a406e8667eafcf43f0
>>> hgweb: disable SSLv3 serving
>>>
>>> Because of recent attacks[0] on SSLv3, let's just drop support entirely.
>>>
>>> 0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>>
>> I want to support this patch series because security. But there are still
>> people who insist on running SSLv3 because they can't control what their
>> clients have.
>>
>> I could imagine people thinking "my exposure to Poodle is negligible since
>> everything is behind my corp firewall / VPN; it's a lot of work to upgrade
>> all the legacy clients stuck on SSLv3; I'll just not upgrade Mercurial
>> because that's easiest."
>
> Are there actually versions of Python 2.4 that would not come with a
> version of OpenSSL that is less than 15 years old? Because that's what
> it would take for a client to not support TLSv1: using an OpenSSL
> version that's more than 15 years old. I can understand that there would
> be environments where only SSLv3 is supported, but does that actually
> apply to Python >= 2.4, which is the prerequisite for Mercurial?

Also, what are the chances someone is terminating SSL with Mercurial
itself? From my experience, there is almost always an intermediary HTTP
agent doing TLS termination. I reckon that hosting solution is a
sufficient workaround if people still wish to support SSLv3. A little more
work, but it's probably better for them anyway.
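As an added example that is not part of this thread or of the Mercurial patch under discussion: a server-side Python SSL context that refuses SSLv3 (hgweb is Python, but the function names here are assumptions for this example, not hgweb's own), with a small policy audit showing which legacy versions a given protocol floor still leaves open.

```python
import ssl

# Protocol versions a hardened server must never negotiate: SSLv3 is the
# one POODLE targets; TLS 1.0/1.1 are listed because the same floor setting
# rules them out too. Names below are assumptions for this example.
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def make_server_context(certfile=None, keyfile=None):
    """Return a server-side SSLContext whose protocol floor is TLS 1.2.

    Setting minimum_version is the current way to drop SSLv3 serving in
    Python; the older OP_NO_SSLv3 option flag is deprecated in its favour.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:
        # Only needed to actually serve; skipped here so the example runs offline.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_versions_permitted(minimum_version):
    """Names of legacy protocol versions not excluded by a given floor.

    Accepts a TLSVersion or its name. TLSVersion is an IntEnum ordered by
    wire version, and MINIMUM_SUPPORTED (the default floor) sorts below every
    real version, so a plain comparison answers "could SSLv3 still be
    selected by policy?".
    """
    if isinstance(minimum_version, str):
        minimum_version = ssl.TLSVersion[minimum_version]
    return [v.name for v in LEGACY_VERSIONS if minimum_version <= v]


def audit_context(ctx):
    """Report which legacy versions a context still permits by policy.

    This inspects configuration only; whether the linked OpenSSL was even
    built with SSLv3 support is a separate question.
    """
    return legacy_versions_permitted(ctx.minimum_version)


if __name__ == "__main__":
    hardened = make_server_context()
    print("hardened context permits:", audit_context(hardened) or "no legacy versions")
```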

