[PATCH 2 of 2 🐩] hgweb: disable SSLv3 serving

Matt Mackall mpm at selenic.com
Wed Oct 22 17:36:38 CDT 2014


On Tue, 2014-10-21 at 15:13 -0700, Gregory Szorc wrote:
> On 10/21/14 2:17 PM, Augie Fackler wrote:
> > # HG changeset patch
> > # User Augie Fackler <raf at durin42.com>
> > # Date 1413925777 14400
> > #      Tue Oct 21 17:09:37 2014 -0400
> > # Branch stable
> > # Node ID 32ad565e579cf5d38f0150afa5a20cecb5ae17f1
> > # Parent  27430ddc25a17a93b72245a406e8667eafcf43f0
> > hgweb: disable SSLv3 serving
> >
> > Because of recent attacks[0] on SSLv3, let's just drop support entirely.
> >
> > 0: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
> 
> I want to support this patch series because security. But there are 
> still people who insist on running SSLv3 because they can't control what 
> their clients have.
> 
> I could imagine people thinking "my exposure to Poodle is negligible 
> since everything is behind my corp firewall / VPN; it's a lot of work to 
> upgrade all the legacy clients stuck on SSLv3; I'll just not upgrade 
> Mercurial because that's easiest."

We actually have a steady trickle of bug reports from these people
already. Apparently there are still some old IIS servers out there which
have crypto broken in such a way that it mysteriously aborts in the
middle of large-ish HTTPS transfers (presumably due to bugs in handling
of padding in MACs).

So while I might normally be inclined to not break people's internal
setups by dropping SSLv3, the current state of "supporting" SSLv3 is
already broken and annoying.

(Also, keep in mind that SSLv3 has been obsolete for the entirety of the
current century.)

-- 
Mathematics is the supreme nostalgia of our time.
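As an added illustration of the server-side change under discussion (this is constructed example code, not the hgweb patch and not Mercurial's code), the block below builds a Python server `SSLContext` that cannot negotiate SSLv3 and adds a small audit helper a deployer can run against any context to confirm the floor. The function names `hardened_server_context`, `sslv3_allowed` and `audit` are this example's own; the certificate and key paths are placeholders that are only loaded when supplied.

```python
import ssl

# Constructed example: a hardened server-side SSLContext of the kind a
# Python HTTPS front end would use once SSLv3 serving is dropped.
# Helper names are this example's own, not hgweb's.


def hardened_server_context(certfile=None, keyfile=None):
    """Return a server context whose protocol floor is TLS 1.2.

    certfile/keyfile are placeholder paths (assumption); when omitted the
    context is built without a certificate so the policy can still be audited.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Expressing the floor as a version is the supported way to say
    # "never SSLv3" on current Python; OP_NO_SSLv3 is also set by default
    # on a fresh context and is reported by audit() below.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def sslv3_allowed(ctx):
    """True only if this context could still negotiate SSLv3 with a legacy client."""
    if ctx.options & ssl.OP_NO_SSLv3:
        return False
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) sorts below SSLv3 (0x300),
    # so an unset floor counts as "SSLv3 not excluded by version".
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def audit(ctx):
    """Summarise the protocol window a context accepts, for a log line or a test."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "op_no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "sslv3_allowed": sslv3_allowed(ctx),
    }


if __name__ == "__main__":
    # Usage: build the hardened context and print the policy it enforces.
    for key, value in audit(hardened_server_context()).items():
        print(f"{key}: {value}")
```

Running the block prints the policy of the hardened context; the same `audit()` call can be pointed at a context taken from an existing server to check that a legacy client stuck on SSLv3 will be refused rather than served with a broken session.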