sslutil: prevent CRIME
author: Gregory Szorc <gregory.szorc@gmail.com>
Thu, 14 Jul 2016 20:07:10 -0700
changeset 29558 a935cd7d51a6
parent 29557 53de8255ec4e
child 29559 7dec5e441bf7
sslutil: prevent CRIME

ssl.create_default_context() disables compression on the TLS channel in order to prevent CRIME. I think we should follow CPython's lead and attempt to disable channel compression in order to help prevent information leakage. Sadly, I don't think there is anything we can do on Python versions that don't have an SSLContext, as there is no way to set channel options with the limited ssl API.
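The feature-detection pattern the commit message describes, as an added example that is not Mercurial's own code: it computes the option mask the same way the patch does, but also reports whether the OP_NO_COMPRESSION fallback silently happened, and offers a post-hoc check on a built context. The `OLD_SSL` namespace is a constructed stand-in for an ssl module that predates the constant; its flag values are made up.

```python
import ssl
from types import SimpleNamespace


def build_ctxoptions(sslmod=ssl):
    """Return (ctxoptions, crime_protected).

    Mirrors the patch: OP_NO_COMPRESSION is OR'ed into the mask only when
    the ssl module defines it. Otherwise the mask is unchanged and TLS
    compression stays negotiable, so the second value tells the caller
    that the fallback happened instead of hiding it.
    """
    nocomp = getattr(sslmod, 'OP_NO_COMPRESSION', 0)
    ctxoptions = sslmod.OP_NO_SSLv2 | sslmod.OP_NO_SSLv3 | nocomp
    return ctxoptions, nocomp != 0


def make_client_context(sslmod=ssl):
    """Build a client SSLContext carrying the computed options.

    Returns None when the platform has no SSLContext at all, which is the
    case the commit message says cannot be fixed with the limited ssl API.
    """
    if not hasattr(sslmod, 'SSLContext'):
        return None
    ctxoptions, _ = build_ctxoptions(sslmod)
    ctx = sslmod.SSLContext(sslmod.PROTOCOL_TLS_CLIENT)
    ctx.options |= ctxoptions
    return ctx


def compression_disabled(ctx, sslmod=ssl):
    """Check any context after the fact: True only when the constant
    exists on this interpreter and is actually set on the context."""
    nocomp = getattr(sslmod, 'OP_NO_COMPRESSION', 0)
    return bool(nocomp) and bool(ctx.options & nocomp)


# Constructed stand-in for an old ssl module without OP_NO_COMPRESSION
# (assumption: the flag values are arbitrary and only the names matter).
OLD_SSL = SimpleNamespace(OP_NO_SSLv2=0x01000000, OP_NO_SSLv3=0x02000000)
```

On a current interpreter `compression_disabled(make_client_context())` is True, while `build_ctxoptions(OLD_SSL)` returns the bare SSLv2/SSLv3 mask with `crime_protected` False, which is the silent fallback the patch comment warns about.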
mercurial/sslutil.py
--- a/mercurial/sslutil.py	Thu Jul 14 19:56:39 2016 -0700
+++ b/mercurial/sslutil.py	Thu Jul 14 20:07:10 2016 -0700
@@ -155,6 +155,10 @@
     # is available. Be careful when adding flags!
     s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
 
+    # Prevent CRIME.
+    # There is no guarantee this attribute is defined on the module.
+    s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
     fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
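Review bot: the `getattr(ssl, 'OP_NO_COMPRESSION', 0)` fallback silently leaves TLS compression negotiable on interpreters that lack the constant, and nothing in `s` records that outcome for the caller; consider storing it next to `s['ctxoptions']` (for example a boolean the caller can turn into a warning) rather than only noting it in the comment. Also, since the context line above says "Be careful when adding flags!", the one-line `# Prevent CRIME.` comment would serve future readers better if it stated that CRIME abuses TLS-level compression, which is why this particular flag is safe to add unconditionally.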