Message188860
Thank you for pointing this out. I am frankly shocked that IIS would defaut to SSLv2 (an obsolete and insecure version of the protocol), while Python's (and certainly Mercurial's) default settings allow for higher protocol versions.
> If you are interested in why Python 2.7.3 broke this, look at
> http://bugs.python.org/issue13885 for the explanation (it is
> security-related).
Indeed, it is a security fix. I have no desire to undo this change, which means things may get a bit painful with IIS apparently.
One way to deal with it may be to detect IIS after the first wrap_socket() (through an HTTP header in the response?) and then re-issue a wrap_socket() with IIS-specific parameters.
(forcing SSLv3 as the client protocol isn't terrific, since TLSv1 is AFAIR supposed to have improved security) |
|
Date |
User |
Action |
Args |
2013-05-10 18:19:44 | pitrou | set | recipients:
+ pitrou, jesusvpct, James.O'Cull |
2013-05-10 18:19:44 | pitrou | set | messageid: <1368209984.56.0.108494236963.issue17948@psf.upfronthosting.co.za> |
2013-05-10 18:19:44 | pitrou | link | issue17948 messages |
2013-05-10 18:19:44 | pitrou | create | |
|