# HG changeset patch
# User Augie Fackler
# Date 2013-07-24 18:51:13
# Node ID 074bd02352c04fe33f8989de38a40aea73754293
# Parent 42fcb2f7787db7bb007f2e26ea804d35411b7c55
sslutil: force SSLv3 on Python 2.6 and later (issue3905)

We can't (easily) force SSL version on older Pythons, but on 2.6 and later we can force SSLv3, which is safer and widely supported. This also appears to work around a bug in IIS detailed in issue 3905.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -17,7 +17,8 @@ try:
 def ssl_wrap_socket(sock, keyfile, certfile,
 cert_reqs=ssl.CERT_NONE, ca_certs=None):
 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
- cert_reqs=cert_reqs, ca_certs=ca_certs)
+ cert_reqs=cert_reqs, ca_certs=ca_certs,
+ ssl_version=ssl.PROTOCOL_SSLv3)
 # check if wrap_socket failed silently because socket had been closed
 # - see http://bugs.python.org/issue13721
 if not sslsocket.cipher():
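Review bot: The added `ssl_version=ssl.PROTOCOL_SSLv3` argument pins every connection made through ssl_wrap_socket to exactly SSLv3, so a peer that offers TLS 1.0 or newer can no longer negotiate it and a TLS-only server will fail the handshake. SSLv3 is presumably "safer" only relative to the SSLv2 fallback the default setting may permit; `ssl_version=ssl.PROTOCOL_TLSv1` exists on the same Python versions and would be the stronger pin, though whether it also avoids the IIS problem from issue 3905 cannot be told from this hunk. Whichever value is kept, a comment above the call such as `# pin the protocol so the handshake cannot fall back to SSLv2 (issue3905)` would record why the version is forced and make the pin easy to find when it needs raising. The signature's default `cert_reqs=ssl.CERT_NONE` is unchanged context, so certificate validation still depends on what callers pass, and the function body continues past the end of the hunk.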