Specify cipher list?
Augie Fackler
raf at durin42.com
Fri Sep 20 20:10:00 UTC 2013
On Sep 20, 2013, at 4:08 PM, Matt Mackall <mpm at selenic.com> wrote:
> On Fri, 2013-09-20 at 10:58 -0400, Augie Fackler wrote:
>
>> He says forcing TLS is reasonable at this point, and should be fine
>
> This is where I'm leaning too. Insofar as SSLv2 and v3 are widely
> acknowledged to be insecure and TLSv1 is quite widely deployed, I think
> we can break our backwards-compatibility rules to drop support for them.
I figured. See my related series on the list.
>
>> (long-term, he recommended SSL_CLIENT_CONTEXT_TLS_V1_2 and options |=
>> SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, but we don't have that much control
>> yet thanks to not enough exposed in bindings).
>
> Perhaps we can provide optional support for GnuTLS.
I'm planning on hacking together an extension that replaces sslutil.ssl_wrap_socket with something from python-gnutls or something to see how easily it'll work. That might be a path to SNI support too.
>
> --
> Mathematics is the supreme nostalgia of our time.
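As an added illustration (not code from Mercurial or from anyone in this thread) of what a TLS-only replacement for sslutil.ssl_wrap_socket could look like, assuming a modern Python ssl module with SSLContext, which gives the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 and TLS 1.2 control the thread says the old bindings lacked, plus SNI:

```python
import ssl


def make_tls_only_context(cafile=None):
    """Client context that refuses SSLv2/SSLv3 and anything below TLS 1.2.

    PROTOCOL_TLS_CLIENT already disables SSLv2/SSLv3, requires a server
    certificate and checks the hostname; minimum_version is the modern
    spelling of the per-version SSL_OP_NO_* options discussed above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def legacy_protocols_disabled(ctx):
    """Audit helper: True only if the floor is at or above TLS 1.0, so
    SSLv2 and SSLv3 can never be negotiated regardless of OP_NO_* flags."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


def policy_summary(ctx):
    """Plain-value view of the settings a reviewer would want to see."""
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "legacy_disabled": legacy_protocols_disabled(ctx),
    }


def tls_wrap_socket(sock, hostname, ctx=None):
    """Same shape as an ssl_wrap_socket replacement (hypothetical name).

    server_hostname both sends SNI, so name-based virtual hosts present the
    right certificate, and names the host the certificate is verified for.
    """
    ctx = ctx or make_tls_only_context()
    return ctx.wrap_socket(sock, server_hostname=hostname)
```

tls_wrap_socket takes an already connected plain socket; the handshake happens when the wrapped socket is first used.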