Specify cipher list?

Augie Fackler raf at durin42.com
Fri Sep 20 09:58:48 CDT 2013


I asked Adam Langley about specifying cipher lists, and he suggested we
could specify '!aNULL:!ADH:!eNull:!LOW:!EXP:HIGH:MEDIUM' for our cipher
list[0]. Should we try making that the default cipher list?

To see what that means, run:
$ openssl ciphers -v '!aNULL:!ADH:!eNull:!LOW:!EXP:HIGH:MEDIUM'

He says forcing TLS is reasonable at this point, and should be fine
(long-term, he recommended SSL_CLIENT_CONTEXT_TLS_V1_2 and options |=
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, but we don't have that much control yet
thanks to not enough exposed in bindings).

AF

0: He also noted that since we're not doing things that give attackers as
much control, RC4 is probably still okay for us, and that most servers
ignore the client's list anyway. Whee.
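As an added example (my own code, not Mercurial's and not anything from the thread above): the post says to run `openssl ciphers -v` to see what the string actually selects. The script below does the same thing from Python's `ssl` module, parses the `-v` style description lines, and screens the selection for the classes the list is meant to exclude (anonymous key exchange, NULL encryption, export and LOW grade), so the check can live in a test rather than in someone's terminal history. It assumes Python 3.7+ with the `ssl` module linked against the local OpenSSL; `SAMPLE` is constructed input in the `openssl ciphers -v` format, not captured output, and `parse_description`, `weak_ciphers`, `offered_ciphers` and `check` are names of this example. One caveat on the string itself: OpenSSL matches cipher-string keywords case-sensitively and skips unknown ones rather than rejecting the string, so the example uses the spelling `!eNULL` documented in ciphers(1) rather than the post's `!eNull`.

```python
"""Check what an OpenSSL cipher string actually selects, the way
`openssl ciphers -v` shows it, and screen the result for the classes the
list is meant to exclude. Added example, not Mercurial code."""
import re
import ssl

# Keywords spelled as documented in ciphers(1). OpenSSL matches keywords
# case-sensitively and silently skips ones it does not recognise, so the
# "!eNull" in the post would not be applied; "!eNULL" is the documented form.
PROPOSED = "!aNULL:!ADH:!eNULL:!LOW:!EXP:HIGH:MEDIUM"

# Constructed lines in `openssl ciphers -v` format (not captured output),
# including three suites the policy is supposed to reject.
SAMPLE = [
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD",
    "AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1",
    "ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1",
    "NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256",
    "EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export",
]

_FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
_ENC = re.compile(r"([^()\s]*)(?:\((\d+)\))?")


def parse_description(line):
    """Split one 'NAME PROTO Kx=.. Au=.. Enc=ALG(bits) Mac=..' line into a dict."""
    name, protocol = line.split()[:2]
    fields = dict(_FIELD.findall(line))
    enc = _ENC.match(fields.get("Enc", ""))
    return {
        "name": name,
        "protocol": protocol,
        "kx": fields.get("Kx"),
        "au": fields.get("Au"),
        "enc": enc.group(1) or None,
        "bits": int(enc.group(2)) if enc.group(2) else None,
        "export": line.rstrip().endswith("export"),
    }


def weak_ciphers(descriptions):
    """Names of suites the intended policy rules out: anonymous key exchange
    (Au=None), NULL encryption (Enc=None), export grade, or fewer than 128
    cipher bits (the LOW class; note 3DES is printed as 168)."""
    names = []
    for line in descriptions:
        d = parse_description(line)
        if (d["au"] == "None" or d["enc"] == "None" or d["export"]
                or (d["bits"] is not None and d["bits"] < 128)):
            names.append(d["name"])
    return names


def offered_ciphers(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Description lines of every suite a client context built with
    `cipher_string` would offer, using the local OpenSSL (Python 3.7+).
    `minimum` is the "force TLS" part of the post: SSLv2/SSLv3 and older
    TLS versions are refused regardless of the cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["description"] for c in ctx.get_ciphers()]


def check(cipher_string):
    """Live verdict for a cipher string: how many suites it selects and
    which of them violate the policy (an empty list is a pass)."""
    lines = offered_ciphers(cipher_string)
    return {"offered": len(lines), "weak": weak_ciphers(lines)}


if __name__ == "__main__":
    for line in offered_ciphers(PROPOSED):
        print(line)
    print("live:", check(PROPOSED))
    print("sample:", weak_ciphers(SAMPLE))
```

Two things the check deliberately does not claim: it only shows what the client offers, which is the point the footnote makes about servers picking from their own preference order anyway, and it treats RC4 at 128 bits as MEDIUM and lets it through, matching the post's position rather than a stricter one.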