Specify cipher list?

Matt Mackall mpm at selenic.com
Fri Sep 20 14:58:16 CDT 2013


On Fri, 2013-09-20 at 19:40 +0200, Antoine Pitrou wrote:
> On Fri, 20 Sep 2013 10:58:48 -0400
> Augie Fackler <raf at durin42.com> wrote:
> > I asked Adam Langley about specifying cipher lists, and he suggested we
> > could specify '!aNULL:!ADH:!eNull:!LOW:!EXP:HIGH:MEDIUM' for our cipher
> > list[0]. Should we try making that the default cipher list?
> 
> Python already sets a default cipher list, since circa 2.7.3:
> http://hg.python.org/cpython/rev/f9122975fd80/

That's only a small subset of our users, so it makes sense for us to do
this too, where possible. But not all the Python versions we support
have a ciphers parameter for SSL wrapping.

Earlier I mentioned trying to match what Mozilla did. One particular
reason for that is that we don't want to fail where a standard web
browser succeeds, as that will cause much hair-pulling. But at the same
time, we don't want to be significantly more lax than a standard web
browser either.

One problem here of course is that Mozilla has its own SSL layer, so we
can't directly compare cipher lists.

It also bears noting that we use SSL for SMTP, which gets a lot less
attention. I suspect SMTP SSL implementations are, if anything, more
modern on average.

-- 
Mathematics is the supreme nostalgia of our time.
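
As an added illustration (not code from this thread or from Mercurial), the Python 3 snippet below expands the cipher string quoted above into the suites the local OpenSSL build actually selects, checks that the classes the "!" entries exclude are really absent, and degrades gracefully when a build cannot apply the string, the compatibility situation the reply describes. The marker list and all function names are my own assumptions.

```python
import ssl

# Cipher string quoted in the thread (the suggestion attributed to Adam Langley).
SUGGESTED_CIPHERS = '!aNULL:!ADH:!eNull:!LOW:!EXP:HIGH:MEDIUM'

# Assumed name fragments marking suites the "!" exclusions are meant to drop:
# anonymous key exchange (ADH/AECDH), NULL encryption, export-grade suites.
FORBIDDEN_MARKERS = ('ADH', 'AECDH', 'NULL', 'EXP')


def apply_cipher_string(ctx, cipher_string):
    """Apply an OpenSSL cipher string to an SSLContext if this Python/OpenSSL
    build supports it; return False (leaving the default list) otherwise."""
    try:
        ctx.set_ciphers(cipher_string)   # SSLError when no suite matches
    except AttributeError:               # ssl module too old to set ciphers
        return False
    except ssl.SSLError:                 # string selected no suites at all
        return False
    return True


def expand_cipher_string(cipher_string):
    """Return the suite names OpenSSL selects for a cipher string, in
    preference order (TLS 1.3 suites are reported too, as OpenSSL lists them)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not apply_cipher_string(ctx, cipher_string):
        return []
    return [c['name'] for c in ctx.get_ciphers()]


def offending_suites(names, markers=FORBIDDEN_MARKERS):
    """Suites whose name carries a marker the cipher string should have removed."""
    return [n for n in names if any(m in n for m in markers)]


def audit_cipher_string(cipher_string):
    """Summarise what a cipher string really selects on this build."""
    names = expand_cipher_string(cipher_string)
    return {'count': len(names), 'offending': offending_suites(names)}


if __name__ == '__main__':
    report = audit_cipher_string(SUGGESTED_CIPHERS)
    print('suites selected: %d, offending: %s'
          % (report['count'], report['offending']))
    # A string matching nothing is rejected by OpenSSL, so the fallback applies.
    print('unknown-only string selects:', expand_cipher_string('NO-SUCH-SUITE'))
```

Running it on a build where the string is rejected outright reports zero suites, which is exactly the case where a client would have to fall back to the interpreter's default list.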