Specify cipher list?

Matt Mackall mpm at selenic.com
Fri Sep 20 15:08:46 CDT 2013


On Fri, 2013-09-20 at 10:58 -0400, Augie Fackler wrote:

> He says forcing TLS is reasonable at this point, and should be fine

This is where I'm leaning too. Insofar as SSLv2 and v3 are widely
acknowledged to be insecure and TLSv1 is quite widely deployed, I think
we can break our backwards-compatibility rules to drop support for them.

>  (long-term, he recommended SSL_CLIENT_CONTEXT_TLS_V1_2 and options |=
> SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, but we don't have that much control
> yet thanks to not enough exposed in bindings).

Perhaps we can provide optional support for GnuTLS.

-- 
Mathematics is the supreme nostalgia of our time.

More information about the Mercurial-devel mailing list