Specify cipher list?

Augie Fackler raf at durin42.com
Fri Sep 20 15:10:00 CDT 2013


On Sep 20, 2013, at 4:08 PM, Matt Mackall <mpm at selenic.com> wrote:

> On Fri, 2013-09-20 at 10:58 -0400, Augie Fackler wrote:
> 
>> He says forcing TLS is reasonable at this point, and should be fine
> 
> This is where I'm leaning too. Insofar as SSLv2 and v3 are widely
> acknowledged to be insecure and TLSv1 is quite widely deployed, I think
> we can break our backwards-compatibility rules to drop support for them.

I figured. See my related series on the list.

> 
>> (long-term, he recommended SSL_CLIENT_CONTEXT_TLS_V1_2 and options |=
>> SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, but we don't have that much control
>> yet thanks to not enough exposed in bindings).
> 
> Perhaps we can provide optional support for GnuTLS.

I'm planning on hacking together an extension that replaces sslutil.ssl_wrap_socket with something from python-gnutls or something to see how easily it'll work. That might be a path to SNI support too.

> 
> -- 
> Mathematics is the supreme nostalgia of our time.
> 
> 
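The TLS-only socket wrapping discussed in the thread, written out as an added example that is not Mercurial's sslutil code: it uses the Python 3 `ssl` module (which exposes the OpenSSL knobs the 2013-era bindings did not), sets the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` option bits the message proposes, pins TLS 1.2 as the minimum, sends SNI through `server_hostname`, and routes an optional cipher list through the same context. The function names, the `context_forbids_legacy_ssl` check and the deliberately permissive "before" context are constructed for this example.

```python
import socket
import ssl
import sys
import warnings

# Added example, not Mercurial's sslutil.ssl_wrap_socket: a client-side TLS
# context that can never fall back to SSLv2/SSLv3, built with the Python 3
# `ssl` module. Every function name below is constructed for this example.

# The option bits the thread mentions (OpenSSL's SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3).
# OpenSSL builds without SSLv2 define OP_NO_SSLv2 as 0, which is harmless here.
LEGACY_OPTIONS = int(ssl.OP_NO_SSLv2) | int(ssl.OP_NO_SSLv3)


def make_tls_client_context(min_version=ssl.TLSVersion.TLSv1_2, ciphers=None):
    """Build a verifying client context that refuses anything below min_version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already turns these on; stating them makes the contract visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    with warnings.catch_warnings():
        # Python 3.10+ deprecates the OP_NO_* bits in favour of minimum_version;
        # they are kept here because they are exactly what the thread proposes.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= LEGACY_OPTIONS
    # The cleaner mechanism newer bindings expose: a hard floor on the protocol version.
    ctx.minimum_version = min_version
    if ciphers:
        # Cipher-list restriction (the thread's subject) goes through the same
        # context; the string uses OpenSSL cipher-list syntax.
        ctx.set_ciphers(ciphers)
    return ctx


def legacy_permissive_context():
    """Constructed 'before' configuration for contrast: no option bits, no floor.

    Modern OpenSSL builds omit SSLv2/SSLv3 entirely, so in practice this only
    re-enables TLS 1.0/1.1, but the policy check below treats it as the failure
    the thread is trying to rule out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options = int(ctx.options) & ~LEGACY_OPTIONS
    return ctx


def context_forbids_legacy_ssl(ctx):
    """True when the context cannot negotiate SSLv2 or SSLv3 by either mechanism."""
    option_bits_set = (int(ctx.options) & LEGACY_OPTIONS) == LEGACY_OPTIONS
    min_version_is_tls = ctx.minimum_version >= ssl.TLSVersion.TLSv1
    return option_bits_set or min_version_is_tls


def minimum_protocol_name(ctx):
    """Name of the protocol floor, e.g. 'TLSv1_2', for logging or assertions."""
    return ctx.minimum_version.name


def ssl_wrap_socket(sock, server_hostname, ctx=None):
    """Wrap an already-connected socket the way a sslutil.ssl_wrap_socket
    replacement would: verify the chain, check the name, and send SNI."""
    ctx = ctx or make_tls_client_context()
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


def negotiated_summary(tls_sock):
    """Protocol version and cipher actually negotiated, worth logging after connect."""
    return tls_sock.version(), tls_sock.cipher()[0]


if __name__ == "__main__":
    # Usage: python tls_only.py example.invalid  (hostname is whatever you pass;
    # nothing is contacted unless you run this directly)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    with socket.create_connection((host, 443)) as raw:
        with ssl_wrap_socket(raw, host) as tls:
            print(negotiated_summary(tls))
```

`context_forbids_legacy_ssl` accepts either mechanism on purpose: a context built on a binding that only exposes the option bits still passes, while one that exposes `minimum_version` passes without needing the deprecated bits at all. `negotiated_summary` is the value to log on connect so that a server that somehow still negotiates below the floor shows up in operational logs.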


