Mercurial failing on TLSv1.2 repos, but I wrote a patch

Matt Mackall mpm at selenic.com
Thu Jul 23 08:32:16 CDT 2015


On Thu, 2015-07-23 at 12:14 +0000, Warren Melnick wrote:
> Asking people to enable 1.0 is not an optimal solution.  Both TLS 1.0
> and 1.1 have known vulnerabilities, and the ones for 1.0 are pretty
> severe.

Again, all the known TLS 1.0 weaknesses have effective mitigations that
are widely deployed. This is why TLS 1.0 has not been shot in the head
by all the browser vendors but SSL3 has. Please tell me which weaknesses
you're concerned about and I will point you to their mitigations.

>   If there is to be a single standard, it should probably be TLSv1.2.

Agreed. But it's not a realistic option. The options are these:

- re-enable SSL3, which has unfixable problems
- write substantial new code to allow using a third-party SSL module
- encourage the 1% of people who don't have TLS1.0 to enable it or
upgrade their Python

> Additionally, RHEL 6 and its variants (CentOS, Scientific), all use python 2.6 and it is nearly impossible to upgrade without destroying the system.  MacOS in its latest variant (10.10.4) is Python 2.7.6.

FYI, our RPM build scripts can build a private copy of modern Python:

$ contrib/buildrpm --withpython

This is what allows us to continue supporting CentOS/RHEL 5.

-- 
Mathematics is the supreme nostalgia of our time.
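The thread turns on whether the local Python's ssl module can speak TLS 1.2 at all, and on not re-enabling SSL3 to get around it. As an added example that is not from the thread or from Mercurial, the following reports what the interpreter's OpenSSL build offers and builds a client context that refuses anything below TLS 1.2; it assumes Python 3.7 or newer (the `ssl.HAS_*` flags and `TLSVersion` are not present in the Python 2.6 builds discussed above).

```python
"""Added example (not from the mailing-list thread): inspect which TLS
versions this interpreter's ssl module was built with, and construct a
client context that only negotiates TLS 1.2+. Assumes Python >= 3.7."""
import ssl
from typing import Dict


def tls_capabilities() -> Dict[str, object]:
    """Return the OpenSSL build behind this interpreter and the protocol
    versions it supports. On an old distro Python (the RHEL 6 / Python 2.6
    case in the thread) 'tls1_2' would be missing, which is the signal to
    build a private Python rather than weaken the server's configuration."""
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "sslv3": ssl.HAS_SSLv3,
        "tls1_0": ssl.HAS_TLSv1,
        "tls1_1": ssl.HAS_TLSv1_1,
        "tls1_2": ssl.HAS_TLSv1_2,
        "tls1_3": ssl.HAS_TLSv1_3,
    }


def make_strict_client_context() -> ssl.SSLContext:
    """Client context that speaks TLS 1.2 or newer only, keeping the
    default certificate verification and hostname checking. Raises
    RuntimeError when the local OpenSSL has no TLS 1.2 at all, so the
    caller gets 'upgrade Python/OpenSSL' instead of an opaque handshake
    failure against a TLS1.2-only repository."""
    if not ssl.HAS_TLSv1_2:
        raise RuntimeError("local OpenSSL lacks TLS 1.2: %s"
                           % ssl.OPENSSL_VERSION)
    ctx = ssl.create_default_context()
    # Floor the version instead of toggling per-protocol OP_NO_* bits;
    # this excludes SSLv3, TLS 1.0 and TLS 1.1 in one place.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, value in tls_capabilities().items():
        print("%-16s %s" % (name, value))
    print("strict context min version:",
          make_strict_client_context().minimum_version)
```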
