Mercurial failing on TLSv1.2 repos, but I wrote a patch

Warren Melnick wmelnick at millenniumweb.com
Thu Jul 23 08:37:07 CDT 2015


TLS 1.0 is an automatic fail in a PCI scan; as a result I, and many others, am not allowed to use it.  That is the weakness with which I am concerned — I will fail my next audit when the scanners are deployed.
-- 
Warren Melnick
Director of IT & Security


Millennium Communications 
6900 Jericho Tpke., Suite 100LL
Syosset, NY  11791 
Tel:      516-682-8080 x258
Fax:     516-682-9090 
Web:    www.millenniumweb.com <http://www.millenniumweb.com/>
Email:  wmelnick at millenniumweb.com


On 7/23/15, 9:32 AM, "Matt Mackall" <mpm at selenic.com> wrote:

>On Thu, 2015-07-23 at 12:14 +0000, Warren Melnick wrote:
>> Asking people to enable 1.0 is not an optimal solution.  Both TLS 1.0
>> and 1.1 have known vulnerabilities, and the ones for 1.0 are pretty
>> severe.
>
>Again, all the known TLS 1.0 weaknesses have effective mitigations that
>are widely deployed. This is why TLS 1.0 has not been shot in the head
>by all the browser vendors but SSL3 has. Please tell me which weaknesses
>you're concerned about and I will point you to their mitigations.
>
>>   If there is to be a single standard, it should probably be TLSv1.2.
>
>Agreed. But it's not a realistic option. The options are these:
>
>- re-enable SSL3, which has unfixable problems
>- write substantial new code to allow using a third-party SSL module
>- encourage the 1% of people who don't have TLS1.0 to enable it or
>upgrade their Python
>
>> Additionally, RHEL 6 and its variants (CentOS, Scientific), all use python 2.6 and it is nearly impossible to upgrade without destroying the system.  MacOS in its latest variant (10.10.4) is Python 2.7.6.
>
>FYI, our RPM build scripts can build a private copy of modern Python:
>
>$ contrib/buildrpm --withpython
>
>This is what allows us to continue supporting Centos/RHEL 5.
>
>-- 
>Mathematics is the supreme nostalgia of our time.
>