[PATCH 3 of 3] [RFC] sslutil: config option to specify TLS protocol version

Augie Fackler raf at durin42.com
Tue Jul 12 21:54:15 EDT 2016


> On Jul 12, 2016, at 5:44 PM, Gregory Szorc <gregory.szorc at gmail.com> wrote:
> 
>> > * Should we stop using TLS 1.0 if TLS 1.1+ is available by default?
>> 
>> I don't know that I'd go this far yet.
> 
> I just asked Eric Rescorla "should Mercurial drop TLS 1.0 support" and his response was "if you can get away with it." Basically a large portion of the Internet still doesn't run TLS 1.1+ and dropping TLS 1.0 would make that Internet unavailable. Just how many Mercurial servers don't run TLS 1.1+, I have no idea and there is no easy way to find out.
> 
> I'll throw out an idea. We could make TLS 1.1+ the default (on modern Python versions since legacy Python only supports TLS 1.0) and provide an option to allow TLS 1.0+. When connecting to a server that doesn't support TLS 1.1+, we can suggest users try the legacy config. When TLS 1.0 is insecure, we can drop the config option to allow it. There is also a related discussion about whether we should print warnings on legacy Pythons that don't support TLS 1.1+.

Works for me. Make it so in the resend?
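A sketch of the policy Gregory describes (TLS 1.1+ by default, a config value that allows TLS 1.0, and a hint pointing at that legacy setting when the handshake fails on version), added here as an example; it is not code from the patch series or from Mercurial. The config key `minimumprotocol` and its values are assumptions, and it uses `ssl.SSLContext.minimum_version` (Python 3.7+) where 2016-era code would have cleared `OP_NO_*` option bits.

```python
import ssl

# Assumed config key "minimumprotocol" with these values (not from the thread).
_MINIMUM_VERSIONS = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}
DEFAULT_MINIMUM = "tls1.1"  # the proposed default: TLS 1.1+ unless overridden

# Substrings of OpenSSL error text that indicate a protocol-version mismatch
# rather than a certificate, hostname or network failure.
_VERSION_ERRORS = (
    "UNSUPPORTED_PROTOCOL",
    "WRONG_VERSION_NUMBER",
    "TLSV1_ALERT_PROTOCOL_VERSION",
)


def is_valid_minimum(config_value):
    """True if the config value names a supported minimum TLS version."""
    return (config_value or DEFAULT_MINIMUM).strip().lower() in _MINIMUM_VERSIONS


def resolve_minimum(config_value):
    """Map the config value to (normalised key, ssl.TLSVersion); reject unknowns."""
    key = (config_value or DEFAULT_MINIMUM).strip().lower()
    if key not in _MINIMUM_VERSIONS:
        raise ValueError("unknown minimumprotocol %r (expected one of %s)"
                         % (key, ", ".join(sorted(_MINIMUM_VERSIONS))))
    return key, _MINIMUM_VERSIONS[key]


def make_client_context(config_value=None):
    """Client context with certificate/hostname verification and a version floor."""
    ctx = ssl.create_default_context()
    _, minimum = resolve_minimum(config_value)
    ctx.minimum_version = minimum  # refuse anything older than the configured floor
    return ctx


def legacy_hint(error_text, minimum_key):
    """Advice to show when a handshake fails; None if the failure is not version-related."""
    if not any(marker in error_text for marker in _VERSION_ERRORS):
        return None
    if minimum_key == "tls1.0":
        return "server does not support TLS 1.0 or newer; refusing to connect"
    return ("server may only support TLS 1.0; set minimumprotocol=tls1.0 "
            "for this host to allow it (TLS 1.0 is deprecated)")
```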

