[PATCH 3 of 5 V3] sslutil: require TLS 1.1+ when supported

Augie Fackler raf at durin42.com
Fri Jul 15 13:21:03 EDT 2016


On Thu, Jul 14, 2016 at 07:47:48PM -0700, Gregory Szorc wrote:
> On Thu, Jul 14, 2016 at 6:18 PM, Pierre-Yves David <
> pierre-yves.david at ens-lyon.org> wrote:
>
> >
> >
> > On 07/14/2016 06:50 AM, Gregory Szorc wrote:
> > > # HG changeset patch
> > > # User Gregory Szorc <gregory.szorc at gmail.com>
> > > # Date 1468470954 25200
> > > #      Wed Jul 13 21:35:54 2016 -0700
> > > # Node ID b4527c8cec88824c15936f64e7d5ea59c5d54bee
> > > # Parent  6a6d56e1391ff7e1468ef1b44b7e4c5cbe406f7b
> > > sslutil: require TLS 1.1+ when supported
> >
> > This change is scary (as in, a large base of our users will probably
> > explode) but I think I agree we should do it.
> > However, I would probably advocate to actually change the default at the
> > beginning of the 4.0 cycle to have a longer period to test it.
> >
> > If others agree, I would be happy to take a V2, where the default is
> > unchanged but the documentation recommends tls1.1 for newer python. The
> > rest of the series looks fine to me.
> >
>
> I recognize that this and the patch after it (a warning when only TLS 1.0
> is available) are scary. I would like to hear another opinion before I drop
> them. I plan on sending a revised series in an hour or two. I'll hold the
> course with dropping default compatibility with TLS 1.0 until someone else
> says otherwise.

Per the discussion we had on the RFC round of this
(http://thread.gmane.org/gmane.comp.version-control.mercurial.devel/95932/focus=96079),
I'm still a big fan of pushing for TLS 1.1 with a hint on how to
enable TLS 1.0.
