Mercurial > public > mercurial-scm > hg-stable
diff mercurial/help/config.txt @ 29577:9654ef41f7cc
sslutil: support defining cipher list
Python 2.7 supports specifying a custom cipher list to TLS sockets.
Advanced users may wish to specify a custom cipher list to increase
security. Or in some cases they may wish to prefer weaker ciphers
in order to increase performance (e.g. when doing stream clones
of very large repositories).
This patch introduces a [hostsecurity] config option for defining
the cipher list. The help documentation states that it is for
advanced users only.
Honestly, I'm a bit on the fence about providing this because
it is a footgun and can be used to decrease security. However,
there are legitimate use cases for it, so I think support should
be provided.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sun, 17 Jul 2016 10:59:32 -0700 |
| parents | 303e9300772a |
| children | 94c5273c7d5d |
line wrap: on
line diff
--- a/mercurial/help/config.txt Sun Jul 17 10:50:51 2016 -0700 +++ b/mercurial/help/config.txt Sun Jul 17 10:59:32 2016 -0700 @@ -1005,6 +1005,18 @@ The following options control default behavior for all hosts. +``ciphers`` + Defines the cryptographic ciphers to use for connections. + + Value must be a valid OpenSSL Cipher List Format as documented at + https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-LIST-FORMAT. + + This setting is for advanced users only. Setting to incorrect values + can significantly lower connection security or decrease performance. + You have been warned. + + This option requires Python 2.7. + ``minimumprotocol`` Defines the minimum channel encryption protocol to use. @@ -1027,6 +1039,10 @@ The following per-host settings can be defined. +``ciphers`` + This behaves like ``ciphers`` as described above except it only applies + to the host on which it is defined. + ``fingerprints`` A list of hashes of the DER encoded peer/remote certificate. Values have the form ``algorithm``:``fingerprint``. e.g.