Mercurial Mercurial > hg / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
README
author Gregory Szorc <gregory.szorc@gmail.com>
Wed, 13 Jul 2016 21:35:54 -0700
changeset 29560 303e9300772a
parent 26421 4b0fc75f9403
child 33618 76b171209151
permissions -rw-r--r--
sslutil: require TLS 1.1+ when supported Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available. Security professionals recommend avoiding TLS 1.0 if possible. PCI DSS 3.1 "strongly encourages" the use of TLS 1.2. Known attacks like BEAST and POODLE exist against TLS 1.0 (although mitigations are available and properly configured servers aren't vulnerable). I asked Eric Rescorla - Mozilla's resident crypto expert - whether Mercurial should drop support for TLS 1.0. His response was "if you can get away with it." Essentially, a number of servers on the Internet don't support TLS 1.1+. This is why web browsers continue to support TLS 1.0 despite desires from security experts. This patch changes Mercurial's default behavior on modern Python versions to require TLS 1.1+, thus avoiding known security issues with TLS 1.0 and making Mercurial more secure by default. Rather than drop TLS 1.0 support wholesale, we still allow TLS 1.0 to be used if configured. This is a compromise solution - ideally we'd disallow TLS 1.0. However, since we're not sure how many Mercurial servers don't support TLS 1.1+ and we're not sure how much user inconvenience this change will bring, I think it is prudent to ship an escape hatch that still allows usage of TLS 1.0. In the default case our users get better security. In the worst case, they are no worse off than before this patch. This patch has no effect when running on Python versions that don't support TLS 1.1+. As the added test shows, connecting to a server that doesn't support TLS 1.1+ will display a warning message with a link to our wiki, where we can guide people to configure their client to allow less secure connections.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
12857
a9f91c844a3b README: add small introduction
Martin Geisler <mg@lazybytes.net>
parents: 12856
diff changeset 
     1
 
Mercurial
a9f91c844a3b README: add small introduction
Martin Geisler <mg@lazybytes.net>
parents: 12856
diff changeset 
     2
 
=========
a9f91c844a3b README: add small introduction
Martin Geisler <mg@lazybytes.net>
parents: 12856
diff changeset 
     3
 












a9f91c844a3b
README: add small introduction



Martin Geisler <mg@lazybytes.net>


parents: 
12856

diff
changeset




     4


Mercurial is a fast, easy to use, distributed revision control tool













a9f91c844a3b
README: add small introduction



Martin Geisler <mg@lazybytes.net>


parents: 
12856

diff
changeset




     5


for software developers.













a9f91c844a3b
README: add small introduction



Martin Geisler <mg@lazybytes.net>


parents: 
12856

diff
changeset




     6









3935






1158d7018052
Move README info to wiki



Matt Mackall <mpm@selenic.com>


parents: 
3847

diff
changeset




     7


Basic install:








0






9117c6561b0b
Add back links from file revisions to changeset revisions



mpm@selenic.com


parents: 

diff
changeset




     8









3935






1158d7018052
Move README info to wiki



Matt Mackall <mpm@selenic.com>


parents: 
3847

diff
changeset




     9


 $ make            # see install targets













1158d7018052
Move README info to wiki



Matt Mackall <mpm@selenic.com>


parents: 
3847

diff
changeset




    10


 $ make install    # do a system-wide install













1158d7018052
Move README info to wiki



Matt Mackall <mpm@selenic.com>


parents: 
3847

diff
changeset




    11


 $ hg debuginstall # sanity-check setup













1158d7018052
Move README info to wiki



Matt Mackall <mpm@selenic.com>


parents: 
3847

diff
changeset




    12


 $ hg              # see help








205






d255d99a7cbd
README: integrate some changes from Kevin Smith



mpm@selenic.com


parents: 
204

diff
changeset




    13









16217






df5ecb813426
readme: mention how to run in-place



Ross Lagerwall <rosslagerwall@gmail.com>


parents: 
12857

diff
changeset




    14


Running without installing:













df5ecb813426
readme: mention how to run in-place



Ross Lagerwall <rosslagerwall@gmail.com>


parents: 
12857

diff
changeset




    15














df5ecb813426
readme: mention how to run in-place



Ross Lagerwall <rosslagerwall@gmail.com>


parents: 
12857

diff
changeset




    16


 $ make local      # build for inplace usage













df5ecb813426
readme: mention how to run in-place



Ross Lagerwall <rosslagerwall@gmail.com>


parents: 
12857

diff
changeset




    17


 $ ./hg --version  # should show the latest version













df5ecb813426
readme: mention how to run in-place



Ross Lagerwall <rosslagerwall@gmail.com>


parents: 
12857

diff
changeset




    18









26421






4b0fc75f9403
urls: bulk-change primary website URLs



Matt Mackall <mpm@selenic.com>


parents: 
16217

diff
changeset




    19


See https://mercurial-scm.org/ for detailed installation








3935






1158d7018052
Move README info to wiki



Matt Mackall <mpm@selenic.com>


parents: 
3847

diff
changeset




    20


instructions, platform-specific notes, and Mercurial user information.















Mercurial