Mercurial > hg
comparison mercurial/helptext/config.txt @ 52292:085cc409847d
sslutil: bump the default minimum TLS version of the client to 1.2 (BC)
TLS v1.0 and v1.1 are deprecated by RFC8996[1]:
These versions lack support for current and recommended cryptographic
algorithms and mechanisms, and various government and industry profiles of
applications using TLS now mandate avoiding these old TLS versions.
TLS version 1.2 became the recommended version for IETF protocols in
2008 (subsequently being obsoleted by TLS version 1.3 in 2018)...
Various browsers have disabled or removed it[2][3][4], as have various internet
services, and Windows 11 has it disabled by default[5]. We should move on too.
(We should also bump it on the server side, as this config only affects clients
not allowing a server to negotiate down. But the only server-side config is a
`devel` option to pick exactly one protocol version and is commented as a
footgun, so I'm hesitant to touch that. See 7dec5e441bf7 for details, which
states that using `hg serve` directly isn't expected for a web service.)
I'm not knowledgeable enough in this area to know if we should follow up with
disabling certain ciphers too. But this should provide better security on its
own.
[1] https://datatracker.ietf.org/doc/rfc8996/
[2] https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#sslversionmin
[3] https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/
[4] https://security.googleblog.com/2018/10/modernizing-transport-security.html
[5] https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947
author | Matt Harbison <matt_harbison@yahoo.com> |
---|---|
date | Mon, 11 Nov 2024 21:25:03 -0500 |
parents | b65085c6d6ff |
children |
comparison
equal
deleted
inserted
replaced
52291:b65085c6d6ff | 52292:085cc409847d |
---|---|
1536 Depending on the version of Python being used, not all of these values may | 1536 Depending on the version of Python being used, not all of these values may |
1537 be available. See ``hg debuginstall`` for the values supported by the | 1537 be available. See ``hg debuginstall`` for the values supported by the |
1538 current installation. | 1538 current installation. |
1539 | 1539 |
1540 When running a Python that supports modern TLS versions, the default is | 1540 When running a Python that supports modern TLS versions, the default is |
1541 ``tls1.1``. ``tls1.0`` can still be used to allow TLS 1.0. However, this | 1541 ``tls1.2``. ``tls1.0`` and ``tls1.1`` can still be used to allow TLS 1.0 |
1542 weakens security and should only be used as a feature of last resort if | 1542 or TLS 1.1 respectively, if supported by Python. However, this weakens |
1543 a server does not support TLS 1.1+. | 1543 security and should only be used as a feature of last resort if a server |
1544 does not support TLS 1.2+. | |
1544 | 1545 |
1545 Options in the ``[hostsecurity]`` section can have the form | 1546 Options in the ``[hostsecurity]`` section can have the form |
1546 ``hostname``:``setting``. This allows multiple settings to be defined on a | 1547 ``hostname``:``setting``. This allows multiple settings to be defined on a |
1547 per-host basis. | 1548 per-host basis. |
1548 | 1549 |