Re: [PATCH] add support for specifying an SSL cipher list

Lars Kellogg-Stedman <lars@xxxxxxxxxx> writes:

> [Apologies for the dupe; this should have been cc'd to the list]
>
>> It is not clear to me what definition of "override" this sentence
>> uses.
>
> I was using it in what I thought was the common sense of "git will use
> the value in the environment variable if it exists rather than any
> value in the git configuration".  I apologize if this wasn't clear;
> can you suggest how I might rephrase that?

I was hinting that the usual "override" that needs to specify
the list to be used exactly would not be very useful, in that
people often want to say one of the three things:

 - allow this to be used in addition to what you usually use; or

 - what you usually use is fine, but never use this one as it was
   recently discovered to be insecure; or

 - I have something nonstandard configured but ignore that
   configuration for this invocation only and reset to the default
   behaviour.

If you are changing the behaviour in your reroll, I suspect you
wouldn't be doing the common "override".  If you are going to do the
'reset on empty', then 'You can set the environment variable to an
empty string to reset to the default cipher list used by libcURL.'
may be a natural way to describe it.

I briefly wondered if lack of the other two ("allow this too",
"forbid this") might become an issue not just for the environment,
but also for the configuration variable.  It is probably not a huge
issue because you can say "http.<url>.sslCipherList" to limit the
scope of the affected site [*1*].

CURLOPT_SSL_CIPHER_LIST appeared in cURL 7.9 which is relatively
ancient, so it should be safe to use (please write that down in your
commit log message).

Thanks.


[Footnote]

*1* And it is a bad idea to address "allow this too" and "forbid
    this" at our level---the semantics of CURLOPT_SSL_CIPHER_LIST
    given by libcURL itself depends on the crypto backend (when
    using OpenSSL and GnuTLS, you can say !, +, - to tweak; when
    using NSS, you can only say "use these and nothing else").
