From: Junio C Hamano <gitster@pobox.com>
To: Lars Kellogg-Stedman <lars@redhat.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] add support for specifying an SSL cipher list
Date: Thu, 07 May 2015 09:33:01 -0700
Message-ID: <xmqqvbg4qreq.fsf@gitster.dls.corp.google.com>
In-Reply-To: <20150507160413.GB16334@redhat.com> (Lars Kellogg-Stedman's message of "Thu, 7 May 2015 12:04:13 -0400")

Lars Kellogg-Stedman <lars@redhat.com> writes:

> [Apologies for the dupe; this should have been cc'd to the list]
>
>> It is not clear to me what definition of "override" this sentence
>> uses.
>
> I was using it in what I thought was the common sense of "git will use
> the value in the environment variable if it exists rather than any
> value in the git configuration". I apologize if this wasn't clear;
> can you suggest how I might rephrase that?

I was hinting that the usual "override" that needs to specify
the list to be used exactly would not be very useful, in that
people often want to say one of the three things:

 - allow this to be used in addition to what you usually use; or
 - what you usually use is fine, but never use this one as it was
   recently discovered to be insecure; or
 - I have something nonstandard configured but ignore that
   configuration for this invocation only and reset to the default
   behaviour.

If you are changing the behaviour in your reroll, I suspect you
wouldn't be doing the common "override". If you are going to do the
'reset on empty', then 'You can set the environment variable to an
empty string to reset to the default cipher list used by libcURL.'
may be a natural way to describe it.

I briefly wondered if lack of the other two ("allow this too",
"forbid this") might become an issue not just for the environment,
but also for the configuration variable. It is probably not a huge
issue because you can say "http.<url>.sslCipherList" to limit the
scope of the affected site [*1*].

CURLOPT_SSL_CIPHER_LIST appeared in cURL 7.9 which is relatively
ancient, so it should be safe to use (please write that down in your
commit log message).

Thanks.

[Footnote]

*1* And it is a bad idea to address "allow this too" and "forbid
    this" at our level---the semantics of CURLOPT_SSL_CIPHER_LIST
    given by libcURL itself depends on the crypto backend (when
    using OpenSSL and GnuTLS, you can say !, +, - to tweak; when
    using NSS, you can only say "use these and nothing else").
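
The following C sketch is an added example, not code from the patch or from git. It illustrates the 'reset on empty' precedence discussed in the message, plus a check for the backend-specific "!", "+", "-" entries mentioned in the footnote. The function names, the sample config value and the environment variable name GIT_SSL_CIPHER_LIST (not named in this message) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Pick the cipher list to hand to libcurl (hypothetical helper).
 * config_value and env_value are NULL when unset.  A NULL result means
 * "leave CURLOPT_SSL_CIPHER_LIST unset", i.e. use libcurl's default.
 */
static const char *effective_cipher_list(const char *config_value,
					  const char *env_value)
{
	if (env_value)	/* environment wins; an empty string resets */
		return *env_value ? env_value : NULL;
	if (config_value && *config_value)
		return config_value;
	return NULL;
}

/*
 * Return 1 if any ':'-separated entry starts with '!', '+' or '-'.
 * Per the footnote such entries tweak the list under OpenSSL and GnuTLS
 * but are not available with NSS, so the string is backend-specific.
 * A '-' inside a cipher name (e.g. AES128-SHA) is not a modifier.
 */
static int uses_list_modifiers(const char *list)
{
	const char *p = list;
	while (p && *p) {
		if (*p == '!' || *p == '+' || *p == '-')
			return 1;
		p = strchr(p, ':');	/* jump to the next entry, if any */
		if (p)
			p++;
	}
	return 0;
}

int main(void)
{
	/* Variable name is an assumption; the message does not name it. */
	const char *env = getenv("GIT_SSL_CIPHER_LIST");
	const char *cfg = "HIGH:!aNULL";	/* constructed sample config value */
	const char *list = effective_cipher_list(cfg, env);
	printf("cipher list: %s\n", list ? list : "(libcurl default)");
	if (list && uses_list_modifiers(list))
		printf("note: !/+/- entries depend on the crypto backend\n");
	return 0;
}
```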