# HG changeset patch # User Manuel Jacob <m...@manueljacob.de> # Date 1590874939 -7200 # Sat May 30 23:42:19 2020 +0200 # Node ID 0b80baeded449c19f89d4b6cec2a00eec4d286a7 # Parent 61cdc8137d5326ed075b982693469a2134365ff5 # EXP-Topic require_modern_ssl setup: require that Python has TLS 1.1 or TLS 1.2
This increases the minimum security baseline of Mercurial (up from TLS 1.0) and enables us to remove compatibility code that downgrades security if these features are not available. It is reasonable to expect that distributions having Python 2.7.9+ or having backported modern features to the ssl module (which we require) have a OpenSSL version supporting TLS 1.1 or TLS 1.2, as this is the main reason why distributions would want to backport these features. TLS 1.1 and TLS 1.2 are often either both enabled or both not enabled. However, both can be disabled independently, at least on current Python / OpenSSL versions. ssl.HAS_TLSv1_1 / ssl.HAS_TLSv1_2 are preferred to check support but they were added in Python 3.7. ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 were deprecated in Python 3.6, but checking their presence is good enough for older Python versions.
diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -7,7 +7,9 @@
 == Backwards Compatibility Changes ==
 * Mercurial now requires at least Python 2.7.9 or a Python version that
- backported modern SSL/TLS features (as defined in PEP 466).
+ backported modern SSL/TLS features (as defined in PEP 466), and that Python
+ was compiled against a OpenSSL version supporting TLS 1.1 or TLS 1.2
+ (likely this requires the OpenSSL version to be at least 1.0.1).
 == Internal API Changes ==
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -98,6 +98,23 @@ features.
 printf(error, file=sys.stderr)
 sys.exit(1)
+_notset = object()
+has_tlsv1_1 = getattr(ssl, 'HAS_TLSv1_1', _notset)
+if has_tlsv1_1 is _notset:
+    has_tlsv1_1 = getattr(ssl, 'PROTOCOL_TLSv1_1', _notset) is not _notset
+has_tlsv1_2 = getattr(ssl, 'HAS_TLSv1_2', _notset)
+if has_tlsv1_2 is _notset:
+    has_tlsv1_2 = getattr(ssl, 'PROTOCOL_TLSv1_2', _notset) is not _notset
+if not (has_tlsv1_1 or has_tlsv1_2):
+    error = """
+The `ssl` module does not advertise support for TLS 1.1 or TLS 1.2.
+Please make sure that your Python installation was compiled against an OpenSSL
+version enabling these features (likely this requires the OpenSSL version to
+be at least 1.0.1).
+"""
+    printf(error, file=sys.stderr)
+    sys.exit(1)
 if sys.version_info[0] >= 3:
     DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:
_______________________________________________
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
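Review bot: Both tiers of the new check are build-time signals — as far as I can tell `ssl.HAS_TLSv1_1`/`HAS_TLSv1_2` and the presence of the `PROTOCOL_TLSv1_*` constants are fixed when `_ssl` is compiled — so a host whose runtime OpenSSL or system crypto policy disables those versions would still pass `if not (has_tlsv1_1 or has_tlsv1_2):`, and nothing in the hunk states that this is the accepted limit of the check. A comment above `_notset = object()` would keep that rationale in the code rather than only in the commit message, e.g. `# HAS_TLSv1_1/HAS_TLSv1_2 exist only on Python 3.7+; older Pythons fall back to the presence of the (deprecated) PROTOCOL_TLSv1_* constants. Both reflect the OpenSSL headers Python was built against, not the library loaded at run time.` The four `getattr` lines are the same two-step probe written twice; a small local helper taking the two attribute names would state the rule once, though that is a matter of taste. The `or` also means an interpreter exposing TLS 1.1 but not TLS 1.2 passes, which matches the commit's stated baseline but is worth keeping in mind when this check is tightened later.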