[PATCH 02 of 10 v2] setup: require that Python supports TLS 1.1 and TLS 1.2

Sat, 30 May 2020 16:01:56 -0700 

# HG changeset patch
# User Manuel Jacob <m...@manueljacob.de>
# Date 1590874939 -7200
#      Sat May 30 23:42:19 2020 +0200
# Node ID b33cc1f796e9c3aa6df1e51d36f0b3c061dfee9e
# Parent  d5441892eb22aa451bb479919e95f671e99857eb
# EXP-Topic require_modern_ssl
setup: require that Python supports TLS 1.1 and TLS 1.2

This increases the minimum security baseline of Mercurial and enables us to
remove compatibility code that downgrades security if these features are not
available.

It is reasonable to expect that distributions having Python 2.7.9+ or having
backported modern features to the ssl module (which we require) have a OpenSSL
version supporting TLS 1.1 and TLS 1.2, as this is the main reason why
distributions would want to backport these features.

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -7,7 +7,9 @@
 == Backwards Compatibility Changes ==
 
 * Mercurial now requires at least Python 2.7.9 or a Python version that
-  backported modern SSL/TLS features (as defined in PEP 466).
+  backported modern SSL/TLS features (as defined in PEP 466), and that Python
+  was compiled against a OpenSSL version supporting TLS 1.1 and TLS 1.2
+  (likely this requires the OpenSSL version to be at least 1.0.1).
 
 
 == Internal API Changes ==
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -98,6 +98,19 @@ features.
     printf(error, file=sys.stderr)
     sys.exit(1)
 
+try:
+    ssl.PROTOCOL_TLSv1_1
+    ssl.PROTOCOL_TLSv1_2
+except AttributeError:
+    error = """
+The `ssl` module does not advertise support for TLS 1.1 and TLS 1.2.
+Please make sure that your Python installation was compiled against an OpenSSL
+version enabling these features (likely this requires the OpenSSL version to
+be at least 1.0.1).
+"""
+    printf(error, file=sys.stderr)
+    sys.exit(1)
+
 if sys.version_info[0] >= 3:
     DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:

_______________________________________________
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel

Reply via email to