# HG changeset patch
# User Manuel Jacob <m...@manueljacob.de>
# Date 1590874939 -7200
# Sat May 30 23:42:19 2020 +0200
# Node ID b33cc1f796e9c3aa6df1e51d36f0b3c061dfee9e
# Parent d5441892eb22aa451bb479919e95f671e99857eb
# EXP-Topic require_modern_ssl
setup: require that Python supports TLS 1.1 and TLS 1.2
This increases the minimum security baseline of Mercurial and enables us to remove compatibility code that downgrades security if these features are not available. It is reasonable to expect that distributions having Python 2.7.9+ or having backported modern features to the ssl module (which we require) have a OpenSSL version supporting TLS 1.1 and TLS 1.2, as this is the main reason why distributions would want to backport these features.
diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -7,7 +7,9 @@
 == Backwards Compatibility Changes ==
 * Mercurial now requires at least Python 2.7.9 or a Python version that
- backported modern SSL/TLS features (as defined in PEP 466).
+ backported modern SSL/TLS features (as defined in PEP 466), and that Python
+ was compiled against a OpenSSL version supporting TLS 1.1 and TLS 1.2
+ (likely this requires the OpenSSL version to be at least 1.0.1).
 == Internal API Changes ==
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -98,6 +98,19 @@ features.
 printf(error, file=sys.stderr)
 sys.exit(1)
+try:
+ ssl.PROTOCOL_TLSv1_1
+ ssl.PROTOCOL_TLSv1_2
+except AttributeError:
+ error = """
+The `ssl` module does not advertise support for TLS 1.1 and TLS 1.2.
+Please make sure that your Python installation was compiled against an OpenSSL
+version enabling these features (likely this requires the OpenSSL version to
+be at least 1.0.1).
+"""
+ printf(error, file=sys.stderr)
+ sys.exit(1)
+
 if sys.version_info[0] >= 3:
 DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:
_______________________________________________
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
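Review bot: The new `try:` block in setup.py proves only that the interpreter running the build exposes `ssl.PROTOCOL_TLSv1_1` and `ssl.PROTOCOL_TLSv1_2`; it says nothing about the interpreter or OpenSSL build that later runs Mercurial (a binary package, a replaced system Python), so runtime code that drops its fallback on the strength of this gate should still fail closed when the protocols are missing. A comment above the block would make that limit explicit, e.g. `# Build-time gate only; the runtime interpreter must also provide TLS 1.1/1.2.` The bare attribute expressions also read as no-op statements to linters and reviewers; `if not (hasattr(ssl, 'PROTOCOL_TLSv1_1') and hasattr(ssl, 'PROTOCOL_TLSv1_2')):` states the intent directly. The presence of the constants reflects what the ssl module was compiled against, and presumably does not reveal protocols that are switched off by OpenSSL configuration or a system crypto policy.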