[PATCH 00 of 15] require modern SSL/TLS implementation

2020-05-30 Thread Manuel Jacob

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


[PATCH 05 of 15] hgweb: avoid using `sslutil.modernssl`

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590807553 -7200
#  Sat May 30 04:59:13 2020 +0200
# Node ID f8ae379a8dcfebbec6cf6570d8d38fa1e3b6bcea
# Parent  fa4460229a8d1a392564d0cbe78216760154822c
# EXP-Topic require_modern_ssl
hgweb: avoid using `sslutil.modernssl`

`sslutil.modernssl` is going to be removed. Since the point of using this
attribute was to check the importability of `sslutil`, a different
attribute can be used. `sslutil.wrapserversocket` is used because it is
used anyway a few lines below.

diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py
--- a/mercurial/hgweb/server.py
+++ b/mercurial/hgweb/server.py
@@ -313,7 +313,7 @@ class _httprequesthandlerssl(_httpreques
 try:
 from .. import sslutil
 
-sslutil.modernssl
+sslutil.wrapserversocket
 except ImportError:
 raise error.Abort(_(b"SSL support is unavailable"))
 
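Review bot: the bare `sslutil.wrapserversocket` expression on the `+` line guards nothing on its own: `from .. import sslutil` already raises ImportError when the `ssl` module is missing, because sslutil does `import ssl` at module level (visible in the first sslutil hunk of [PATCH v2] on this page). Either drop the line, or add a comment stating that the attribute access is an intentional probe so linters do not flag it as a useless expression.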


[PATCH 09 of 15] tests: remove "sslcontext" check

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590809273 -7200
#  Sat May 30 05:27:53 2020 +0200
# Node ID 13922e383d20ca51752a2c3bd16429a5b0e30397
# Parent  9ae0e1b1a499dfce1807e3c9ec5c03714c6f154a
# EXP-Topic require_modern_ssl
tests: remove "sslcontext" check

Now that we require the presence of ssl.SSLContext in setup.py, the check
would always return `True`.

diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -645,25 +645,11 @@ def has_ssl():
 return False
 
 
-@check("sslcontext", "python >= 2.7.9 ssl")
-def has_sslcontext():
-try:
-import ssl
-
-ssl.SSLContext
-return True
-except (ImportError, AttributeError):
-return False
-
-
 @check("defaultcacertsloaded", "detected presence of loaded system CA certs")
 def has_defaultcacertsloaded():
 import ssl
 from mercurial import sslutil, ui as uimod
 
-if not has_sslcontext():
-return False
-
 ui = uimod.ui.load()
 cafile = sslutil._defaultcacerts(ui)
 ctx = ssl.create_default_context()
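Review bot: removing the `sslcontext` feature from hghave.py means any `#if sslcontext` / `#if no-sslcontext` guard still left in the test suite fails with an unknown feature name; this patch updates test-clonebundles.t and test-https.t, so the commit message should state that a grep over tests/ finds no other users of the feature.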
diff --git a/tests/test-clonebundles.t b/tests/test-clonebundles.t
--- a/tests/test-clonebundles.t
+++ b/tests/test-clonebundles.t
@@ -255,7 +255,8 @@ Automatic fallback when all entries are 
   added 2 changesets with 2 changes to 2 files
   new changesets 53245c60e682:aaff8d2ffbbf
 
-URLs requiring SNI are filtered in Python <2.7.9
+We require a Python version that supports SNI. Therefore, URLs requiring SNI
+are not filtered.
 
   $ cp full.hg sni.hg
   $ cat > server/.hg/clonebundles.manifest << EOF
@@ -263,9 +264,6 @@ URLs requiring SNI are filtered in Pytho
   > http://localhost:$HGPORT1/full.hg
   > EOF
 
-#if sslcontext
-Python 2.7.9+ support SNI
-
   $ hg clone -U http://localhost:$HGPORT sni-supported
   applying clone bundle from http://localhost:$HGPORT1/sni.hg
   adding changesets
@@ -276,20 +274,6 @@ Python 2.7.9+ support SNI
   searching for changes
   no changes found
   2 local changesets published
-#else
-Python <2.7.9 will filter SNI URLs
-
-  $ hg clone -U http://localhost:$HGPORT sni-unsupported
-  applying clone bundle from http://localhost:$HGPORT1/full.hg
-  adding changesets
-  adding manifests
-  adding file changes
-  added 2 changesets with 2 changes to 2 files
-  finished applying clone bundle
-  searching for changes
-  no changes found
-  2 local changesets published
-#endif
 
 Stream clone bundles are supported
 
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -49,38 +49,13 @@ Test server address cannot be reused
 Our test cert is not signed by a trusted CA. It should fail to verify if
 we are able to load CA certs.
 
-#if sslcontext no-defaultcacertsloaded
+#if no-defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   (an attempt was made to load CA certificates but none were loaded; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this error)
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
 
-#if no-sslcontext
-  $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (using CA certificates from *; if you see this message, your Mercurial 
install is not properly configured; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
-  abort: error: *certificate verify failed* (glob)
-  [255]
-#endif
-
-#if no-sslcontext windows
-  $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info
-  (unable to load Windows CA certificates; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message)
-  abort: error: *certificate verify failed* (glob)
-  [255]
-#endif
-
-#if no-sslcontext osx
-  $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info
-  (unable to load CA certificates; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message)
-  abort: localhost certificate error: no certificate received
-  (set 
hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
 config setting or use --insecure to connect insecurely)
-  [255]
-#endif
-
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
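Review bot: the deleted `no-sslcontext` blocks expected a TLS 1.0 downgrade warning and a pinned certificate fingerprint, and the surviving `#if no-defaultcacertsloaded` block keeps the hard abort on `certificate verify failed`, which is the behaviour to preserve. The posted mail is cut off at the `@@ -101,35 +76,21 @@` hunk header that follows, so the rest of the test-https.t change could not be reviewed here; please resend if the mailer dropped it.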
@@ -101,35 +76,21 @@ C:/path/to/msysroot will print 

Re: [PATCH 09 of 15] tests: remove "sslcontext" check

2020-05-30 Thread Yuya Nishihara
On Sat, 30 May 2020 07:52:21 +0200, Manuel Jacob wrote:
> # HG changeset patch
> # User Manuel Jacob 
> # Date 1590809273 -7200
> #  Sat May 30 05:27:53 2020 +0200
> # Node ID 13922e383d20ca51752a2c3bd16429a5b0e30397
> # Parent  9ae0e1b1a499dfce1807e3c9ec5c03714c6f154a
> # EXP-Topic require_modern_ssl
> tests: remove "sslcontext" check

Queued up to this patch, thanks.


[PATCH 14 of 15] tests: remove "tls1.2" check

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590816692 -7200
#  Sat May 30 07:31:32 2020 +0200
# Node ID 115c95a26b530486ebf9000ad5b7dc6a0c188e7a
# Parent  e42ce24c506a9336dd6ecc8b4f83889580d8af6b
# EXP-Topic require_modern_ssl
tests: remove "tls1.2" check

Now that we require that the underlying Python version supports TLS 1.2, the
check would always return `True`.

diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -661,13 +661,6 @@ def has_defaultcacertsloaded():
 return len(ctx.get_ca_certs()) > 0
 
 
-@check("tls1.2", "TLS 1.2 protocol support")
-def has_tls1_2():
-from mercurial import sslutil
-
-return b'tls1.2' in sslutil.supportedprotocols
-
-
 @check("windows", "Windows")
 def has_windows():
 return os.name == 'nt'
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -387,7 +387,6 @@ Ports used by next test. Kill servers.
   $ killdaemons.py hg1.pid
   $ killdaemons.py hg2.pid
 
-#if tls1.2
 Start servers running supported TLS versions
 
   $ cd test
@@ -478,7 +477,6 @@ The per-host config option by itself wor
   $ killdaemons.py hg0.pid
   $ killdaemons.py hg1.pid
   $ killdaemons.py hg2.pid
-#endif
 
 Prepare for connecting through proxy
 
diff --git a/tests/test-wireproto-content-redirects.t 
b/tests/test-wireproto-content-redirects.t
--- a/tests/test-wireproto-content-redirects.t
+++ b/tests/test-wireproto-content-redirects.t
@@ -69,21 +69,18 @@ Redirect targets advertised when configu
   s> Content-Length: 2308\r\n
   s> \r\n
   s> 
\xa3GapibaseDapi/Dapis\xa1Pexp-http-v2-0003\xa5Hcommands\xacIbranchmap\xa2Dargs\xa0Kpermissions\x81DpullLcapabilities\xa2Dargs\xa0Kpermissions\x81DpullMchangesetdata\xa2Dargs\xa2Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x84IbookmarksGparentsEphaseHrevisionIrevisions\xa2Hrequired\xf5DtypeDlistKpermissions\x81DpullHfiledata\xa2Dargs\xa4Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x83HlinknodeGparentsHrevisionKhaveparents\xa3Gdefault\xf4Hrequired\xf4DtypeDboolEnodes\xa2Hrequired\xf5DtypeDlistDpath\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullIfilesdata\xa3Dargs\xa4Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x84NfirstchangesetHlinknodeGparentsHrevisionKhaveparents\xa3Gdefault\xf4Hrequired\xf4DtypeDboolJpathfilter\xa3Gdefault\xf6Hrequired\xf4DtypeDdictIrevisions\xa2Hrequired\xf5DtypeDlistKpermissions\x81DpullTrecommendedbatchsize\x19\xc3PEheads\xa2Dargs\xa1Jpubliconly\xa3Gdefault\xf4Hrequired\xf4DtypeDboolKpermissions\x81DpullEknown\xa2Dargs\xa1Enodes\xa3Gdefault\x80Hrequired\xf4DtypeDlistKpermissions\x81DpullHlistkeys\xa2Dargs\xa1Inamespace\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullFlookup\xa2Dargs\xa1Ckey\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullLmanifestdata\xa3Dargs\xa4Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x82GparentsHrevisionKhaveparents\xa3Gdefault\xf4Hrequired\xf4DtypeDboolEnodes\xa2Hrequired\xf5DtypeDlistDtree\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullTrecommendedbatchsize\x1a\x00\x01\x86\xa0Gpushkey\xa2Dargs\xa4Ckey\xa2Hrequired\xf5DtypeEbytesInamespace\xa2Hrequired\xf5DtypeEbytesCnew\xa2Hrequired\xf5DtypeEbytesCold\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpushPrawstorefiledata\xa2Dargs\xa2Efiles\xa2Hrequired\xf5DtypeDlistJpathfilter\xa3Gdefault\xf6Hrequired\xf4DtypeDlistKpermissions\x81DpullQframingmediatypes\x81X/mercurial-exp-framing-0006Rpathfilterprefixes\xd9\x01\x02\x82Epath:
Lrootfilesin:Nrawrepoformats\x83LgeneraldeltaHrevlogv1LsparserevlogHredirect\xa2Fhashes\x82Fsha256Dsha1Gtargets\x81\xa5DnameHtarget-aHprotocolDhttpKsnirequired\xf4Ktlsversions\x82C1.2C1.3Duris\x81Shttp://example.com/Nv1capabilitiesY\x01\xf7batch
 branchmap $USUAL_BUNDLE2_CAPS$ changegroupsubset 
compression=$BUNDLE2_COMPRESSIONS$ getbundle httpheader=1024 
httpmediatype=0.1rx,0.1tx,0.2tx known lookup pushkey 
streamreqs=generaldelta,revlogv1,sparserevlog unbundle=HG10GZ,HG10BZ,HG10UN 
unbundlehash
-  (remote redirect target target-a is compatible) (tls1.2 !)
-  (remote redirect target target-a requires unsupported TLS versions: 1.2, 
1.3) (no-tls1.2 !)
+  (remote redirect target target-a is compatible)
   sending capabilities command
   s> setsockopt(6, 1, 1) -> None (?)
   s> POST /api/exp-http-v2-0003/ro/capabilities HTTP/1.1\r\n
   s> Accept-Encoding: identity\r\n
   s> accept: application/mercurial-exp-framing-0006\r\n
   s> content-type: application/mercurial-exp-framing-0006\r\n
-  s> content-length: 111\r\n (tls1.2 !)
-  s> content-length: 102\r\n (no-tls1.2 !)
+  s> content-length: 111\r\n
   s> host: $LOCALIP:$HGPORT\r\n (glob)
   s> user-agent: Mercurial debugwireproto\r\n
   s> \r\n
-  s> 
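Review bot: the final `-  s> ` line has no visible `+` counterpart and the hunk stops there, so the change to that framing line cannot be reviewed; the mail looks truncated. The collapse to an unconditional `content-length: 111` is consistent with the now-unconditional `(remote redirect target target-a is compatible)` line: the target advertising `tlsversions` 1.2 and 1.3 is always accepted once TLS 1.2 support is a hard requirement.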

[PATCH 03 of 15] sslutil: remove code checking for presence of ssl.SSLContext

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590779902 -7200
#  Fri May 29 21:18:22 2020 +0200
# Node ID 4b0fc7112e0c75ae290e9204bd9efdca841244df
# Parent  c8a697e466dec7726cf0e5d30dafcc37f13196f0
# EXP-Topic require_modern_ssl
sslutil: remove code checking for presence of ssl.SSLContext

Now that we require the presence of ssl.SSLContext in setup.py, we can remove
this code.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -33,9 +33,8 @@ from .utils import (
 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
 # all exposed via the "ssl" module.
 #
-# Depending on the version of Python being used, SSL/TLS support is either
-# modern/secure or legacy/insecure. Many operations in this module have
-# separate code paths depending on support in Python.
+# We require in setup.py the presence of ssl.SSLContext, which indicates modern
+# SSL/TLS support.
 
 configprotocols = {
 b'tls1.0',
@@ -53,67 +52,8 @@ if util.safehasattr(ssl, b'PROTOCOL_TLSv
 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
 supportedprotocols.add(b'tls1.2')
 
-try:
-# ssl.SSLContext was added in 2.7.9 and presence indicates modern
-# SSL/TLS features are available.
-SSLContext = ssl.SSLContext
-modernssl = True
-_canloaddefaultcerts = True
-except AttributeError:
-modernssl = False
-_canloaddefaultcerts = False
-
-# We implement SSLContext using the interface from the standard library.
-class SSLContext(object):
-def __init__(self, protocol):
-# From the public interface of SSLContext
-self.protocol = protocol
-self.check_hostname = False
-self.options = 0
-self.verify_mode = ssl.CERT_NONE
-
-# Used by our implementation.
-self._certfile = None
-self._keyfile = None
-self._certpassword = None
-self._cacerts = None
-self._ciphers = None
-
-def load_cert_chain(self, certfile, keyfile=None, password=None):
-self._certfile = certfile
-self._keyfile = keyfile
-self._certpassword = password
-
-def load_default_certs(self, purpose=None):
-pass
-
-def load_verify_locations(self, cafile=None, capath=None, cadata=None):
-if capath:
-raise error.Abort(_(b'capath not supported'))
-if cadata:
-raise error.Abort(_(b'cadata not supported'))
-
-self._cacerts = cafile
-
-def set_ciphers(self, ciphers):
-self._ciphers = ciphers
-
-def wrap_socket(self, socket, server_hostname=None, server_side=False):
-# server_hostname is unique to SSLContext.wrap_socket and is used
-# for SNI in that context. So there's nothing for us to do with it
-# in this legacy code since we don't support SNI.
-
-args = {
-'keyfile': self._keyfile,
-'certfile': self._certfile,
-'server_side': server_side,
-'cert_reqs': self.verify_mode,
-'ssl_version': self.protocol,
-'ca_certs': self._cacerts,
-'ciphers': self._ciphers,
-}
-
-return ssl.wrap_socket(socket, **args)
+modernssl = True
+_canloaddefaultcerts = True
 
 
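Review bot: the removed emulation class's `wrap_socket` silently discarded `server_hostname` and fell through to `ssl.wrap_socket`, i.e. it produced connections without SNI, so deleting it closes a genuine downgrade path. `modernssl` and `_canloaddefaultcerts` are now module constants set to True; every branch on them is dead and should be folded out (the series does this for `modernssl` in [PATCH 06 of 15]; `_canloaddefaultcerts` deserves the same treatment).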
 def _hostsettings(ui, hostname):
@@ -414,7 +354,7 @@ def wrapsocket(sock, keyfile, certfile, 
 # bundle with a specific CA cert removed. If the system/default CA bundle
 # is loaded and contains that removed CA, you've just undone the user's
 # choice.
-sslcontext = SSLContext(settings[b'protocol'])
+sslcontext = ssl.SSLContext(settings[b'protocol'])
 
 # This is a no-op unless using modern ssl.
 sslcontext.options |= settings[b'ctxoptions']
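Review bot: the comment `# This is a no-op unless using modern ssl.` above `sslcontext.options |= settings[b'ctxoptions']` is stale now that `ssl.SSLContext` is always the real class; drop it so readers do not look for a legacy path that no longer exists.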
@@ -642,7 +582,7 @@ def wrapserversocket(
 # We /could/ use create_default_context() here since it doesn't load
 # CAs when configured for client auth. However, it is hard-coded to
 # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
-sslcontext = SSLContext(protocol)
+sslcontext = ssl.SSLContext(protocol)
 sslcontext.options |= options
 
 # Improve forward secrecy.
@@ -654,7 +594,7 @@ def wrapserversocket(
 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 
0)
 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
 else:
-sslcontext = SSLContext(ssl.PROTOCOL_TLSv1)
+sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 
 if requireclientcert:
 sslcontext.verify_mode = ssl.CERT_REQUIRED
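Review bot: the `else:` branch `sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)` now builds a real context pinned to TLS 1.0 only, and it is unreachable because `modernssl` is set to a constant True earlier in this patch; fold it out rather than leaving a TLS 1.0-only fallback in the server path.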



[PATCH 10 of 15] sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590783568 -7200
#  Fri May 29 22:19:28 2020 +0200
# Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
# Parent  13922e383d20ca51752a2c3bd16429a5b0e30397
# EXP-Topic require_modern_ssl
sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -44,13 +44,18 @@ configprotocols = {
 
 hassni = getattr(ssl, 'HAS_SNI', False)
 
-# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
-# against doesn't support them.
-supportedprotocols = {b'tls1.0'}
-if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
-supportedprotocols.add(b'tls1.1')
-if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
-supportedprotocols.add(b'tls1.2')
+# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on 2012-03-14.
+# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
+# distributions having Python 2.7.9+ or having backported modern features to
+# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure, we assert
+# that support is actually present.
+assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
+assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
+supportedprotocols = {
+b'tls1.0',
+b'tls1.1',
+b'tls1.2',
+}
 
 
 def _hostsettings(ui, hostname):
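Review bot: `assert` statements are stripped when Python runs with `-O`, so the two `assert util.safehasattr(ssl, ...)` lines give no guarantee in optimized mode, and in normal mode they surface as an AssertionError at import time, which callers that catch ImportError/AttributeError around `import sslutil` will not handle. Raise an explicit exception with a message naming the missing `PROTOCOL_TLSv1_1` / `PROTOCOL_TLSv1_2` attribute instead.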



[PATCH 02 of 15] setup: require a Python version with modern SSL features

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590779246 -7200
#  Fri May 29 21:07:26 2020 +0200
# Node ID c8a697e466dec7726cf0e5d30dafcc37f13196f0
# Parent  45c87d05a2ba00d32181c94bf56d52f48f9c9f02
# EXP-Topic require_modern_ssl
setup: require a Python version with modern SSL features

This increases the minimum security baseline of Mercurial and enables us to
remove compatibility code for supporting older, less secure Python versions.

diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -83,6 +83,20 @@ Python {py} detected.
 printf(error, file=sys.stderr)
 sys.exit(1)
 
+import ssl
+try:
+ssl.SSLContext
+except AttributeError:
+error = """
+The `ssl` module does not have the `SSLContext` class. This indicates an old
+Python version which does not support modern security features (which were
+added to Python 2.7 as part of "PEP 466"). Please make sure you have installed
+at least Python 2.7.9 or a Python version with backports of these security
+features.
+"""
+printf(error, file=sys.stderr)
+sys.exit(1)
+
 if sys.version_info[0] >= 3:
 DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:
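Review bot: `import ssl` at the top of the new block itself raises ImportError on a Python built without the ssl module, and only AttributeError is caught, so such a build gets a bare traceback instead of the friendly message. Either catch `(ImportError, AttributeError)` and adjust the text, or state explicitly that ssl-less builds are unsupported.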



[PATCH 06 of 15] sslutil: eliminate `modernssl` by constant-folding code using it

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590780604 -7200
#  Fri May 29 21:30:04 2020 +0200
# Node ID 0f3d341877afb1bb05ec8abc5e4bbc5d318a6d41
# Parent  f8ae379a8dcfebbec6cf6570d8d38fa1e3b6bcea
# EXP-Topic require_modern_ssl
sslutil: eliminate `modernssl` by constant-folding code using it

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -52,7 +52,6 @@ if util.safehasattr(ssl, b'PROTOCOL_TLSv
 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
 supportedprotocols.add(b'tls1.2')
 
-modernssl = True
 _canloaddefaultcerts = True
 
 
@@ -399,8 +398,6 @@ def wrapsocket(sock, keyfile, certfile, 
 # If we're doing certificate verification and no CA certs are loaded,
 # that is almost certainly the reason why verification failed. Provide
 # a hint to the user.
-# Only modern ssl module exposes SSLContext.get_ca_certs() so we can
-# only show this warning if modern ssl is available.
 # The exception handler is here to handle bugs around cert attributes:
 # https://bugs.python.org/issue20916#msg213479.  (See issues5313.)
 # When the main 20916 bug occurs, 'sslcontext.get_ca_certs()' is a
@@ -409,7 +406,6 @@ def wrapsocket(sock, keyfile, certfile, 
 if (
 caloaded
 and settings[b'verifymode'] == ssl.CERT_REQUIRED
-and modernssl
 and not sslcontext.get_ca_certs()
 ):
 ui.warn(
@@ -569,23 +565,20 @@ def wrapserversocket(
 _(b'invalid value for serverexactprotocol: %s') % exactprotocol
 )
 
-if modernssl:
-# We /could/ use create_default_context() here since it doesn't load
-# CAs when configured for client auth. However, it is hard-coded to
-# use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
-sslcontext = ssl.SSLContext(protocol)
-sslcontext.options |= options
+# We /could/ use create_default_context() here since it doesn't load
+# CAs when configured for client auth. However, it is hard-coded to
+# use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
+sslcontext = ssl.SSLContext(protocol)
+sslcontext.options |= options
 
-# Improve forward secrecy.
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+# Improve forward secrecy.
+sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
+sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
 
-# Use the list of more secure ciphers if found in the ssl module.
-if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
-sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 
0)
-sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
-else:
-sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+# Use the list of more secure ciphers if found in the ssl module.
+if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
+sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
 
 if requireclientcert:
 sslcontext.verify_mode = ssl.CERT_REQUIRED
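Review bot: `if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):` depends on a private CPython attribute; when it is absent the server silently runs with the interpreter's default cipher list and without `OP_CIPHER_SERVER_PREFERENCE`. Consider a hard-coded cipher string fallback, or at least a `ui.warn`, in that case so the weaker configuration is visible to the operator.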



[Bug 6338] New: filemap need files-list support

2020-05-30 Thread mercurial-bugs
https://bz.mercurial-scm.org/show_bug.cgi?id=6338

Bug ID: 6338
   Summary: filemap need files-list support
   Product: Mercurial
   Version: 5.4rc0
  Hardware: All
OS: All
Status: UNCONFIRMED
  Severity: feature
  Priority: wish
 Component: convert
  Assignee: bugzi...@mercurial-scm.org
  Reporter: alexraynepe...@gmail.com
CC: duri...@gmail.com, mercurial-devel@mercurial-scm.org
Python Version: ---

There (#4308) was already a request for support of glob pattern syntax for filemap
commands.

IMHO, it would be great if support for files-list items were provided.

Such a files list can be generated easily, like ... grep > list

But prefixing all items in this list is more complex, and not trivial.



Re: [PATCH 10 of 15] sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Yuya Nishihara
On Sat, 30 May 2020 07:52:22 +0200, Manuel Jacob wrote:
> # HG changeset patch
> # User Manuel Jacob 
> # Date 1590783568 -7200
> #  Fri May 29 22:19:28 2020 +0200
> # Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
> # Parent  13922e383d20ca51752a2c3bd16429a5b0e30397
> # EXP-Topic require_modern_ssl
> sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2
> 
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -44,13 +44,18 @@ configprotocols = {
>  
>  hassni = getattr(ssl, 'HAS_SNI', False)
>  
> -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
> -# against doesn't support them.
> -supportedprotocols = {b'tls1.0'}
> -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
> -supportedprotocols.add(b'tls1.1')
> -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
> -supportedprotocols.add(b'tls1.2')
> +# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on 2012-03-14.
> +# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
> +# distributions having Python 2.7.9+ or having backported modern features to
> +# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure, we 
> assert
> +# that support is actually present.
> +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
> +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')

Can we expect that old RHEL/CentOS migrated to OpenSSL 1.0.1+?
I hope they did, but I'm not sure.

Also, raising AssertionError at import time might break client code, which
would expect ImportError/AttributeError on import error.


[PATCH 11 of 15] sslutil: remove comment referring to unsupported legacy stacks

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590785278 -7200
#  Fri May 29 22:47:58 2020 +0200
# Node ID 34c4c1b13c793f5860c840043fbf8e4b2eb8a9a2
# Parent  38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
# EXP-Topic require_modern_ssl
sslutil: remove comment referring to unsupported legacy stacks

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -258,9 +258,7 @@ def protocolsettings(protocol):
 raise ValueError(b'protocol value not supported: %s' % protocol)
 
 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
-# that both ends support, including TLS protocols. On legacy stacks,
-# the highest it likely goes is TLS 1.0. On modern stacks, it can
-# support TLS 1.2.
+# that both ends support, including TLS protocols.
 #
 # The PROTOCOL_TLSv* constants select a specific TLS version
 # only (as opposed to multiple versions). So the method for



[PATCH 15 of 15] sslutil: remove fallback for `ssl` attributes that we can assume to be present

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590806514 -7200
#  Sat May 30 04:41:54 2020 +0200
# Node ID c9b1893bc6f9e93599187d3f38c5fce282b045b8
# Parent  115c95a26b530486ebf9000ad5b7dc6a0c188e7a
# EXP-Topic require_modern_ssl
sslutil: remove fallback for `ssl` attributes that we can assume to be present

Two requirements need to be satisfied for this to work.

1) The Python version must support these attributes. I checked that this is
the case for Python 2.7.9 (which added `ssl.SSLContext`) and the version that
backported `ssl.SSLContext` to RHEL7.

2) The OpenSSL version Python is compiled against must support them. I checked
that OpenSSL 1.0.1, which we require for TLS 1.1 and TLS 1.2 support, supports
them.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -42,7 +42,7 @@ configprotocols = {
 b'tls1.2',
 }
 
-hassni = getattr(ssl, 'HAS_SNI', False)
+hassni = ssl.HAS_SNI
 
 # TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on 2012-03-14.
 # OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
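Review bot: once `getattr(ssl, 'HAS_SNI', False)` and the other `getattr` fallbacks in this file are gone, the `from .pycompat import getattr` import in sslutil looks unused; [PATCH v2] of this change on this page removes it, so this v1 should be dropped in favour of v2.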
@@ -262,8 +262,7 @@ def protocolsettings(protocol):
 raise error.Abort(_(b'this should not happen'))
 
 # Prevent CRIME.
-# There is no guarantee this attribute is defined on the module.
-options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+options |= ssl.OP_NO_COMPRESSION
 
 return ssl.PROTOCOL_SSLv23, options, protocol
 
@@ -504,13 +503,12 @@ def wrapserversocket(
 sslcontext.options |= options
 
 # Improve forward secrecy.
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+sslcontext.options |= ssl.OP_SINGLE_DH_USE
+sslcontext.options |= ssl.OP_SINGLE_ECDH_USE
 
-# Use the list of more secure ciphers if found in the ssl module.
-if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
-sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
-sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+# Use the list of more secure ciphers.
+sslcontext.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
+sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
 
 if requireclientcert:
 sslcontext.verify_mode = ssl.CERT_REQUIRED
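Review bot: `ssl._RESTRICTED_SERVER_CIPHERS` is a private CPython name with no compatibility guarantee, and using it unconditionally turns what was a silently weaker cipher list into an AttributeError at server start on an interpreter that lacks it. A cipher string under Mercurial's own control would be both more robust and easier to audit than depending on the stdlib's private default.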



[PATCH v2] sslutil: remove fallback for `ssl` attributes that we can assume to be present

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590806514 -7200
#  Sat May 30 04:41:54 2020 +0200
# Node ID 7a6519cba165ec9dced7465359d2937cc7587328
# Parent  7e15b535202e2ac21349cb5b66c3374e176d3bab
# EXP-Topic require_modern_ssl
sslutil: remove fallback for `ssl` attributes that we can assume to be present

Two requirements need to be satisfied for this to work.

1) The Python version must support these attributes. I checked that this is
the case for Python 2.7.9 (which added `ssl.SSLContext`) and the version that
backported `ssl.SSLContext` to RHEL7.

2) The OpenSSL version Python is compiled against must support them. I checked
that OpenSSL 1.0.1, which we require for TLS 1.1 and TLS 1.2 support, supports
them.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -15,7 +15,6 @@ import re
 import ssl
 
 from .i18n import _
-from .pycompat import getattr
 from . import (
 encoding,
 error,
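Review bot: with `from .pycompat import getattr` removed, any `getattr(...)` call still left in sslutil resolves to the builtin; pycompat's wrapper exists to accept bytes attribute names on Python 3, so please verify that no remaining call in this module passes a `b'...'` name.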
@@ -42,7 +41,7 @@ configprotocols = {
 b'tls1.2',
 }
 
-hassni = getattr(ssl, 'HAS_SNI', False)
+hassni = ssl.HAS_SNI
 
 # TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on 2012-03-14.
 # OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
@@ -262,8 +261,7 @@ def protocolsettings(protocol):
 raise error.Abort(_(b'this should not happen'))
 
 # Prevent CRIME.
-# There is no guarantee this attribute is defined on the module.
-options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+options |= ssl.OP_NO_COMPRESSION
 
 return ssl.PROTOCOL_SSLv23, options, protocol
 
@@ -504,13 +502,12 @@ def wrapserversocket(
 sslcontext.options |= options
 
 # Improve forward secrecy.
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+sslcontext.options |= ssl.OP_SINGLE_DH_USE
+sslcontext.options |= ssl.OP_SINGLE_ECDH_USE
 
-# Use the list of more secure ciphers if found in the ssl module.
-if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
-sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
-sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+# Use the list of more secure ciphers.
+sslcontext.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
+sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
 
 if requireclientcert:
 sslcontext.verify_mode = ssl.CERT_REQUIRED



Re: [PATCH 05 of 15] hgweb: avoid using `sslutil.modernssl`

2020-05-30 Thread Yuya Nishihara
On Sat, 30 May 2020 07:52:17 +0200, Manuel Jacob wrote:
> # HG changeset patch
> # User Manuel Jacob 
> # Date 1590807553 -7200
> #  Sat May 30 04:59:13 2020 +0200
> # Node ID f8ae379a8dcfebbec6cf6570d8d38fa1e3b6bcea
> # Parent  fa4460229a8d1a392564d0cbe78216760154822c
> # EXP-Topic require_modern_ssl
> hgweb: avoid using `sslutil.modernssl`
> 
> `sslutil.modernssl` is going to be removed. Since the point of using this
> attribute was to check the importability of `sslutil`, a different
> attribute can be used. `sslutil.wrapserversocket` is used because it is
> used anyway a few lines below.
> 
> diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py
> --- a/mercurial/hgweb/server.py
> +++ b/mercurial/hgweb/server.py
> @@ -313,7 +313,7 @@ class _httprequesthandlerssl(_httpreques
>  try:
>  from .. import sslutil
>  
> -sslutil.modernssl
> +sslutil.wrapserversocket
>  except ImportError:
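Review bot: the bare `sslutil.wrapserversocket` expression only makes sense because `from .. import sslutil` is lazy under demandimport and touching an attribute is what forces the real import (and the ImportError) to happen inside the `try`. That is not obvious from the replacement line; a one-line comment such as `# force the demand-import so a missing ssl module is caught here` would stop a future cleanup from deleting the apparently useless statement.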

I wonder if we should still support Python builds of ssl disabled. If we
should, setup.py condition needs to be relaxed.


[PATCH 04 of 15] sslutil: remove comments referring to removed SSLContext emulation class

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590784286 -7200
#  Fri May 29 22:31:26 2020 +0200
# Node ID fa4460229a8d1a392564d0cbe78216760154822c
# Parent  4b0fc7112e0c75ae290e9204bd9efdca841244df
# EXP-Topic require_modern_ssl
sslutil: remove comments referring to removed SSLContext emulation class

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -264,8 +264,6 @@ def protocolsettings(protocol):
 # only (as opposed to multiple versions). So the method for
 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
 # disable protocols via SSLContext.options and OP_NO_* constants.
-# However, SSLContext.options doesn't work unless we have the
-# full/real SSLContext available to us.
 if supportedprotocols == {b'tls1.0'}:
 if protocol != b'tls1.0':
 raise error.Abort(
@@ -279,9 +277,6 @@ def protocolsettings(protocol):
 
 return ssl.PROTOCOL_TLSv1, 0, b'tls1.0'
 
-# WARNING: returned options don't work unless the modern ssl module
-# is available. Be careful when adding options here.
-
 # SSLv2 and SSLv3 are broken. We ban them outright.
 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
 
@@ -355,11 +350,7 @@ def wrapsocket(sock, keyfile, certfile, 
 # is loaded and contains that removed CA, you've just undone the user's
 # choice.
 sslcontext = ssl.SSLContext(settings[b'protocol'])
-
-# This is a no-op unless using modern ssl.
 sslcontext.options |= settings[b'ctxoptions']
-
-# This still works on our fake SSLContext.
 sslcontext.verify_mode = settings[b'verifymode']
 
 if settings[b'ciphers']:



[PATCH 08 of 15] sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590801838 -7200
#  Sat May 30 03:23:58 2020 +0200
# Node ID 9ae0e1b1a499dfce1807e3c9ec5c03714c6f154a
# Parent  992db2b7bd11431df9145abc35dca2eba73b9972
# EXP-Topic require_modern_ssl
sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -52,8 +52,6 @@ if util.safehasattr(ssl, b'PROTOCOL_TLSv
 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
 supportedprotocols.add(b'tls1.2')
 
-_canloaddefaultcerts = True
-
 
 def _hostsettings(ui, hostname):
 """Obtain security settings for a hostname.
@@ -227,7 +225,7 @@ def _hostsettings(ui, hostname):
 
 # Require certificate validation if CA certs are being loaded and
 # verification hasn't been disabled above.
-if cafile or (_canloaddefaultcerts and s[b'allowloaddefaultcerts']):
+if cafile or (s[b'allowloaddefaultcerts']):
 s[b'verifymode'] = ssl.CERT_REQUIRED
 else:
 # At this point we don't have a fingerprint, aren't being
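Review bot: the constant folding leaves a redundant pair of parentheses in `if cafile or (s[b'allowloaddefaultcerts']):`; write it as `if cafile or s[b'allowloaddefaultcerts']:`.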
@@ -721,14 +719,6 @@ def _plainapplepython():
 )
 
 
-_systemcacertpaths = [
-# RHEL, CentOS, and Fedora
-b'/etc/pki/tls/certs/ca-bundle.trust.crt',
-# Debian, Ubuntu, Gentoo
-b'/etc/ssl/certs/ca-certificates.crt',
-]
-
-
 def _defaultcacerts(ui):
 """return path to default CA certificates or None.
 
@@ -751,23 +741,6 @@ def _defaultcacerts(ui):
 except (ImportError, AttributeError):
 pass
 
-# On Windows, only the modern ssl module is capable of loading the system
-# CA certificates. If we're not capable of doing that, emit a warning
-# because we'll get a certificate verification error later and the lack
-# of loaded CA certificates will be the reason why.
-# Assertion: this code is only called if certificates are being verified.
-if pycompat.iswindows:
-if not _canloaddefaultcerts:
-ui.warn(
-_(
-b'(unable to load Windows CA certificates; see '
-b'https://mercurial-scm.org/wiki/SecureConnections for '
-b'how to configure Mercurial to avoid this message)\n'
-)
-)
-
-return None
-
 # Apple's OpenSSL has patches that allow a specially constructed 
certificate
 # to load the system CA store. If we're running on Apple Python, use this
 # trick.
@@ -778,58 +751,6 @@ def _defaultcacerts(ui):
 if os.path.exists(dummycert):
 return dummycert
 
-# The Apple OpenSSL trick isn't available to us. If Python isn't able to
-# load system certs, we're out of luck.
-if pycompat.isdarwin:
-# FUTURE Consider looking for Homebrew or MacPorts installed certs
-# files. Also consider exporting the keychain certs to a file during
-# Mercurial install.
-if not _canloaddefaultcerts:
-ui.warn(
-_(
-b'(unable to load CA certificates; see '
-b'https://mercurial-scm.org/wiki/SecureConnections for '
-b'how to configure Mercurial to avoid this message)\n'
-)
-)
-return None
-
-# / is writable on Windows. Out of an abundance of caution make sure
-# we're not on Windows because paths from _systemcacerts could be installed
-# by non-admin users.
-assert not pycompat.iswindows
-
-# Try to find CA certificates in well-known locations. We print a warning
-# when using a found file because we don't want too much silent magic
-# for security settings. The expectation is that proper Mercurial
-# installs will have the CA certs path defined at install time and the
-# installer/packager will make an appropriate decision on the user's
-# behalf. We only get here and perform this setting as a feature of
-# last resort.
-if not _canloaddefaultcerts:
-for path in _systemcacertpaths:
-if os.path.isfile(path):
-ui.warn(
-_(
-b'(using CA certificates from %s; if you see this '
-b'message, your Mercurial install is not properly '
-b'configured; see '
-b'https://mercurial-scm.org/wiki/SecureConnections '
-b'for how to configure Mercurial to avoid this '
-b'message)\n'
-)
-% path
-)
-return path
-
-ui.warn(
-_(
-b'(unable to load CA certificates; see '
-b'https://mercurial-scm.org/wiki/SecureConnections for '
-b'how to configure Mercurial to avoid this message)\n'
-)
-)
-
 return None
 
 
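Review bot: with the `not _canloaddefaultcerts` branches gone, `_defaultcacerts` now returns None silently on every non-Apple platform, and the removed comment's rationale ("we don't want too much silent magic for security settings") no longer has a counterpart here. Please confirm in the commit message that the caller still emits the "(an attempt was made to load CA certificates but none were loaded ...)" hint seen in test-https.t when `load_default_certs()` yields nothing, so users are not left with a bare verification failure.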


[PATCH 01 of 15] sslutil: set `_canloaddefaultcerts` to `True` if `ssl.SSLContext` is present

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590803219 -7200
#  Sat May 30 03:46:59 2020 +0200
# Node ID 45c87d05a2ba00d32181c94bf56d52f48f9c9f02
# Parent  3aed7d262bdfd08e8a5d356c8f5a90251bfc70b5
# EXP-Topic require_modern_ssl
sslutil: set `_canloaddefaultcerts` to `True` if `ssl.SSLContext` is present

The `load_default_certs()` method was already present when `ssl.SSLContext`
was backported to Python 2.7 (https://hg.python.org/cpython/rev/221a1f9155e2).

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -58,7 +58,7 @@ try:
 # SSL/TLS features are available.
 SSLContext = ssl.SSLContext
 modernssl = True
-_canloaddefaultcerts = util.safehasattr(SSLContext, b'load_default_certs')
+_canloaddefaultcerts = True
 except AttributeError:
 modernssl = False
 _canloaddefaultcerts = False



[PATCH 13 of 15] sslutil: simplify code, now that `supportedprotocols` is constant

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590798598 -7200
#  Sat May 30 02:29:58 2020 +0200
# Node ID e42ce24c506a9336dd6ecc8b4f83889580d8af6b
# Parent  de89534c092f5d2e2eb8c7b21dcb81d83aa3
# EXP-Topic require_modern_ssl
sslutil: simplify code, now that `supportedprotocols` is constant

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -100,27 +100,10 @@ def _hostsettings(ui, hostname):
 % b' '.join(sorted(configprotocols)),
 )
 
-# We default to TLS 1.1+ where we can because TLS 1.0 has known
-# vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
-# TLS 1.0+ via config options in case a legacy server is encountered.
-if b'tls1.1' in supportedprotocols:
-defaultprotocol = b'tls1.1'
-else:
-# Let people know they are borderline secure.
-# We don't document this config option because we want people to see
-# the bold warnings on the web site.
-# internal config: hostsecurity.disabletls10warning
-if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
-ui.warn(
-_(
-b'warning: connecting to %s using legacy security '
-b'technology (TLS 1.0); see '
-b'https://mercurial-scm.org/wiki/SecureConnections for '
-b'more info\n'
-)
-% bhostname
-)
-defaultprotocol = b'tls1.0'
+# We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
+# BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
+# options in case a legacy server is encountered.
+defaultprotocol = b'tls1.1'
 
 key = b'minimumprotocol'
 protocol = ui.config(b'hostsecurity', key, defaultprotocol)
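Review bot: the folded code keeps `defaultprotocol = b'tls1.1'` while the new comment still justifies the floor only by BEAST and POODLE; given the discussion in this thread about making TLS 1.2 the default and leaving 1.0/1.1 to an explicit, documented config option, consider whether this is the right moment to raise the default rather than merely simplify the code.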
@@ -264,18 +247,6 @@ def protocolsettings(protocol):
 # only (as opposed to multiple versions). So the method for
 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
 # disable protocols via SSLContext.options and OP_NO_* constants.
-if supportedprotocols == {b'tls1.0'}:
-if protocol != b'tls1.0':
-raise error.Abort(
-_(b'current Python does not support protocol setting %s')
-% protocol,
-hint=_(
-b'upgrade Python or disable setting since '
-b'only TLS 1.0 is supported'
-),
-)
-
-return ssl.PROTOCOL_TLSv1, 0, b'tls1.0'
 
 # SSLv2 and SSLv3 are broken. We ban them outright.
 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
@@ -518,12 +489,8 @@ def wrapserversocket(
 if exactprotocol == b'tls1.0':
 protocol = ssl.PROTOCOL_TLSv1
 elif exactprotocol == b'tls1.1':
-if b'tls1.1' not in supportedprotocols:
-raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_1
 elif exactprotocol == b'tls1.2':
-if b'tls1.2' not in supportedprotocols:
-raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_2
 elif exactprotocol:
 raise error.Abort(



[PATCH v2] setup: require a Python version with modern SSL features

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590779246 -7200
#  Fri May 29 21:07:26 2020 +0200
# Node ID 0b77428d79bddca909ade8dcb59fb153f15db0d8
# Parent  45c87d05a2ba00d32181c94bf56d52f48f9c9f02
# EXP-Topic require_modern_ssl
setup: require a Python version with modern SSL features

This increases the minimum security baseline of Mercurial and enables us to
remove compatibility code for supporting older, less secure Python versions.

diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -83,6 +83,21 @@ Python {py} detected.
 printf(error, file=sys.stderr)
 sys.exit(1)
 
+import ssl
+
+try:
+ssl.SSLContext
+except AttributeError:
+error = """
+The `ssl` module does not have the `SSLContext` class. This indicates an old
+Python version which does not support modern security features (which were
+added to Python 2.7 as part of "PEP 466"). Please make sure you have installed
+at least Python 2.7.9 or a Python version with backports of these security
+features.
+"""
+printf(error, file=sys.stderr)
+sys.exit(1)
+
 if sys.version_info[0] >= 3:
 DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:
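Review bot: the unconditional `import ssl` at module level in setup.py will itself raise ImportError on a Python built without the `ssl` module, so such users get a traceback instead of the friendly message in this hunk; wrap the import in the same `try:` block (catching `ImportError` alongside `AttributeError`) so both cases print the explanation and exit cleanly. This also ties in with the question raised elsewhere in the thread about whether ssl-less builds should still be supported.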



[PATCH 07 of 15] tests: remove "defaultcacerts" check

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590808082 -7200
#  Sat May 30 05:08:02 2020 +0200
# Node ID 992db2b7bd11431df9145abc35dca2eba73b9972
# Parent  0f3d341877afb1bb05ec8abc5e4bbc5d318a6d41
# EXP-Topic require_modern_ssl
tests: remove "defaultcacerts" check

`sslutil._canloaddefaultcerts` is always true (and will be removed).

diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -656,21 +656,11 @@ def has_sslcontext():
 return False
 
 
-@check("defaultcacerts", "can verify SSL certs by system's CA certs store")
-def has_defaultcacerts():
-from mercurial import sslutil, ui as uimod
-
-ui = uimod.ui.load()
-return sslutil._defaultcacerts(ui) or sslutil._canloaddefaultcerts
-
-
 @check("defaultcacertsloaded", "detected presence of loaded system CA certs")
 def has_defaultcacertsloaded():
 import ssl
 from mercurial import sslutil, ui as uimod
 
-if not has_defaultcacerts():
-return False
 if not has_sslcontext():
 return False
 
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -49,14 +49,14 @@ Test server address cannot be reused
 Our test cert is not signed by a trusted CA. It should fail to verify if
 we are able to load CA certs.
 
-#if sslcontext defaultcacerts no-defaultcacertsloaded
+#if sslcontext no-defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   (an attempt was made to load CA certificates but none were loaded; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this error)
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
 
-#if no-sslcontext defaultcacerts
+#if no-sslcontext
   $ hg clone https://localhost:$HGPORT/ copy-pull
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (using CA certificates from *; if you see this message, your Mercurial 
install is not properly configured; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
@@ -90,15 +90,6 @@ we are able to load CA certs.
   [255]
 #endif
 
-#if no-defaultcacerts
-  $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (unable to load * certificates; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
-  abort: localhost certificate error: no certificate received
-  (set 
hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
 config setting or use --insecure to connect insecurely)
-  [255]
-#endif
-
 Specifying a per-host certificate file that doesn't exist will abort.  The full
 C:/path/to/msysroot will print on Windows.
 
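Review bot: removing the `#if no-defaultcacerts` block deletes the only expectations for the path where no CA certificates can be loaded at all ("no certificate received" plus the fingerprint hint). If that path is still reachable (for example when `load_default_certs()` finds an empty store), it is now untested; if it is genuinely unreachable after this series, say so in the commit message.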
diff --git a/tests/test-patchbomb-tls.t b/tests/test-patchbomb-tls.t
--- a/tests/test-patchbomb-tls.t
+++ b/tests/test-patchbomb-tls.t
@@ -39,7 +39,7 @@ Utility functions:
 Our test cert is not signed by a trusted CA. It should fail to verify if
 we are able to load CA certs:
 
-#if sslcontext defaultcacerts no-defaultcacertsloaded
+#if sslcontext no-defaultcacertsloaded
   $ try
   this patch series consists of 1 patches.
   
@@ -49,7 +49,7 @@ we are able to load CA certs:
   [255]
 #endif
 
-#if no-sslcontext defaultcacerts
+#if no-sslcontext
   $ try
   this patch series consists of 1 patches.
   
@@ -73,17 +73,6 @@ we are able to load CA certs:
 
 #endif
 
-#if no-defaultcacerts
-  $ try
-  this patch series consists of 1 patches.
-  
-  
-  (unable to load * certificates; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
-  abort: localhost certificate error: no certificate received
-  (set 
hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
 config setting or use --insecure to connect insecurely)
-  [255]
-#endif
-
   $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
 
 Without certificates:



[PATCH 12 of 15] sslutil: simplify code for printing an error message when negotiation fails

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590800420 -7200
#  Sat May 30 03:00:20 2020 +0200
# Node ID de89534c092f5d2e2eb8c7b21dcb81d83aa3
# Parent  34c4c1b13c793f5860c840043fbf8e4b2eb8a9a2
# EXP-Topic require_modern_ssl
sslutil: simplify code for printing an error message when negotiation fails

The original motivation for doing this was that we now depend on TLS 1.1
and TLS 1.2 being supported by the underlying Python, so that we don’t have to
handle the case where the client supports only TLS 1.0. While making the
change, I realized that there’s no good reason to print a different message
depending on which minimum protocol was configured. Actually, "could not
communicate with %s using security protocols ..." was imprecise, as the
underlying SSL implementation is free to use a higher version if available.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -429,73 +429,37 @@ def wrapsocket(sock, keyfile, certfile, 
 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
 # reason, try to emit an actionable warning.
 if e.reason == 'UNSUPPORTED_PROTOCOL':
-# We attempted TLS 1.0+.
-if settings[b'protocolui'] == b'tls1.0':
-# We support more than just TLS 1.0+. If this happens,
-# the likely scenario is either the client or the server
-# is really old. (e.g. server doesn't support TLS 1.0+ or
-# client doesn't support modern TLS versions introduced
-# several years from when this comment was written).
-if supportedprotocols != {b'tls1.0'}:
-ui.warn(
-_(
-b'(could not communicate with %s using 
security '
-b'protocols %s; if you are using a modern 
Mercurial '
-b'version, consider contacting the operator of 
this '
-b'server; see '
-
b'https://mercurial-scm.org/wiki/SecureConnections '
-b'for more info)\n'
-)
-% (
-pycompat.bytesurl(serverhostname),
-b', '.join(sorted(supportedprotocols)),
-)
-)
-else:
-ui.warn(
-_(
-b'(could not communicate with %s using TLS 
1.0; the '
-b'likely cause of this is the server no longer 
'
-b'supports TLS 1.0 because it has known 
security '
-b'vulnerabilities; see '
-
b'https://mercurial-scm.org/wiki/SecureConnections '
-b'for more info)\n'
-)
-% pycompat.bytesurl(serverhostname)
-)
-else:
-# We attempted TLS 1.1+. We can only get here if the client
-# supports the configured protocol. So the likely reason is
-# the client wants better security than the server can
-# offer.
-ui.warn(
-_(
-b'(could not negotiate a common security protocol 
(%s+) '
-b'with %s; the likely cause is Mercurial is 
configured '
-b'to be more secure than the server can support)\n'
-)
-% (
-settings[b'protocolui'],
-pycompat.bytesurl(serverhostname),
-)
+# We can only get here if the client supports the configured
+# protocol. So the likely reason is the client wants better
+# security than the server can offer.
+ui.warn(
+_(
+b'(could not negotiate a common security protocol 
(%s+) '
+b'with %s; the likely cause is Mercurial is configured 
'
+b'to be more secure than the server can support)\n'
+)
+% (
+settings[b'protocolui'],
+pycompat.bytesurl(serverhostname),
 )
-ui.warn(
-_(
-b'(consider contacting the operator of this '
-b'server and ask them to support modern TLS '
-b'protocol versions; or, set '
-
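Review bot: the single remaining warning text asserts that "Mercurial is configured to be more secure than the server can support", but when `settings[b'protocolui']` is `b'tls1.0'` the client was already at the lowest floor it offers, so that explanation cannot be the cause; the old code distinguished that case for this reason. Consider keeping a neutral wording for the tls1.0 floor, or phrasing the message so it does not assert a cause it cannot know.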

mercurial@44872: 4 new changesets

2020-05-30 Thread Mercurial Commits
4 new changesets in mercurial:

https://www.mercurial-scm.org/repo/hg/rev/4313a0d7540d
changeset:   44869:4313a0d7540d
user:Raphaël Gomès 
date:Fri May 29 12:12:16 2020 +0200
summary: rust-dependencies: update `regex` to 1.3.9

https://www.mercurial-scm.org/repo/hg/rev/9f96beb9bafe
changeset:   44870:9f96beb9bafe
user:Raphaël Gomès 
date:Fri May 29 12:17:59 2020 +0200
summary: rust: remove support for `re2`

https://www.mercurial-scm.org/repo/hg/rev/17d928f8abaf
changeset:   44871:17d928f8abaf
user:Augie Fackler 
date:Thu May 28 16:17:28 2020 -0400
summary: mergestate: move staticmethod _filectxorabsent to module level

https://www.mercurial-scm.org/repo/hg/rev/aa790f7c967a
changeset:   44872:aa790f7c967a
bookmark:@
tag: tip
user:Augie Fackler 
date:Thu May 28 16:16:13 2020 -0400
summary: filemerge: add __bytes__ for absentfilectx

-- 
Repository URL: https://www.mercurial-scm.org/repo/hg


D8602: rust: update the mention of hgcli in rust/README.rst

2020-05-30 Thread valentin.gatienbaron (Valentin Gatien-Baron)
valentin.gatienbaron created this revision.
Herald added a reviewer: hg-reviewers.
Herald added a subscriber: mercurial-patches.

REVISION SUMMARY
  This may not be exactly right, but it's better than before.

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D8602

AFFECTED FILES
  rust/README.rst

CHANGE DETAILS

diff --git a/rust/README.rst b/rust/README.rst
--- a/rust/README.rst
+++ b/rust/README.rst
@@ -8,9 +8,9 @@
 
 There are currently three independent rust projects:
 - chg. An implementation of chg, in rust instead of C.
-- hgcli. A experiment for starting hg in rust rather than in python,
-  by linking with the python runtime. Probably meant to be replaced by
-  PyOxidizer at some point.
+- hgcli. A project that provide a (mostly) self-contained "hg" binary,
+  for ease of deployment and a bit of speed, using PyOxidizer. See
+  hgcli/README.md.
 - hg-core (and hg-cpython): implementation of some
   functionality of mercurial in rust, e.g. ancestry computations in
   revision graphs, status or pull discovery. The top-level ``Cargo.toml`` file
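Review bot: grammar in the added line, `- hgcli. A project that provide a (mostly) self-contained "hg" binary,` should read `provides`.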



To: valentin.gatienbaron, #hg-reviewers
Cc: mercurial-patches, mercurial-devel


Re: [PATCH 10 of 15] sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Gregory Szorc
On Sat, May 30, 2020 at 6:36 AM Yuya Nishihara  wrote:

> On Sat, 30 May 2020 07:52:22 +0200, Manuel Jacob wrote:
> > # HG changeset patch
> > # User Manuel Jacob 
> > # Date 1590783568 -7200
> > #  Fri May 29 22:19:28 2020 +0200
> > # Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
> > # Parent  13922e383d20ca51752a2c3bd16429a5b0e30397
> > # EXP-Topic require_modern_ssl
> > sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2
> >
> > diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> > --- a/mercurial/sslutil.py
> > +++ b/mercurial/sslutil.py
> > @@ -44,13 +44,18 @@ configprotocols = {
> >
> >  hassni = getattr(ssl, 'HAS_SNI', False)
> >
> > -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
> > -# against doesn't support them.
> > -supportedprotocols = {b'tls1.0'}
> > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
> > -supportedprotocols.add(b'tls1.1')
> > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
> > -supportedprotocols.add(b'tls1.2')
> > +# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on
> 2012-03-14.
> > +# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
> > +# distributions having Python 2.7.9+ or having backported modern
> features to
> > +# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure, we
> assert
> > +# that support is actually present.
> > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
> > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
>
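Review bot: beyond the import-time concern, `assert` statements are stripped entirely when Python runs with `-O`, so in optimised builds this check silently disappears and an OpenSSL without TLS 1.1/1.2 support would pass unnoticed. Use an explicit `if not ...: raise error.Abort(...)` (ideally at the point where the SSLContext is created) rather than `assert` for a security-relevant check.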
> Can we expect that old RHEL/CentOS migrated to OpenSSL 1.0.1+?
> I hope they did, but I'm not sure.
>
> Also, raising AssertionError at import time might break client code, which
> would expect ImportError/AttributeError on import error.
>

Agreed that we want to avoid the AssertionError at import time. I would
refactor all the code for validating the sanity of the `ssl` module into a
single function (perhaps the one that constructs an SSLContext) and have it
abort if we fail to meet security requirements. That way we won't get an
error until we actually attempt an operation that requires ssl. This feels
better than running code at module import time, which can slow down code
paths that don't need it.

Regarding the minimum versions, given that TLS 1.2 is the minimum TLS
version to be reasonably secure in 2020, I would strongly prefer requiring
it by default. I'm not opposed to a config option to allow TLS 1.0 and 1.1
for the legacy environments that can't do better. Just as long as we
document that it weakens security.
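Gregory Szorc's suggestion above, validating the `ssl` module in the one function that constructs the SSLContext (so a deficient module aborts at first use, not at import) and making TLS 1.2 the default floor with an explicit knob for lower, written out as an added example in Python 3. This is not Mercurial's `sslutil` code: the functions `missing_features`, `make_client_context`, `make_server_context`, `describe` and the `InsecureSSLModule` exception are this example's own names, the config values mirror `hostsecurity.minimumprotocol`, and the OpenSSL 1.0.1 threshold is the one quoted in the patch. It uses `SSLContext.minimum_version` (Python 3.7+) instead of the `OP_NO_*` options the series manipulates.

```python
import ssl

# Example code, not Mercurial's sslutil: all sanity checks on the ssl module
# live in one place and are only run when a context is actually requested.


class InsecureSSLModule(Exception):
    """The ssl module lacks a feature needed for the security baseline."""


# Config names follow Mercurial's hostsecurity.minimumprotocol; the mapping
# to ssl.TLSVersion names is this example's own choice.
_MINIMUM_BY_NAME = {
    b"tls1.0": "TLSv1",
    b"tls1.1": "TLSv1_1",
    b"tls1.2": "TLSv1_2",
}

_REQUIRED_ATTRS = (
    "SSLContext", "TLSVersion", "PROTOCOL_TLS_CLIENT", "PROTOCOL_TLS_SERVER",
    "OP_NO_COMPRESSION", "OP_CIPHER_SERVER_PREFERENCE",
    "OP_SINGLE_DH_USE", "OP_SINGLE_ECDH_USE",
)


def missing_features(mod=ssl):
    """Return the required ssl-module features that are absent (empty = OK).

    ``mod`` is injectable so the failure path can be exercised without a
    crippled Python build.
    """
    missing = [name for name in _REQUIRED_ATTRS if not hasattr(mod, name)]
    if not getattr(mod, "HAS_SNI", False):
        missing.append("HAS_SNI")
    # TLS 1.1 and 1.2 exist since OpenSSL 1.0.1 (the threshold the patch cites).
    if getattr(mod, "OPENSSL_VERSION_INFO", (0,)) < (1, 0, 1):
        missing.append("OpenSSL >= 1.0.1")
    return missing


def _require_sane(mod):
    missing = missing_features(mod)
    if missing:
        raise InsecureSSLModule(
            "ssl module lacks required security features: %s" % ", ".join(missing)
        )


def make_client_context(minimumprotocol=b"tls1.2", mod=ssl):
    """Verifying client context with TLS 1.2 as the default floor.

    A lower floor is honoured only when explicitly configured, i.e. the
    caller opts into the documented weakening.
    """
    _require_sane(mod)
    if minimumprotocol not in _MINIMUM_BY_NAME:
        raise ValueError("unknown minimum protocol %r" % (minimumprotocol,))
    # PROTOCOL_TLS_CLIENT enables certificate verification and hostname checks.
    ctx = mod.SSLContext(mod.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = getattr(mod.TLSVersion, _MINIMUM_BY_NAME[minimumprotocol])
    ctx.options |= mod.OP_NO_COMPRESSION  # prevent CRIME
    return ctx


def make_server_context(certfile=None, keyfile=None, mod=ssl):
    """Server context with the hardening options the series applies.

    Python 3.6+ already sets these options by default; they are set
    explicitly here so the policy is visible in the code.
    """
    _require_sane(mod)
    ctx = mod.SSLContext(mod.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = mod.TLSVersion.TLSv1_2
    ctx.options |= mod.OP_NO_COMPRESSION
    ctx.options |= mod.OP_CIPHER_SERVER_PREFERENCE  # server picks the cipher
    ctx.options |= mod.OP_SINGLE_DH_USE | mod.OP_SINGLE_ECDH_USE  # forward secrecy
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def describe(ctx, mod=ssl):
    """Summarise the security-relevant settings of a context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "no_compression": bool(ctx.options & mod.OP_NO_COMPRESSION),
        "server_cipher_preference": bool(
            ctx.options & mod.OP_CIPHER_SERVER_PREFERENCE
        ),
    }


if __name__ == "__main__":
    print("ssl module missing:", missing_features() or "nothing")
    print("client:", describe(make_client_context()))
    print("server:", describe(make_server_context()))
```

Passing `mod=object()` to either constructor shows the intended failure mode: the call raises `InsecureSSLModule` listing every absent feature, nothing fires at import, and code paths that never open a TLS connection are unaffected.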


D8456: rust: remove duplicate import

2020-05-30 Thread indygreg (Gregory Szorc)
indygreg added a comment.


  It looks like `hg phabread | hg import -` produced an empty changeset, which 
I accidentally pushed. I have since rewritten `@` on `hg-committed` to remove 
the empty changeset. This differential revision should be reopened (which I 
cannot do since I don't own it).

REPOSITORY
  rHG Mercurial

CHANGES SINCE LAST ACTION
  https://phab.mercurial-scm.org/D8456/new/

REVISION DETAIL
  https://phab.mercurial-scm.org/D8456

To: Alphare, #hg-reviewers, marmoute, indygreg
Cc: indygreg, mercurial-patches, marmoute, mercurial-devel


Re: [PATCH 10 of 15] sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Manuel Jacob

On 2020-05-30 17:54, Gregory Szorc wrote:

On Sat, May 30, 2020 at 6:36 AM Yuya Nishihara  wrote:


On Sat, 30 May 2020 07:52:22 +0200, Manuel Jacob wrote:
> # HG changeset patch
> # User Manuel Jacob 
> # Date 1590783568 -7200
> #  Fri May 29 22:19:28 2020 +0200
> # Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
> # Parent  13922e383d20ca51752a2c3bd16429a5b0e30397
> # EXP-Topic require_modern_ssl
> sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2
>
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -44,13 +44,18 @@ configprotocols = {
>
>  hassni = getattr(ssl, 'HAS_SNI', False)
>
> -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
> -# against doesn't support them.
> -supportedprotocols = {b'tls1.0'}
> -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
> -supportedprotocols.add(b'tls1.1')
> -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
> -supportedprotocols.add(b'tls1.2')
> +# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on
2012-03-14.
> +# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that
> +# distributions having Python 2.7.9+ or having backported modern
features to
> +# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure, we
assert
> +# that support is actually present.
> +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
> +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')

Can we expect that old RHEL/CentOS migrated to OpenSSL 1.0.1+?
I hope they did, but I'm not sure.


RHEL6 originally had OpenSSL 1.0.0 but "rebased" to OpenSSL 1.0.1 with 
RHEL6.5 (according to https://access.redhat.com/articles/1462223). I do 
not know whether they also maintain OpenSSL 1.0.0 with backports, but I 
found no evidence for this.


Also, raising AssertionError at import time might break client code, which
would expect ImportError/AttributeError on import error.



Agreed that we want to avoid the AssertionError at import time. I would
refactor all the code for validating the sanity of the `ssl` module into a
single function (perhaps the one that constructs an SSLContext) and have it
abort if we fail to meet security requirements. That way we won't get an
error until we actually attempt an operation that requires ssl. This feels
better than running code at module import time, which can slow down code
paths that don't need it.


Isn't that part already handled by demandimport? In any case, I'm fine 
with changing the patches to check the TLS 1.2 support in setup.py, or 
when creating the context, or a combination of both.



Regarding the minimum versions, given that TLS 1.2 is the minimum TLS
version to be reasonably secure in 2020, I would strongly prefer requiring
it by default. I'm not opposed to a config option to allow TLS 1.0 and 1.1
for the legacy environments that can't do better. Just as long as we
document that it weakens security.


Do you refer to requiring the underlying Python version to support TLS 
1.2 or to requiring the wire protocol to be at least TLS 1.2?



mercurial@44882: 3 new changesets

2020-05-30 Thread Mercurial Commits
3 new changesets in mercurial:

https://www.mercurial-scm.org/repo/hg/rev/7dd63a8cb1ee
changeset:   44880:7dd63a8cb1ee
user:Manuel Jacob 
date:Sat May 30 03:23:58 2020 +0200
summary: sslutil: eliminate `_canloaddefaultcerts` by constant-folding code 
using it

https://www.mercurial-scm.org/repo/hg/rev/89f83e47e9c9
changeset:   44881:89f83e47e9c9
user:Manuel Jacob 
date:Sat May 30 05:27:53 2020 +0200
summary: tests: remove "sslcontext" check

https://www.mercurial-scm.org/repo/hg/rev/be3e85cf8f4d
changeset:   44882:be3e85cf8f4d
bookmark:@
tag: tip
user:Raphaël Gomès 
date:Fri Apr 17 10:41:05 2020 +0200
summary: rust: remove duplicate import

-- 
Repository URL: https://www.mercurial-scm.org/repo/hg


[PATCH v2] tests: stop checking for optional, now impossible output

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590858293 -7200
#  Sat May 30 19:04:53 2020 +0200
# Node ID cb67261e7796a4b31597192a4f4cde83fb1bc406
# Parent  89f83e47e9c9ad53a04c8c829730f04d8275437e
tests: stop checking for optional, now impossible output

In 7dd63a8cb1ee, the code that could output that line was removed.

diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -59,7 +59,6 @@ we are able to load CA certs.
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (using CA certificates from *; if you see this message, your Mercurial 
install is not properly configured; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
   (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
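Review bot: the optional `warning: connecting to localhost using legacy security technology (TLS 1.0)` line kept at the top of this hunk is emitted by the TLS 1.0-only fallback that patch 13 of the series deletes, so it will become impossible output in the same way once that patch lands; worth removing it together with this line or noting the dependency.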
diff --git a/tests/test-patchbomb-tls.t b/tests/test-patchbomb-tls.t
--- a/tests/test-patchbomb-tls.t
+++ b/tests/test-patchbomb-tls.t
@@ -55,7 +55,6 @@ we are able to load CA certs:
   
   
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (using CA certificates from *; if you see this message, your Mercurial 
install is not properly configured; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
   (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   (?i)abort: .*?certificate.verify.failed.* (re)
   [255]



Re: [PATCH 05 of 15] hgweb: avoid using `sslutil.modernssl`

2020-05-30 Thread Gregory Szorc
On Sat, May 30, 2020 at 6:25 AM Yuya Nishihara  wrote:

> On Sat, 30 May 2020 07:52:17 +0200, Manuel Jacob wrote:
> > # HG changeset patch
> > # User Manuel Jacob 
> > # Date 1590807553 -7200
> > #  Sat May 30 04:59:13 2020 +0200
> > # Node ID f8ae379a8dcfebbec6cf6570d8d38fa1e3b6bcea
> > # Parent  fa4460229a8d1a392564d0cbe78216760154822c
> > # EXP-Topic require_modern_ssl
> > hgweb: avoid using `sslutil.modernssl`
> >
> > `sslutil.modernssl` is going to be removed. Since the point of using this
> > attribute was to check the importability of the `sslutil`, a different
> > attribute can be used. `sslutil.wrapserversocket` is used because it’s
> anyway
> > used a few lines below.
> >
> > diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py
> > --- a/mercurial/hgweb/server.py
> > +++ b/mercurial/hgweb/server.py
> > @@ -313,7 +313,7 @@ class _httprequesthandlerssl(_httpreques
> >  try:
> >  from .. import sslutil
> >
> > -sslutil.modernssl
> > +sslutil.wrapserversocket
> >  except ImportError:
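Review bot: the bare expression `sslutil.wrapserversocket` at the `+` line reads as a no-op to anyone who has not seen the commit message; add a short comment stating that the attribute access forces the lazily imported `sslutil` to actually load, so that an unusable `ssl` module surfaces as the `ImportError` handled just below. Note also that if the attribute were renamed later the failure would be an `AttributeError`, which this `except ImportError` does not catch, so the comment should make the dependency on that name visible.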
>
> I wonder if we should still support Python builds of ssl disabled. If we
> should, setup.py condition needs to be relaxed.
>

What environments might not have ssl support?

Strictly speaking, it is possible to produce a Python distribution without
ssl support. But it isn't something I've seen in years.


Re: [PATCH 05 of 15] hgweb: avoid using `sslutil.modernssl`

2020-05-30 Thread Gregory Szorc
On Sat, May 30, 2020 at 9:04 AM Manuel Jacob  wrote:

> On 2020-05-30 17:49, Gregory Szorc wrote:
> > On Sat, May 30, 2020 at 6:25 AM Yuya Nishihara  wrote:
> >
> >> On Sat, 30 May 2020 07:52:17 +0200, Manuel Jacob wrote:
> >> > # HG changeset patch
> >> > # User Manuel Jacob 
> >> > # Date 1590807553 -7200
> >> > #  Sat May 30 04:59:13 2020 +0200
> >> > # Node ID f8ae379a8dcfebbec6cf6570d8d38fa1e3b6bcea
> >> > # Parent  fa4460229a8d1a392564d0cbe78216760154822c
> >> > # EXP-Topic require_modern_ssl
> >> > hgweb: avoid using `sslutil.modernssl`
> >> >
> >> > `sslutil.modernssl` is going to be removed. Since the point of using
> this
> >> > attribute was to check the importability of the `sslutil`, a different
> >> > attribute can be used. `sslutil.wrapserversocket` is used because it’s
> >> anyway
> >> > used a few lines below.
> >> >
> >> > diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py
> >> > --- a/mercurial/hgweb/server.py
> >> > +++ b/mercurial/hgweb/server.py
> >> > @@ -313,7 +313,7 @@ class _httprequesthandlerssl(_httpreques
> >> >  try:
> >> >  from .. import sslutil
> >> >
> >> > -sslutil.modernssl
> >> > +sslutil.wrapserversocket
> >> >  except ImportError:
> >>
> >> I wonder if we should still support Python builds of ssl disabled. If
> >> we
> >> should, setup.py condition needs to be relaxed.
> >>
> >
> > What environments might not have ssl support?
> >
> > Strictly speaking, it is possible to produce a Python distribution
> > without
> > ssl support. But it isn't something I've seen in years.
>
> I sometimes compile Python interpreters (usually PyPy) with a limited
> set of extension modules. However, I very rarely run Mercurial on top of
> these and in these cases I can comment out that check manually.
>
> I would be fine with leaving it as is or sending a patch relaxing it.
>

I would prefer to leave it as is and avoid the complexity until someone
actually complains about it.


D8603: rust: add a pointer for profiling to the README

2020-05-30 Thread valentin.gatienbaron (Valentin Gatien-Baron)
valentin.gatienbaron created this revision.
Herald added a reviewer: hg-reviewers.
Herald added a subscriber: mercurial-patches.

REVISION SUMMARY
  As figuring out how to get useful profiles is not obvious.

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D8603

AFFECTED FILES
  rust/README.rst

CHANGE DETAILS

diff --git a/rust/README.rst b/rust/README.rst
--- a/rust/README.rst
+++ b/rust/README.rst
@@ -34,6 +34,21 @@
 One day we may use this environment variable to switch to new experimental
 binding crates like a hypothetical ``HGWITHRUSTEXT=hpy``.
 
+Profiling
+=
+
+Setting the environment variable ``RUST_LOG=trace`` will make hg print
+a few high level rust-related performance numbers. It can also
+indicate why the rust code cannot be used (say, using lookarounds in
+hgignore).
+
+``py-spy`` (https://github.com/benfred/py-spy) can be used to
+construct a single profile with rust functions and python functions
+(as opposed to ``hg --profile``, which attributes time spent in rust
+to some unlucky python code running shortly after the rust code, and
+as opposed to tools for native code like ``perf``, which attribute
+time to the python interpreter instead of python functions).
+
 Developing Rust
 ===
 
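Review bot: the new section writes `rust` and `python` in lowercase while the surrounding README capitalizes them (see the `Developing Rust` heading in the context lines); use `Rust` and `Python` throughout the added paragraphs. It would also help readers to say which component honours `RUST_LOG=trace` and roughly what the printed numbers cover, since `trace` is the most verbose log level and "a few high level performance numbers" leaves them guessing what to look for.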



To: valentin.gatienbaron, #hg-reviewers
Cc: mercurial-patches, mercurial-devel


[PATCH] tests: stop checking for optional, now impossible output

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590858293 -7200
#  Sat May 30 19:04:53 2020 +0200
# Node ID 70309bddd6a07a36583b54fef06591c212508990
# Parent  89f83e47e9c9ad53a04c8c829730f04d8275437e
tests: stop checking for optional, now impossible output

In 7dd63a8cb1ee, the code that could output that line was removed.

diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -59,7 +59,6 @@ we are able to load CA certs.
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
-  (using CA certificates from *; if you see this message, your Mercurial 
install is not properly configured; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this message) (glob) (?)
   (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]



D8600: scmutil: clarify getuipathfn comment

2020-05-30 Thread valentin.gatienbaron (Valentin Gatien-Baron)
valentin.gatienbaron created this revision.
Herald added a reviewer: hg-reviewers.
Herald added a subscriber: mercurial-patches.

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D8600

AFFECTED FILES
  mercurial/scmutil.py

CHANGE DETAILS

diff --git a/mercurial/scmutil.py b/mercurial/scmutil.py
--- a/mercurial/scmutil.py
+++ b/mercurial/scmutil.py
@@ -804,8 +804,8 @@
 if relative:
 cwd = repo.getcwd()
 if cwd != b'':
-# this branch is correct when cwd == b'', ie cwd = repo root,
-# but it's slower
+# this branch would work even if cwd == b'' (ie cwd = repo
+# root), but its generality makes the returned function slower
 pathto = repo.pathto
 return lambda f: pathto(f, cwd)
 if repo.ui.configbool(b'ui', b'slash'):
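Review bot: the rewritten comment at the `+` lines still leaves the reader to infer what happens when `cwd == b''`; one more clause, such as "the `cwd == b''` case falls through to the cheaper code below", would close the loop and explain why the `if cwd != b'':` guard is there at all.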



To: valentin.gatienbaron, #hg-reviewers
Cc: mercurial-patches, mercurial-devel


D8601: rust: remove one more occurrence of re2

2020-05-30 Thread valentin.gatienbaron (Valentin Gatien-Baron)
valentin.gatienbaron created this revision.
Herald added a reviewer: hg-reviewers.
Herald added a subscriber: mercurial-patches.

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D8601

AFFECTED FILES
  rust/README.rst

CHANGE DETAILS

diff --git a/rust/README.rst b/rust/README.rst
--- a/rust/README.rst
+++ b/rust/README.rst
@@ -27,8 +27,6 @@
   $ ./hg debuginstall | grep -i rust # to validate rust is in use
   checking Rust extensions (installed)
   checking module policy (rust+c-allow)
-  checking "re2" regexp engine Rust bindings (installed)
-
 
 If the environment variable ``HGWITHRUSTEXT=cpython`` is set, the Rust
 extension will be used by default unless ``--no-rust``.



To: valentin.gatienbaron, #hg-reviewers
Cc: mercurial-patches, mercurial-devel


Re: [PATCH 05 of 15] hgweb: avoid using `sslutil.modernssl`

2020-05-30 Thread Manuel Jacob

On 2020-05-30 17:49, Gregory Szorc wrote:

On Sat, May 30, 2020 at 6:25 AM Yuya Nishihara  wrote:


On Sat, 30 May 2020 07:52:17 +0200, Manuel Jacob wrote:
> # HG changeset patch
> # User Manuel Jacob 
> # Date 1590807553 -7200
> #  Sat May 30 04:59:13 2020 +0200
> # Node ID f8ae379a8dcfebbec6cf6570d8d38fa1e3b6bcea
> # Parent  fa4460229a8d1a392564d0cbe78216760154822c
> # EXP-Topic require_modern_ssl
> hgweb: avoid using `sslutil.modernssl`
>
> `sslutil.modernssl` is going to be removed. Since the point of using this
> attribute was to check the importability of the `sslutil`, a different
> attribute can be used. `sslutil.wrapserversocket` is used because it’s
anyway
> used a few lines below.
>
> diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py
> --- a/mercurial/hgweb/server.py
> +++ b/mercurial/hgweb/server.py
> @@ -313,7 +313,7 @@ class _httprequesthandlerssl(_httpreques
>  try:
>  from .. import sslutil
>
> -sslutil.modernssl
> +sslutil.wrapserversocket
>  except ImportError:

I wonder if we should still support Python builds of ssl disabled. If 
we

should, setup.py condition needs to be relaxed.



What environments might not have ssl support?

Strictly speaking, it is possible to produce a Python distribution 
without

ssl support. But it isn't something I've seen in years.


I sometimes compile Python interpreters (usually PyPy) with a limited 
set of extension modules. However, I very rarely run Mercurial on top of 
these and in these cases I can comment out that check manually.


I would be fine with leaving it as is or sending a patch relaxing it.


D8456: rust: remove duplicate import

2020-05-30 Thread indygreg (Gregory Szorc)
Herald added a subscriber: mercurial-patches.
This revision now requires changes to proceed.
indygreg added a comment.
indygreg requested changes to this revision.


  This patch currently fails to apply.

REPOSITORY
  rHG Mercurial

CHANGES SINCE LAST ACTION
  https://phab.mercurial-scm.org/D8456/new/

REVISION DETAIL
  https://phab.mercurial-scm.org/D8456

To: Alphare, #hg-reviewers, marmoute, indygreg
Cc: indygreg, mercurial-patches, marmoute, mercurial-devel


D8604: relnotes: advertize the possibility to use rust

2020-05-30 Thread valentin.gatienbaron (Valentin Gatien-Baron)
valentin.gatienbaron created this revision.
Herald added a reviewer: hg-reviewers.
Herald added a subscriber: mercurial-patches.

REVISION SUMMARY
  I think the rust work may have been mentioned in the release notes,
  but if so only in passing, and not as an invitation to try it out.
  
  I think the next version is a decent time to do this, because the rust
  doesn't come with performance regressions AFAIK, speeds up status
  noticeably when it applies, which is the case for most invocations of
  status, and doesn't have the undesirable restriction of regex around
  empty patterns anymore.
  
  I am cheating a bit, because I'm giving numbers for `hg status` in
  mozilla-central, but they have one hgignore pattern that uses
  lookaround, ".vscode/(?!extensions\.json|tasks\.json", which I took
  out as it would cause a fallback to python when unknown files are
  requested. But it seems that they could express their hgignore
  differently if they were so inclined.
  
  Not sure if there are limitations other than linux-only that I am
  not thinking of but would be worth mentioning upfront, to avoid
  disappointing users?

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D8604

AFFECTED FILES
  relnotes/next

CHANGE DETAILS

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -3,6 +3,12 @@
 
 == New Experimental Features ==
 
+ * The core of some hg operations have been (and are being)
+   implemented in rust, for speed. `hg status` on a repository with
+   300k tracked files goes from 1.8s to 0.6s for instance.
+   This has currently been tested only on linux, and does not build on
+   windows. See rust/README.rst in the mercurial repository for
+   instructions to opt into this.
 
 == Backwards Compatibility Changes ==
 
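Review bot: `The core of some hg operations have been` at the first `+` line should read `has been` (the subject is `core`). The `1.8s to 0.6s` figure is also given without its conditions, while the revision summary says it was measured on mozilla-central after removing a lookaround hgignore pattern that would otherwise force a fallback to Python; say in the note that the speedup applies only when the Rust path can be used (no lookarounds in hgignore, Linux only) so users with such patterns are not surprised. Capitalize `Rust`, `Linux` and `Windows` as proper nouns.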



To: valentin.gatienbaron, #hg-reviewers
Cc: mercurial-patches, mercurial-devel


D8456: rust: remove duplicate import

2020-05-30 Thread indygreg (Gregory Szorc)
indygreg added a comment.


  Well, I attempted to rewrite `@`. But somehow the empty changeset got 
published before that push completed. So it is forever part of history now :/

REPOSITORY
  rHG Mercurial

CHANGES SINCE LAST ACTION
  https://phab.mercurial-scm.org/D8456/new/

REVISION DETAIL
  https://phab.mercurial-scm.org/D8456

To: Alphare, #hg-reviewers, marmoute, indygreg
Cc: indygreg, mercurial-patches, marmoute, mercurial-devel


D7177: rebase: introduce optional parent mapping

2020-05-30 Thread martinvonz (Martin von Zweigbergk)
martinvonz added a comment.


  Maybe another option is to allow multiple `-d` arguments for this case? 
Something like `hg rebase -r C -d B -d D`. I haven't thought through BC, but I 
think that's what I'd prefer if we were writing rebase from scratch. I know we 
can't support `hg rebase -r C -d 'B + D'` for backward-compatibility reasons 
(because we already support that -- it rebases to the highest revnum in the 
set).

REPOSITORY
  rHG Mercurial

CHANGES SINCE LAST ACTION
  https://phab.mercurial-scm.org/D7177/new/

REVISION DETAIL
  https://phab.mercurial-scm.org/D7177

To: joerg.sonnenberger, martinvonz, #hg-reviewers, baymax
Cc: mercurial-patches, marmoute, mercurial-devel


D8456: rust: remove duplicate import

2020-05-30 Thread Raphaël Gomès
Closed by commit rHGbe3e85cf8f4d: rust: remove duplicate import (authored by 
Alphare).
This revision was automatically updated to reflect the committed changes.
This revision was not accepted when it landed; it landed in state "Needs 
Revision".

CHANGED PRIOR TO COMMIT
  https://phab.mercurial-scm.org/D8456?vs=21152=21533#toc

REPOSITORY
  rHG Mercurial

CHANGES SINCE LAST UPDATE
  https://phab.mercurial-scm.org/D8456?vs=21152=21533

CHANGES SINCE LAST ACTION
  https://phab.mercurial-scm.org/D8456/new/

REVISION DETAIL
  https://phab.mercurial-scm.org/D8456

AFFECTED FILES


CHANGE DETAILS




To: Alphare, #hg-reviewers, marmoute, indygreg
Cc: indygreg, mercurial-patches, marmoute, mercurial-devel


Re: [PATCH 10 of 15] sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Joerg Sonnenberger
On Sat, May 30, 2020 at 07:52:22AM +0200, Manuel Jacob wrote:
> sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

Given that many systems want to phase out TLS 1.1, it seems questionable
to enforce this.

Joerg


Re: [PATCH 10 of 15] sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Gregory Szorc
On Sat, May 30, 2020 at 9:51 AM Manuel Jacob  wrote:

> On 2020-05-30 17:54, Gregory Szorc wrote:
> > On Sat, May 30, 2020 at 6:36 AM Yuya Nishihara  wrote:
> >
> >> On Sat, 30 May 2020 07:52:22 +0200, Manuel Jacob wrote:
> >> > # HG changeset patch
> >> > # User Manuel Jacob 
> >> > # Date 1590783568 -7200
> >> > #  Fri May 29 22:19:28 2020 +0200
> >> > # Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
> >> > # Parent  13922e383d20ca51752a2c3bd16429a5b0e30397
> >> > # EXP-Topic require_modern_ssl
> >> > sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2
> >> >
> >> > diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> >> > --- a/mercurial/sslutil.py
> >> > +++ b/mercurial/sslutil.py
> >> > @@ -44,13 +44,18 @@ configprotocols = {
> >> >
> >> >  hassni = getattr(ssl, 'HAS_SNI', False)
> >> >
> >> > -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is
> compiled
> >> > -# against doesn't support them.
> >> > -supportedprotocols = {b'tls1.0'}
> >> > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
> >> > -supportedprotocols.add(b'tls1.1')
> >> > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
> >> > -supportedprotocols.add(b'tls1.2')
> >> > +# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on
> >> 2012-03-14.
> >> > +# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect
> that
> >> > +# distributions having Python 2.7.9+ or having backported modern
> >> features to
> >> > +# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure,
> we
> >> assert
> >> > +# that support is actually present.
> >> > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
> >> > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
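Review bot: the two `+assert util.safehasattr(...)` lines run at module import and are removed entirely under `python -O`, so the guarantee they are meant to give silently disappears in optimized runs; replace them with an explicit check such as `if not util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'): raise error.Abort(...)` placed in the code path that builds the SSL context. That also addresses the import-time `AssertionError` concern raised further down in this thread and keeps the cost out of module import.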
> >>
> >> Can we expect that old RHEL/CentOS migrated to OpenSSL 1.0.1+?
> >> I hope they did, but I'm not sure.
>
> RHEL6 originally had OpenSSL 1.0.0 but "rebased" to OpenSSL 1.0.1 with
> RHEL6.5 (according to https://access.redhat.com/articles/1462223). I do
> not know whether they also maintain OpenSSL 1.0.0 with backports, but I
> found no evidence for this.
>
> >> Also, raising AssertionError at import time might break client code,
> >> which
> >> would expect ImportError/AttributeError on import error.
> >>
> >
> > Agreed that we want to avoid the AssertionError at import time. I would
> > refactor all the code for validating the sanity of the `ssl` module
> > into a
> > single function (perhaps the one that constructs an SSLContext) and
> > have it
> > abort if we fail to meet security requirements. That way we won't get
> > an
> > error until we actually attempt an operation that requires ssl. This
> > feels
> > better than running code at module import time, which can slow down
> > code
> > paths that don't need it.
>
> Isn't that part already handled by demandimport? In any case, I'm fine
> with changing the patches to check the TLS 1.2 support in setup.py, or
> when creating the context, or a combination of both.
>

demandimport helps with deferring the module import. But there are many
pieces of code that look at module attributes, which trigger an import. So
module-scoped code that we can avoid can potentially help with startup
times.


>
> > Regarding the minimum versions, given that TLS 1.2 is the minimum TLS
> > version to be reasonably secure in 2020, I would strongly prefer
> > requiring
> > it by default. I'm not opposed to a config option to allow TLS 1.0 and
> > 1.1
> > for the legacy environments that can't do better. Just as long as we
> > document that it weakens security.
>
> Do you refer to requiring the underlying Python version to support TLS
> 1.2 or to requiring the wire protocol to be at least TLS 1.2?
>

I think we should require TLS 1.2+ on the wire protocol by default. If the
Python environment or the server doesn't support TLS 1.2+, we should allow
people to downgrade via a config option and/or command argument. And we
should consider a future where TLS 1.2 becomes insecure and we need to
change defaults again. IMO the code should be structured to make these
future transitions as easy as possible.

While I'm here, Python 3.7+ supports TLS 1.3 if the underlying SSL library
supports it. I'd love to see support for TLS 1.3 in `sslutil.py`. This is
out of scope for your series and you don't have to take on the work if you
don't want to.


Re: [PATCH 10 of 15] sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Manuel Jacob

On 2020-05-30 19:10, Gregory Szorc wrote:

On Sat, May 30, 2020 at 9:51 AM Manuel Jacob  wrote:


On 2020-05-30 17:54, Gregory Szorc wrote:
> On Sat, May 30, 2020 at 6:36 AM Yuya Nishihara  wrote:
>
>> On Sat, 30 May 2020 07:52:22 +0200, Manuel Jacob wrote:
>> > # HG changeset patch
>> > # User Manuel Jacob 
>> > # Date 1590783568 -7200
>> > #  Fri May 29 22:19:28 2020 +0200
>> > # Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd
>> > # Parent  13922e383d20ca51752a2c3bd16429a5b0e30397
>> > # EXP-Topic require_modern_ssl
>> > sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2
>> >
>> > diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
>> > --- a/mercurial/sslutil.py
>> > +++ b/mercurial/sslutil.py
>> > @@ -44,13 +44,18 @@ configprotocols = {
>> >
>> >  hassni = getattr(ssl, 'HAS_SNI', False)
>> >
>> > -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is
compiled
>> > -# against doesn't support them.
>> > -supportedprotocols = {b'tls1.0'}
>> > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
>> > -supportedprotocols.add(b'tls1.1')
>> > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
>> > -supportedprotocols.add(b'tls1.2')
>> > +# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on
>> 2012-03-14.
>> > +# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect
that
>> > +# distributions having Python 2.7.9+ or having backported modern
>> features to
>> > +# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure,
we
>> assert
>> > +# that support is actually present.
>> > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
>> > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
>>
>> Can we expect that old RHEL/CentOS migrated to OpenSSL 1.0.1+?
>> I hope they did, but I'm not sure.

RHEL6 originally had OpenSSL 1.0.0 but "rebased" to OpenSSL 1.0.1 with
RHEL6.5 (according to https://access.redhat.com/articles/1462223). I 
do
not know whether they also maintain OpenSSL 1.0.0 with backports, but 
I

found no evidence for this.

>> Also, raising AssertionError at import time might break client code,
>> which
>> would expect ImportError/AttributeError on import error.
>>
>
> Agreed that we want to avoid the AssertionError at import time. I would
> refactor all the code for validating the sanity of the `ssl` module
> into a
> single function (perhaps the one that constructs an SSLContext) and
> have it
> abort if we fail to meet security requirements. That way we won't get
> an
> error until we actually attempt an operation that requires ssl. This
> feels
> better than running code at module import time, which can slow down
> code
> paths that don't need it.

Isn't that part already handled by demandimport? In any case, I'm fine
with changing the patches to check the TLS 1.2 support in setup.py, or
when creating the context, or a combination of both.



demandimport helps with deferring the module import. But there are many
pieces of code that look at module attributes, which trigger an import. 
So

module-scoped code that we can avoid can potentially help with startup
times.


That makes sense, I'll update the patch later.


> Regarding the minimum versions, given that TLS 1.2 is the minimum TLS
> version to be reasonably secure in 2020, I would strongly prefer
> requiring
> it by default. I'm not opposed to a config option to allow TLS 1.0 and
> 1.1
> for the legacy environments that can't do better. Just as long as we
> document that it weakens security.

Do you refer to requiring the underlying Python version to support TLS
1.2 or to requiring the wire protocol to be at least TLS 1.2?



I think we should require TLS 1.2+ on the wire protocol by default. If 
the
Python environment or the server doesn't support TLS 1.2+, we should 
allow

people to downgrade via a config option and/or command argument. And we
should consider a future where TLS 1.2 becomes insecure and we need to
change defaults again. IMO the code should be structured to make these
future transitions as easy as possible.


I think that topic is independent of this patch series. The 
infrastructure for what you describe is mostly there. It would seemingly 
be a matter of changing `defaultprotocol` from 'tls1.1' to 'tls1.2'.


While I'm here, Python 3.7+ supports TLS 1.3 if the underlying SSL 
library
supports it. I'd love to see support for TLS 1.3 in `sslutil.py`. This 
is
out of scope for your series and you don't have to take on the work if 
you

don't want to.


I think that OpenSSL automatically uses a newer version if available. If 
not, we should fix our code so that this happens. What is not yet 
implemented is a config to make TLS 1.3 mandatory. It would be a matter 
of adding a few lines, and I can do it once this patch series got 
through.

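The approach Gregory proposes above (validate the `ssl` module's capabilities where the SSLContext is built, fail with a clean error rather than an import-time assert, default the wire protocol to TLS 1.2 with a configurable floor) together with Manuel's remark that OpenSSL negotiates newer versions on its own, as an added Python example that is not Mercurial's `sslutil` code: the `b'tls1.2'`/`b'tls1.3'` config spellings, `TLSConfigError` and every function name below are this example's own assumptions.

```python
import ssl

# Config spellings follow the thread's 'tls1.1' / 'tls1.2' style; this table
# and every name below are this example's own, not sslutil's.
_MINIMUM_BY_CONFIG = {
    b'tls1.2': ssl.TLSVersion.TLSv1_2,
    b'tls1.3': ssl.TLSVersion.TLSv1_3,
}
DEFAULT_MINIMUM = b'tls1.2'  # the default floor proposed in the thread


class TLSConfigError(Exception):
    """Configuration that this Python's ssl module cannot honour."""


def minimum_version_for(name):
    """Map a config value such as b'tls1.2' to an ssl.TLSVersion.

    TLS 1.0/1.1 are deliberately absent: accepting them should be an
    explicit, documented downgrade knob, not something a typo can reach.
    """
    try:
        return _MINIMUM_BY_CONFIG[name]
    except KeyError:
        known = b', '.join(sorted(_MINIMUM_BY_CONFIG)).decode('ascii')
        raise TLSConfigError('unknown minimum TLS version %r (known: %s)'
                             % (name, known))


def check_runtime_supports(version):
    """Raise TLSConfigError, not AssertionError, when the OpenSSL this
    interpreter links against cannot speak `version` at all."""
    if version == ssl.TLSVersion.TLSv1_3 and not ssl.HAS_TLSv1_3:
        raise TLSConfigError('this Python/OpenSSL has no TLS 1.3 support')
    if version == ssl.TLSVersion.TLSv1_2 and not ssl.HAS_TLSv1_2:
        raise TLSConfigError('this Python/OpenSSL has no TLS 1.2 support')


def make_client_context(minimum=DEFAULT_MINIMUM, cafile=None):
    """Build a verifying client context with the configured TLS floor.

    The capability check runs here, in the code path that actually needs
    TLS: importing this module never raises, startup is not slowed, and
    `python -O` cannot strip the check the way it strips `assert`.
    """
    version = minimum_version_for(minimum)
    check_runtime_supports(version)
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        ctx.minimum_version = version
    except ValueError as exc:
        # OpenSSL refused the floor (for example TLS 1.3 on a build lacking it)
        raise TLSConfigError('cannot set minimum TLS version: %s' % exc)
    # Leaving the ceiling open lets OpenSSL negotiate TLS 1.3 on its own
    # wherever both peers support it, as noted in the thread.
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def negotiable_versions(ctx):
    """List the TLS versions `ctx` will accept, oldest first (the kind of
    fact a `hg debugssl`-style report would print)."""
    candidates = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    floor, ceiling = ctx.minimum_version, ctx.maximum_version
    accepted = []
    for v in candidates:
        if v < floor:
            continue
        if ceiling != ssl.TLSVersion.MAXIMUM_SUPPORTED and v > ceiling:
            continue
        if v == ssl.TLSVersion.TLSv1_3 and not ssl.HAS_TLSv1_3:
            continue
        accepted.append(v)
    return accepted


if __name__ == '__main__':
    context = make_client_context()
    print([v.name for v in negotiable_versions(context)])  # TLS 1.2 and up
    try:
        make_client_context(minimum=b'tls1.0')
    except TLSConfigError as exc:
        print('rejected:', exc)
```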


mercurial@44879: 7 new changesets

2020-05-30 Thread Mercurial Commits
7 new changesets in mercurial:

https://www.mercurial-scm.org/repo/hg/rev/47b3c8383cc1
changeset:   44873:47b3c8383cc1
user:Manuel Jacob 
date:Sat May 30 03:46:59 2020 +0200
summary: sslutil: set `_canloaddefaultcerts` to `True` if `ssl.SSLContext` 
is present

https://www.mercurial-scm.org/repo/hg/rev/4c53c12b92d5
changeset:   44874:4c53c12b92d5
user:Manuel Jacob 
date:Fri May 29 21:07:26 2020 +0200
summary: setup: require a Python version with modern SSL features

https://www.mercurial-scm.org/repo/hg/rev/7c19eb372438
changeset:   44875:7c19eb372438
user:Manuel Jacob 
date:Fri May 29 21:18:22 2020 +0200
summary: sslutil: remove code checking for presence of ssl.SSLContext

https://www.mercurial-scm.org/repo/hg/rev/dca2629f6d2e
changeset:   44876:dca2629f6d2e
user:Manuel Jacob 
date:Fri May 29 22:31:26 2020 +0200
summary: sslutil: remove comments referring to removed SSLContext emulation 
class

https://www.mercurial-scm.org/repo/hg/rev/86a7b7abf28e
changeset:   44877:86a7b7abf28e
user:Manuel Jacob 
date:Sat May 30 04:59:13 2020 +0200
summary: hgweb: avoid using `sslutil.modernssl`

https://www.mercurial-scm.org/repo/hg/rev/035199ba04ee
changeset:   44878:035199ba04ee
user:Manuel Jacob 
date:Fri May 29 21:30:04 2020 +0200
summary: sslutil: eliminate `modernssl` by constant-folding code using it

https://www.mercurial-scm.org/repo/hg/rev/ab5348bbc55e
changeset:   44879:ab5348bbc55e
bookmark:@
tag: tip
user:Manuel Jacob 
date:Sat May 30 05:08:02 2020 +0200
summary: tests: remove "defaultcacerts" check

-- 
Repository URL: https://www.mercurial-scm.org/repo/hg


[Bug 6339] New: convert aborts with busy undo.backupfiles on filter empty merge rev

2020-05-30 Thread mercurial-bugs
https://bz.mercurial-scm.org/show_bug.cgi?id=6339

Bug ID: 6339
   Summary: convert aborts with busy undo.backupfiles on filter
empty merge rev
   Product: Mercurial
   Version: 5.4rc0
  Hardware: PC
OS: Other
Status: UNCONFIRMED
  Severity: bug
  Priority: wish
 Component: convert
  Assignee: bugzi...@mercurial-scm.org
  Reporter: alexraynepe...@gmail.com
CC: duri...@gmail.com, mercurial-devel@mercurial-scm.org
Python Version: ---

Working on VirtualBox Ubuntu 20.04 hosted on Win8 (ru),
running convert in a Linux container aborts with:
```
hg convert --filemap ./cleanup-ng.convert ./contiki.hggit ./contiki2.hggit -v
--debug --traceback
obsolete feature not enabled but 67 markers found!
run hg source pre-conversion action
run hg sink pre-conversion action
сканирование источника... //<<- scaning source
сортировка... //<<- sorting
конвертирование...//<<- converting
9224 Merge pull request #1 from adamdunkels/master
источник: a93f408b4c303b6fa476d2bd1b52a445d4e363de
committing files:
LICENSE
reusing manifest from p1 (listed files actually unchanged)
committing changelog
updating the branch cache
отфильтровывается пустая ревизия   //<<- fileting empty revision
repository tip rolled back to revision 7931 (undo convert)
run hg sink post-conversion action
run hg source post-conversion action
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/mercurial/scmutil.py", line 152,
in callcatch
return func()
  File "/usr/local/lib/python2.7/dist-packages/mercurial/dispatch.py", line
462, in _runcatchfunc
return _dispatch(req)
  File "/usr/local/lib/python2.7/dist-packages/mercurial/dispatch.py", line
1226, in _dispatch
lui, repo, cmd, fullargs, ui, options, d, cmdpats, cmdoptions
  File "/usr/local/lib/python2.7/dist-packages/mercurial/dispatch.py", line
910, in runcommand
ret = _runcommand(ui, options, cmd, d)
  File "/usr/local/lib/python2.7/dist-packages/mercurial/dispatch.py", line
1237, in _runcommand
return cmdfunc()
  File "/usr/local/lib/python2.7/dist-packages/mercurial/dispatch.py", line
1223, in 
d = lambda: util.checksignature(func)(ui, *args, **strcmdopt)
  File "/usr/local/lib/python2.7/dist-packages/mercurial/util.py", line 1864,
in check
return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/hgext/convert/__init__.py", line
495, in convert
return convcmd.convert(ui, src, dest, revmapfile, **opts)
  File "/usr/local/lib/python2.7/dist-packages/hgext/convert/convcmd.py", line
670, in convert
c.convert(sortmode)
  File "/usr/local/lib/python2.7/dist-packages/hgext/convert/convcmd.py", line
571, in convert
self.copy(c)
  File "/usr/local/lib/python2.7/dist-packages/hgext/convert/convcmd.py", line
536, in copy
files, copies, parents, commit, source, self.map, full, cleanp2
  File "/usr/local/lib/python2.7/dist-packages/hgext/convert/hg.py", line 412,
in putcommit
self.repo.rollback(force=True)
  File "/usr/local/lib/python2.7/dist-packages/mercurial/localrepo.py", line
2370, in rollback
return self._rollback(dryrun, force, dsguard)
  File "/usr/local/lib/python2.7/dist-packages/mercurial/localrepo.py", line
195, in wrapper
return orig(repo.unfiltered(), *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/mercurial/localrepo.py", line
2417, in _rollback
self.svfs, vfsmap, b'undo', ui.warn, checkambigfiles=_cachedfiles
  File "/usr/local/lib/python2.7/dist-packages/mercurial/transaction.py", line
735, in rollback
checkambigfiles=checkambigfiles,
  File "/usr/local/lib/python2.7/dist-packages/mercurial/transaction.py", line
114, in _playback
opener.unlink(backuppath)
  File "/usr/local/lib/python2.7/dist-packages/mercurial/vfs.py", line 269, in
unlink
return util.unlink(self.join(path))
OSError: [Errno 26] Text file busy:
'/media/sf_projects/contiki2.hggit/.hg/store/undo.backupfiles'
отмена: Text file busy:
'/media/sf_projects/contiki2.hggit/.hg/store/undo.backupfiles'
```

Running the same on a Windows host completes, but the resulting repository misses a lot of
merge revisions.

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


Re: [PATCH 08 of 15] sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it

2020-05-30 Thread Gregory Szorc
On Sat, May 30, 2020 at 10:16 AM Manuel Jacob  wrote:

> On 2020-05-30 18:11, Gregory Szorc wrote:
> > On Fri, May 29, 2020 at 11:50 PM Manuel Jacob 
> > wrote:
> >
> >> # HG changeset patch
> >> # User Manuel Jacob 
> >> # Date 1590801838 -7200
> >> #  Sat May 30 03:23:58 2020 +0200
> >> # Node ID 9ae0e1b1a499dfce1807e3c9ec5c03714c6f154a
> >> # Parent  992db2b7bd11431df9145abc35dca2eba73b9972
> >> # EXP-Topic require_modern_ssl
> >> sslutil: eliminate `_canloaddefaultcerts` by constant-folding code
> >> using it
> >>
> >> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> >> --- a/mercurial/sslutil.py
> >> +++ b/mercurial/sslutil.py
> >> @@ -52,8 +52,6 @@ if util.safehasattr(ssl, b'PROTOCOL_TLSv
> >>  if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
> >>  supportedprotocols.add(b'tls1.2')
> >>
> >> -_canloaddefaultcerts = True
> >> -
> >>
> >>  def _hostsettings(ui, hostname):
> >>  """Obtain security settings for a hostname.
> >> @@ -227,7 +225,7 @@ def _hostsettings(ui, hostname):
> >>
> >>  # Require certificate validation if CA certs are being loaded
> >> and
> >>  # verification hasn't been disabled above.
> >> -if cafile or (_canloaddefaultcerts and
> >> s[b'allowloaddefaultcerts']):
> >> +if cafile or (s[b'allowloaddefaultcerts']):
> >>  s[b'verifymode'] = ssl.CERT_REQUIRED
> >>  else:
> >>  # At this point we don't have a fingerprint, aren't being
> >> @@ -721,14 +719,6 @@ def _plainapplepython():
> >>  )
> >>
> >>
> >> -_systemcacertpaths = [
> >> -# RHEL, CentOS, and Fedora
> >> -b'/etc/pki/tls/certs/ca-bundle.trust.crt',
> >> -# Debian, Ubuntu, Gentoo
> >> -b'/etc/ssl/certs/ca-certificates.crt',
> >> -]
> >> -
> >> -
> >>  def _defaultcacerts(ui):
> >>  """return path to default CA certificates or None.
> >>
> >> @@ -751,23 +741,6 @@ def _defaultcacerts(ui):
> >>  except (ImportError, AttributeError):
> >>  pass
> >>
> >> -# On Windows, only the modern ssl module is capable of loading
> >> the
> >> system
> >> -# CA certificates. If we're not capable of doing that, emit a
> >> warning
> >> -# because we'll get a certificate verification error later and
> >> the
> >> lack
> >> -# of loaded CA certificates will be the reason why.
> >> -# Assertion: this code is only called if certificates are being
> >> verified.
> >> -if pycompat.iswindows:
> >> -if not _canloaddefaultcerts:
> >> -ui.warn(
> >> -_(
> >> -b'(unable to load Windows CA certificates; see '
> >> -
> >> b'https://mercurial-scm.org/wiki/SecureConnections
> >> for '
> >> -b'how to configure Mercurial to avoid this
> >> message)\n'
> >> -)
> >> -)
> >> -
> >> -return None
> >> -
> >>  # Apple's OpenSSL has patches that allow a specially constructed
> >> certificate
> >>  # to load the system CA store. If we're running on Apple Python,
> >> use
> >> this
> >>  # trick.
> >> @@ -778,58 +751,6 @@ def _defaultcacerts(ui):
> >>  if os.path.exists(dummycert):
> >>  return dummycert
> >>
> >> -# The Apple OpenSSL trick isn't available to us. If Python isn't
> >> able
> >> to
> >> -# load system certs, we're out of luck.
> >> -if pycompat.isdarwin:
> >> -# FUTURE Consider looking for Homebrew or MacPorts installed
> >> certs
> >> -# files. Also consider exporting the keychain certs to a file
> >> during
> >> -# Mercurial install.
> >> -if not _canloaddefaultcerts:
> >> -ui.warn(
> >> -_(
> >> -b'(unable to load CA certificates; see '
> >> -
> >> b'https://mercurial-scm.org/wiki/SecureConnections
> >> for '
> >> -b'how to configure Mercurial to avoid this
> >> message)\n'
> >> -)
> >> -)
> >> -return None
> >> -
> >> -# / is writable on Windows. Out of an abundance of caution make
> >> sure
> >> -# we're not on Windows because paths from _systemcacerts could be
> >> installed
> >> -# by non-admin users.
> >> -assert not pycompat.iswindows
> >> -
> >> -# Try to find CA certificates in well-known locations. We print a
> >> warning
> >> -# when using a found file because we don't want too much silent
> >> magic
> >> -# for security settings. The expectation is that proper Mercurial
> >> -# installs will have the CA certs path defined at install time
> >> and the
> >> -# installer/packager will make an appropriate decision on the
> >> user's
> >> -# behalf. We only get here and perform this setting as a feature
> >> of
> >> -# last resort.
> >> -if not _canloaddefaultcerts:
> >> -for path in _systemcacertpaths:
> >> -if os.path.isfile(path):
> >> -ui.warn(
> >> -_(
> >> -b'(using CA certificates 

Re: [PATCH 08 of 15] sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it

2020-05-30 Thread Gregory Szorc
On Fri, May 29, 2020 at 11:50 PM Manuel Jacob  wrote:

> # HG changeset patch
> # User Manuel Jacob 
> # Date 1590801838 -7200
> #  Sat May 30 03:23:58 2020 +0200
> # Node ID 9ae0e1b1a499dfce1807e3c9ec5c03714c6f154a
> # Parent  992db2b7bd11431df9145abc35dca2eba73b9972
> # EXP-Topic require_modern_ssl
> sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it
>
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -52,8 +52,6 @@ if util.safehasattr(ssl, b'PROTOCOL_TLSv
>  if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
>  supportedprotocols.add(b'tls1.2')
>
> -_canloaddefaultcerts = True
> -
>
>  def _hostsettings(ui, hostname):
>  """Obtain security settings for a hostname.
> @@ -227,7 +225,7 @@ def _hostsettings(ui, hostname):
>
>  # Require certificate validation if CA certs are being loaded and
>  # verification hasn't been disabled above.
> -if cafile or (_canloaddefaultcerts and
> s[b'allowloaddefaultcerts']):
> +if cafile or (s[b'allowloaddefaultcerts']):
>  s[b'verifymode'] = ssl.CERT_REQUIRED
>  else:
>  # At this point we don't have a fingerprint, aren't being
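Review bot: the parentheses in `+if cafile or (s[b'allowloaddefaultcerts']):` are left over from the removed `_canloaddefaultcerts and` clause and now enclose a single name; `if cafile or s[b'allowloaddefaultcerts']:` says the same thing without suggesting a grouping that no longer exists. The comment above it ("Require certificate validation if CA certs are being loaded and verification hasn't been disabled above") still describes the folded condition correctly.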
> @@ -721,14 +719,6 @@ def _plainapplepython():
>  )
>
>
> -_systemcacertpaths = [
> -# RHEL, CentOS, and Fedora
> -b'/etc/pki/tls/certs/ca-bundle.trust.crt',
> -# Debian, Ubuntu, Gentoo
> -b'/etc/ssl/certs/ca-certificates.crt',
> -]
> -
> -
>  def _defaultcacerts(ui):
>  """return path to default CA certificates or None.
>
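Review bot: the commit message should state that the well-known CA bundle locations (`/etc/pki/tls/certs/ca-bundle.trust.crt`, `/etc/ssl/certs/ca-certificates.crt`) disappear as a fallback, not only that a constant is folded. `_systemcacertpaths` is read solely from the `for path in _systemcacertpaths:` loop under `if not _canloaddefaultcerts:` in `_defaultcacerts`, which is unreachable with `_canloaddefaultcerts = True`, so the deletion is behaviour-preserving, but a reader of `hg log` cannot see that without opening the diff.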
> @@ -751,23 +741,6 @@ def _defaultcacerts(ui):
>  except (ImportError, AttributeError):
>  pass
>
> -# On Windows, only the modern ssl module is capable of loading the
> system
> -# CA certificates. If we're not capable of doing that, emit a warning
> -# because we'll get a certificate verification error later and the
> lack
> -# of loaded CA certificates will be the reason why.
> -# Assertion: this code is only called if certificates are being
> verified.
> -if pycompat.iswindows:
> -if not _canloaddefaultcerts:
> -ui.warn(
> -_(
> -b'(unable to load Windows CA certificates; see '
> -b'https://mercurial-scm.org/wiki/SecureConnections
> for '
> -b'how to configure Mercurial to avoid this message)\n'
> -)
> -)
> -
> -return None
> -
>  # Apple's OpenSSL has patches that allow a specially constructed
> certificate
>  # to load the system CA store. If we're running on Apple Python, use
> this
>  # trick.
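Review bot: the deleted comment "Assertion: this code is only called if certificates are being verified." states a precondition of `_defaultcacerts` that still holds once the Windows branch is gone; consider moving it into the function's docstring ("return path to default CA certificates or None.") rather than dropping it together with the dead code.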
> @@ -778,58 +751,6 @@ def _defaultcacerts(ui):
>  if os.path.exists(dummycert):
>  return dummycert
>
> -# The Apple OpenSSL trick isn't available to us. If Python isn't able
> to
> -# load system certs, we're out of luck.
> -if pycompat.isdarwin:
> -# FUTURE Consider looking for Homebrew or MacPorts installed certs
> -# files. Also consider exporting the keychain certs to a file
> during
> -# Mercurial install.
> -if not _canloaddefaultcerts:
> -ui.warn(
> -_(
> -b'(unable to load CA certificates; see '
> -b'https://mercurial-scm.org/wiki/SecureConnections
> for '
> -b'how to configure Mercurial to avoid this message)\n'
> -)
> -)
> -return None
> -
> -# / is writable on Windows. Out of an abundance of caution make sure
> -# we're not on Windows because paths from _systemcacerts could be
> installed
> -# by non-admin users.
> -assert not pycompat.iswindows
> -
> -# Try to find CA certificates in well-known locations. We print a
> warning
> -# when using a found file because we don't want too much silent magic
> -# for security settings. The expectation is that proper Mercurial
> -# installs will have the CA certs path defined at install time and the
> -# installer/packager will make an appropriate decision on the user's
> -# behalf. We only get here and perform this setting as a feature of
> -# last resort.
> -if not _canloaddefaultcerts:
> -for path in _systemcacertpaths:
> -if os.path.isfile(path):
> -ui.warn(
> -_(
> -b'(using CA certificates from %s; if you see this
> '
> -b'message, your Mercurial install is not properly
> '
> -b'configured; see '
> -b'
> https://mercurial-scm.org/wiki/SecureConnections '
> -b'for how to configure Mercurial to avoid this '
> -b'message)\n'
> -)
> -% path
> -)
> -return path
> -
> -ui.warn(
> -_(
> -
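Review bot: `-assert not pycompat.iswindows` was the guard that kept the `_systemcacertpaths` scan off Windows (the removed comment explains that `/` is writable there by non-admin users); with the scan deleted the assert has no remaining purpose, which is fine, but this hunk also starts removing the function's final `ui.warn(`, so the commit message should say that `_defaultcacerts` no longer warns about missing CA certificates itself and where users are told instead.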

Re: [PATCH 08 of 15] sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it

2020-05-30 Thread Manuel Jacob

On 2020-05-30 18:11, Gregory Szorc wrote:
On Fri, May 29, 2020 at 11:50 PM Manuel Jacob  
wrote:



# HG changeset patch
# User Manuel Jacob 
# Date 1590801838 -7200
#  Sat May 30 03:23:58 2020 +0200
# Node ID 9ae0e1b1a499dfce1807e3c9ec5c03714c6f154a
# Parent  992db2b7bd11431df9145abc35dca2eba73b9972
# EXP-Topic require_modern_ssl
sslutil: eliminate `_canloaddefaultcerts` by constant-folding code 
using it


diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -52,8 +52,6 @@ if util.safehasattr(ssl, b'PROTOCOL_TLSv
 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
 supportedprotocols.add(b'tls1.2')

-_canloaddefaultcerts = True
-

 def _hostsettings(ui, hostname):
 """Obtain security settings for a hostname.
@@ -227,7 +225,7 @@ def _hostsettings(ui, hostname):

 # Require certificate validation if CA certs are being loaded 
and

 # verification hasn't been disabled above.
-if cafile or (_canloaddefaultcerts and
s[b'allowloaddefaultcerts']):
+if cafile or (s[b'allowloaddefaultcerts']):
 s[b'verifymode'] = ssl.CERT_REQUIRED
 else:
 # At this point we don't have a fingerprint, aren't being
@@ -721,14 +719,6 @@ def _plainapplepython():
 )


-_systemcacertpaths = [
-# RHEL, CentOS, and Fedora
-b'/etc/pki/tls/certs/ca-bundle.trust.crt',
-# Debian, Ubuntu, Gentoo
-b'/etc/ssl/certs/ca-certificates.crt',
-]
-
-
 def _defaultcacerts(ui):
 """return path to default CA certificates or None.

@@ -751,23 +741,6 @@ def _defaultcacerts(ui):
 except (ImportError, AttributeError):
 pass

-# On Windows, only the modern ssl module is capable of loading 
the

system
-# CA certificates. If we're not capable of doing that, emit a 
warning
-# because we'll get a certificate verification error later and 
the

lack
-# of loaded CA certificates will be the reason why.
-# Assertion: this code is only called if certificates are being
verified.
-if pycompat.iswindows:
-if not _canloaddefaultcerts:
-ui.warn(
-_(
-b'(unable to load Windows CA certificates; see '
-
b'https://mercurial-scm.org/wiki/SecureConnections

for '
-b'how to configure Mercurial to avoid this 
message)\n'

-)
-)
-
-return None
-
 # Apple's OpenSSL has patches that allow a specially constructed
certificate
 # to load the system CA store. If we're running on Apple Python, 
use

this
 # trick.
@@ -778,58 +751,6 @@ def _defaultcacerts(ui):
 if os.path.exists(dummycert):
 return dummycert

-# The Apple OpenSSL trick isn't available to us. If Python isn't 
able

to
-# load system certs, we're out of luck.
-if pycompat.isdarwin:
-# FUTURE Consider looking for Homebrew or MacPorts installed 
certs

-# files. Also consider exporting the keychain certs to a file
during
-# Mercurial install.
-if not _canloaddefaultcerts:
-ui.warn(
-_(
-b'(unable to load CA certificates; see '
-
b'https://mercurial-scm.org/wiki/SecureConnections

for '
-b'how to configure Mercurial to avoid this 
message)\n'

-)
-)
-return None
-
-# / is writable on Windows. Out of an abundance of caution make 
sure

-# we're not on Windows because paths from _systemcacerts could be
installed
-# by non-admin users.
-assert not pycompat.iswindows
-
-# Try to find CA certificates in well-known locations. We print a
warning
-# when using a found file because we don't want too much silent 
magic

-# for security settings. The expectation is that proper Mercurial
-# installs will have the CA certs path defined at install time 
and the
-# installer/packager will make an appropriate decision on the 
user's
-# behalf. We only get here and perform this setting as a feature 
of

-# last resort.
-if not _canloaddefaultcerts:
-for path in _systemcacertpaths:
-if os.path.isfile(path):
-ui.warn(
-_(
-b'(using CA certificates from %s; if you see 
this

'
-b'message, your Mercurial install is not 
properly

'
-b'configured; see '
-b'
https://mercurial-scm.org/wiki/SecureConnections '
-b'for how to configure Mercurial to avoid 
this '

-b'message)\n'
-)
-% path
-)
-return path
-
-ui.warn(
-_(
-b'(unable to load CA certificates; see '
-b'https://mercurial-scm.org/wiki/SecureConnections 
for '
-b'how to configure Mercurial to 

[PATCH 05 of 10 v2] sslutil: simplify code for printing an error message when negotiation fails

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590800420 -7200
#  Sat May 30 03:00:20 2020 +0200
# Node ID bb58183ab539f542382b7f175377e8bd69cc452a
# Parent  5d4b7c8aac2c8e7c5f981e9e9c30dc14f90d886f
# EXP-Topic require_modern_ssl
sslutil: simplify code for printing an error message when negotiation fails

The original motivation for doing this was that we now depend on TLS 1.1 and
TLS 1.2 being supported by the underlying Python, so that we don’t have to
handle the case where the client supports only TLS 1.0. While making the
change, I realized that there’s no good reason to print a different message
depending on which minimum protocol was configured. Actually, "could not
communicate with %s using security protocols ..." was imprecise, as the
underlying SSL implementation is free to use a higher version if available.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -427,73 +427,37 @@ def wrapsocket(sock, keyfile, certfile, 
 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the
 # reason, try to emit an actionable warning.
 if e.reason == 'UNSUPPORTED_PROTOCOL':
-# We attempted TLS 1.0+.
-if settings[b'protocolui'] == b'tls1.0':
-# We support more than just TLS 1.0+. If this happens,
-# the likely scenario is either the client or the server
-# is really old. (e.g. server doesn't support TLS 1.0+ or
-# client doesn't support modern TLS versions introduced
-# several years from when this comment was written).
-if supportedprotocols != {b'tls1.0'}:
-ui.warn(
-_(
-b'(could not communicate with %s using 
security '
-b'protocols %s; if you are using a modern 
Mercurial '
-b'version, consider contacting the operator of 
this '
-b'server; see '
-
b'https://mercurial-scm.org/wiki/SecureConnections '
-b'for more info)\n'
-)
-% (
-pycompat.bytesurl(serverhostname),
-b', '.join(sorted(supportedprotocols)),
-)
-)
-else:
-ui.warn(
-_(
-b'(could not communicate with %s using TLS 
1.0; the '
-b'likely cause of this is the server no longer 
'
-b'supports TLS 1.0 because it has known 
security '
-b'vulnerabilities; see '
-
b'https://mercurial-scm.org/wiki/SecureConnections '
-b'for more info)\n'
-)
-% pycompat.bytesurl(serverhostname)
-)
-else:
-# We attempted TLS 1.1+. We can only get here if the client
-# supports the configured protocol. So the likely reason is
-# the client wants better security than the server can
-# offer.
-ui.warn(
-_(
-b'(could not negotiate a common security protocol 
(%s+) '
-b'with %s; the likely cause is Mercurial is 
configured '
-b'to be more secure than the server can support)\n'
-)
-% (
-settings[b'protocolui'],
-pycompat.bytesurl(serverhostname),
-)
+# We can only get here if the client supports the configured
+# protocol. So the likely reason is the client wants better
+# security than the server can offer.
+ui.warn(
+_(
+b'(could not negotiate a common security protocol 
(%s+) '
+b'with %s; the likely cause is Mercurial is configured 
'
+b'to be more secure than the server can support)\n'
+)
+% (
+settings[b'protocolui'],
+pycompat.bytesurl(serverhostname),
 )
-ui.warn(
-_(
-b'(consider contacting the operator of this '
-b'server and ask them to support modern TLS '
-b'protocol versions; or, set '
-
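Review bot: the new comment `+# We can only get here if the client supports the configured protocol.` is true only because `supportedprotocols` is now the fixed set `{tls1.0, tls1.1, tls1.2}` (established earlier in this series); a short pointer to that in the comment would explain why the `supportedprotocols != {b'tls1.0'}` distinction could vanish. The context comment at the top of the hunk ("TLS 1.1+ and the server only supports TLS 1.0. Whatever the reason, try to emit an actionable warning.") now describes the only scenario handled, so "Whatever the reason" could be tightened in the same change.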

[PATCH 04 of 10 v2] sslutil: remove comment referring to unsupported legacy stacks

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590785278 -7200
#  Fri May 29 22:47:58 2020 +0200
# Node ID 5d4b7c8aac2c8e7c5f981e9e9c30dc14f90d886f
# Parent  594ab49f13ab0caba9f4934803932cd9b37e96d1
# EXP-Topic require_modern_ssl
sslutil: remove comment referring to unsupported legacy stacks

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -256,9 +256,7 @@ def protocolsettings(protocol):
 assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
 
 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
-# that both ends support, including TLS protocols. On legacy stacks,
-# the highest it likely goes is TLS 1.0. On modern stacks, it can
-# support TLS 1.2.
+# that both ends support, including TLS protocols.
 #
 # The PROTOCOL_TLSv* constants select a specific TLS version
 # only (as opposed to multiple versions). So the method for



[PATCH 09 of 10 v2] tests: remove "tls1.2" check

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590816692 -7200
#  Sat May 30 07:31:32 2020 +0200
# Node ID 727c3b95f5ace64398c262b1093427d6d8a03815
# Parent  08796924bd51030b433408c755b1bd28d38393e8
# EXP-Topic require_modern_ssl
tests: remove "tls1.2" check

Now that we require that the underlying Python version supports TLS 1.2, the
check would always return `True`.

diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -661,13 +661,6 @@ def has_defaultcacertsloaded():
 return len(ctx.get_ca_certs()) > 0
 
 
-@check("tls1.2", "TLS 1.2 protocol support")
-def has_tls1_2():
-from mercurial import sslutil
-
-return b'tls1.2' in sslutil.supportedprotocols
-
-
 @check("windows", "Windows")
 def has_windows():
 return os.name == 'nt'
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -344,7 +344,6 @@ Ports used by next test. Kill servers.
   $ killdaemons.py hg1.pid
   $ killdaemons.py hg2.pid
 
-#if tls1.2
 Start servers running supported TLS versions
 
   $ cd test
@@ -435,7 +434,6 @@ The per-host config option by itself wor
   $ killdaemons.py hg0.pid
   $ killdaemons.py hg1.pid
   $ killdaemons.py hg2.pid
-#endif
 
 Prepare for connecting through proxy
 
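Review bot: with `#if tls1.2` / `#endif` gone, the "Start servers running supported TLS versions" block in test-https.t runs unconditionally, which is the intent. Since `has_tls1_2` is deleted in the hghave.py hunk above, grep the tests for leftover `(tls1.2 !)` / `(no-tls1.2 !)` output markers: the test-wireproto-content-redirects.t hunk in this same patch shows they were used outside test-https.t, and any survivor would reference a feature hghave no longer knows.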
diff --git a/tests/test-wireproto-content-redirects.t 
b/tests/test-wireproto-content-redirects.t
--- a/tests/test-wireproto-content-redirects.t
+++ b/tests/test-wireproto-content-redirects.t
@@ -69,21 +69,18 @@ Redirect targets advertised when configu
   s> Content-Length: 2308\r\n
   s> \r\n
   s> 
\xa3GapibaseDapi/Dapis\xa1Pexp-http-v2-0003\xa5Hcommands\xacIbranchmap\xa2Dargs\xa0Kpermissions\x81DpullLcapabilities\xa2Dargs\xa0Kpermissions\x81DpullMchangesetdata\xa2Dargs\xa2Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x84IbookmarksGparentsEphaseHrevisionIrevisions\xa2Hrequired\xf5DtypeDlistKpermissions\x81DpullHfiledata\xa2Dargs\xa4Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x83HlinknodeGparentsHrevisionKhaveparents\xa3Gdefault\xf4Hrequired\xf4DtypeDboolEnodes\xa2Hrequired\xf5DtypeDlistDpath\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullIfilesdata\xa3Dargs\xa4Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x84NfirstchangesetHlinknodeGparentsHrevisionKhaveparents\xa3Gdefault\xf4Hrequired\xf4DtypeDboolJpathfilter\xa3Gdefault\xf6Hrequired\xf4DtypeDdictIrevisions\xa2Hrequired\xf5DtypeDlistKpermissions\x81DpullTrecommendedbatchsize\x19\xc3PEheads\xa2Dargs\xa1Jpubliconly\xa3Gdefault\xf4Hrequired\xf4DtypeDboolKpermissions\x81DpullEknown\xa2Dargs\xa1Enodes\xa3Gdefault\x80Hrequired\xf4DtypeDlistKpermissions\x81DpullHlistkeys\xa2Dargs\xa1Inamespace\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullFlookup\xa2Dargs\xa1Ckey\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullLmanifestdata\xa3Dargs\xa4Ffields\xa4Gdefault\xd9\x01\x02\x80Hrequired\xf4DtypeCsetKvalidvalues\xd9\x01\x02\x82GparentsHrevisionKhaveparents\xa3Gdefault\xf4Hrequired\xf4DtypeDboolEnodes\xa2Hrequired\xf5DtypeDlistDtree\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpullTrecommendedbatchsize\x1a\x00\x01\x86\xa0Gpushkey\xa2Dargs\xa4Ckey\xa2Hrequired\xf5DtypeEbytesInamespace\xa2Hrequired\xf5DtypeEbytesCnew\xa2Hrequired\xf5DtypeEbytesCold\xa2Hrequired\xf5DtypeEbytesKpermissions\x81DpushPrawstorefiledata\xa2Dargs\xa2Efiles\xa2Hrequired\xf5DtypeDlistJpathfilter\xa3Gdefault\xf6Hrequired\xf4DtypeDlistKpermissions\x81DpullQframingmediatypes\x81X/mercurial-exp-framing-0006Rpathfilterprefixes\xd9\x01\x02\x82Epath:
Lrootfilesin:Nrawrepoformats\x83LgeneraldeltaHrevlogv1LsparserevlogHredirect\xa2Fhashes\x82Fsha256Dsha1Gtargets\x81\xa5DnameHtarget-aHprotocolDhttpKsnirequired\xf4Ktlsversions\x82C1.2C1.3Duris\x81Shttp://example.com/Nv1capabilitiesY\x01\xf7batch
 branchmap $USUAL_BUNDLE2_CAPS$ changegroupsubset 
compression=$BUNDLE2_COMPRESSIONS$ getbundle httpheader=1024 
httpmediatype=0.1rx,0.1tx,0.2tx known lookup pushkey 
streamreqs=generaldelta,revlogv1,sparserevlog unbundle=HG10GZ,HG10BZ,HG10UN 
unbundlehash
-  (remote redirect target target-a is compatible) (tls1.2 !)
-  (remote redirect target target-a requires unsupported TLS versions: 1.2, 
1.3) (no-tls1.2 !)
+  (remote redirect target target-a is compatible)
   sending capabilities command
   s> setsockopt(6, 1, 1) -> None (?)
   s> POST /api/exp-http-v2-0003/ro/capabilities HTTP/1.1\r\n
   s> Accept-Encoding: identity\r\n
   s> accept: application/mercurial-exp-framing-0006\r\n
   s> content-type: application/mercurial-exp-framing-0006\r\n
-  s> content-length: 111\r\n (tls1.2 !)
-  s> content-length: 102\r\n (no-tls1.2 !)
+  s> content-length: 111\r\n
   s> host: $LOCALIP:$HGPORT\r\n (glob)
   s> user-agent: Mercurial debugwireproto\r\n
   s> \r\n
-  s> 

[PATCH 01 of 10 v2] relnotes: note that we now require modern SSL/TLS features in Python

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590873537 -7200
#  Sat May 30 23:18:57 2020 +0200
# Node ID d5441892eb22aa451bb479919e95f671e99857eb
# Parent  ed05581cec9e829ee4dd3daef8fc4fdd63f6ab54
# EXP-Topic require_modern_ssl
relnotes: note that we now require modern SSL/TLS features in Python

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -6,6 +6,9 @@
 
 == Backwards Compatibility Changes ==
 
+* Mercurial now requires at least Python 2.7.9 or a Python version that
+  backported modern SSL/TLS features (as defined in PEP 466).
+
 
 == Internal API Changes ==
 
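Review bot: this bullet describes an intermediate state; the next patch in the series amends the same sentence to add the OpenSSL TLS 1.1/1.2 requirement. Landing the relnotes bullet once in its final form (or folding this change into patch 02) avoids a two-step history for one sentence.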



[PATCH 02 of 10 v2] setup: require that Python supports TLS 1.1 and TLS 1.2

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590874939 -7200
#  Sat May 30 23:42:19 2020 +0200
# Node ID b33cc1f796e9c3aa6df1e51d36f0b3c061dfee9e
# Parent  d5441892eb22aa451bb479919e95f671e99857eb
# EXP-Topic require_modern_ssl
setup: require that Python supports TLS 1.1 and TLS 1.2

This increases the minimum security baseline of Mercurial and enables us to
remove compatibility code that downgrades security if these features are not
available.

It is reasonable to expect that distributions having Python 2.7.9+ or having
backported modern features to the ssl module (which we require) have an OpenSSL
version supporting TLS 1.1 and TLS 1.2, as this is the main reason why
distributions would want to backport these features.

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -7,7 +7,9 @@
 == Backwards Compatibility Changes ==
 
 * Mercurial now requires at least Python 2.7.9 or a Python version that
-  backported modern SSL/TLS features (as defined in PEP 466).
+  backported modern SSL/TLS features (as defined in PEP 466), and that Python
+  was compiled against a OpenSSL version supporting TLS 1.1 and TLS 1.2
+  (likely this requires the OpenSSL version to be at least 1.0.1).
 
 
 == Internal API Changes ==
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -98,6 +98,19 @@ features.
 printf(error, file=sys.stderr)
 sys.exit(1)
 
+try:
+ssl.PROTOCOL_TLSv1_1
+ssl.PROTOCOL_TLSv1_2
+except AttributeError:
+error = """
+The `ssl` module does not advertise support for TLS 1.1 and TLS 1.2.
+Please make sure that your Python installation was compiled against an OpenSSL
+version enabling these features (likely this requires the OpenSSL version to
+be at least 1.0.1).
+"""
+printf(error, file=sys.stderr)
+sys.exit(1)
+
 if sys.version_info[0] >= 3:
 DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:
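Review bot: the bare expressions `+ssl.PROTOCOL_TLSv1_1` / `+ssl.PROTOCOL_TLSv1_2` rely on attribute access raising `AttributeError` and read like dead code to a linter; `if not (hasattr(ssl, 'PROTOCOL_TLSv1_1') and hasattr(ssl, 'PROTOCOL_TLSv1_2')):` states the intent directly. The check also needs `ssl` imported earlier in setup.py, which the hunk context does not show. Note that it proves only what Python was compiled against (as the error text correctly says), not what the OpenSSL loaded at run time enables, so the check is a build-time sanity test rather than a runtime guarantee.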



[PATCH 03 of 10 v2] sslutil: convert check for TLS 1.1 and TLS 1.2 into assert

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590783568 -7200
#  Fri May 29 22:19:28 2020 +0200
# Node ID 594ab49f13ab0caba9f4934803932cd9b37e96d1
# Parent  b33cc1f796e9c3aa6df1e51d36f0b3c061dfee9e
# EXP-Topic require_modern_ssl
sslutil: convert check for TLS 1.1 and TLS 1.2 into assert

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -44,13 +44,11 @@ configprotocols = {
 
 hassni = getattr(ssl, 'HAS_SNI', False)
 
-# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
-# against doesn't support them.
-supportedprotocols = {b'tls1.0'}
-if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'):
-supportedprotocols.add(b'tls1.1')
-if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
-supportedprotocols.add(b'tls1.2')
+supportedprotocols = {
+b'tls1.0',
+b'tls1.1',
+b'tls1.2',
+}
 
 
 def _hostsettings(ui, hostname):
@@ -252,6 +250,11 @@ def protocolsettings(protocol):
 if protocol not in configprotocols:
 raise ValueError(b'protocol value not supported: %s' % protocol)
 
+# We already check in setup.py that these attributes are present. To be
+# sure, we double-check here.
+assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1')
+assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
+
 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
 # that both ends support, including TLS protocols. On legacy stacks,
 # the highest it likely goes is TLS 1.0. On modern stacks, it can
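Review bot: `assert` is stripped under `python -O`, so the "double-check" in `protocolsettings` does not run in optimized builds; if a runtime guarantee is wanted, raise `error.Abort` (or access `ssl.PROTOCOL_TLSv1_1` directly so a missing constant fails loudly regardless of `-O`), and if the setup.py check is considered sufficient, the comment should say so. The trailing context "On legacy stacks, the highest it likely goes is TLS 1.0" is already stale after this change; the following patch in the series removes it, and it could be folded in here.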



[PATCH 06 of 10 v2] tests: stop checking for optional, now impossible output

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590877556 -7200
#  Sun May 31 00:25:56 2020 +0200
# Node ID 0e08e9113869685dd452056179c05e51c467c348
# Parent  bb58183ab539f542382b7f175377e8bd69cc452a
# EXP-Topic require_modern_ssl
tests: stop checking for optional, now impossible output

The code that could output that line is dead code and will be removed.

diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -34,7 +34,6 @@ Make server certificates:
 cacert not found
 
   $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   abort: could not find web.cacerts: no-such.pem
   [255]
 
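Review bot: the commit message says "The code that could output that line is dead code" without naming it; stating that this is the TLS 1.0 legacy-security warning in sslutil (the one `hostsecurity.disabletls10warning` used to suppress, removed by patch 08 of this series) lets a reader connect the test change to the code change. Because the `(?)` marker made these lines optional, dropping them cannot break the test on either side of the code removal.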
@@ -58,7 +57,6 @@ we are able to load CA certs.
 
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
   [255]
@@ -68,7 +66,6 @@ Specifying a per-host certificate file t
 C:/path/to/msysroot will print on Windows.
 
   $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone 
https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   abort: path specified by hostsecurity.localhost:verifycertsfile does not 
exist: */does/not/exist (glob)
   [255]
 
@@ -76,7 +73,6 @@ A malformed per-host certificate file wi
 
   $ echo baddata > badca.pem
   $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone 
https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   abort: error loading CA file badca.pem: * (glob)
   (file is empty or malformed?)
   [255]
@@ -85,7 +81,6 @@ A per-host certificate mismatching the s
 
 (modern ssl is able to discern whether the loaded cert is a CA cert)
   $ hg --config 
hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone 
https://localhost:$HGPORT/
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (an attempt was made to load CA certificates but none were loaded; see 
https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial 
to avoid this error)
   (the full certificate chain may not be available locally; see "hg help 
debugssl") (windows !)
   abort: error: *certificate verify failed* (glob)
@@ -94,7 +89,6 @@ A per-host certificate mismatching the s
 A per-host certificate matching the server's cert will be accepted
 
   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" 
clone -U https://localhost:$HGPORT/ perhostgood1
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   requesting all changes
   adding changesets
   adding manifests
@@ -106,7 +100,6 @@ A per-host certificate with multiple cer
 
   $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
   $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U 
https://localhost:$HGPORT/ perhostgood2
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   requesting all changes
   adding changesets
   adding manifests
@@ -117,7 +110,6 @@ A per-host certificate with multiple cer
 Defining both per-host certificate and a fingerprint will print a warning
 
   $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" 
--config 
hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
 clone -U https://localhost:$HGPORT/ caandfingerwarning
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   (hostsecurity.localhost:verifycertsfile ignored when host fingerprints 
defined; using host fingerprints for verification)
   requesting all changes
   adding changesets
@@ -131,13 +123,11 @@ Defining both per-host certificate and a
 Inability to verify peer certificate will result in abort
 
   $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
-  warning: connecting to localhost using legacy security technology (TLS 1.0); 
see https://mercurial-scm.org/wiki/SecureConnections for more info (?)
   abort: unable to verify security of localhost (no loaded CA certificates); 
refusing to connect
   (see 

[PATCH 08 of 10 v2] config: remove unused hostsecurity.disabletls10warning config

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590877849 -7200
#  Sun May 31 00:30:49 2020 +0200
# Node ID 08796924bd51030b433408c755b1bd28d38393e8
# Parent  10a6978ae2f7de160e1468e5c434421ada5f3567
# EXP-Topic require_modern_ssl
config: remove unused hostsecurity.disabletls10warning config

diff --git a/mercurial/configitems.py b/mercurial/configitems.py
--- a/mercurial/configitems.py
+++ b/mercurial/configitems.py
@@ -808,9 +808,6 @@ coreconfigitem(
 b'hostsecurity', b'ciphers', default=None,
 )
 coreconfigitem(
-b'hostsecurity', b'disabletls10warning', default=False,
-)
-coreconfigitem(
 b'hostsecurity', b'minimumprotocol', default=dynamicdefault,
 )
 coreconfigitem(
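Review bot: the commit message is empty below the summary line; it should say that the only reader of this item, the `ui.configbool(b'hostsecurity', b'disabletls10warning')` call in `_hostsettings`, is removed by patch 07 of this series, since dropping the registration while a reader remained would leave an unregistered config lookup behind. Stating the ordering dependency in the message makes the series safe to apply or bisect piecewise.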
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -268,12 +268,6 @@ Test server cert which no longer is vali
   abort: error: *certificate verify failed* (glob)
   [255]
 
-Disabling the TLS 1.0 warning works
-  $ hg -R copy-pull id https://localhost:$HGPORT/ \
-  > --config 
hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
 \
-  > --config hostsecurity.disabletls10warning=true
-  5fed3813f7f5
-
 Setting ciphers to an invalid value aborts
   $ P="$CERTSDIR" hg --config hostsecurity.ciphers=invalid -R copy-pull id 
https://localhost:$HGPORT/
   abort: could not set ciphers: No cipher can be selected.
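Review bot: this hunk deletes the only visible `hg id` over an HTTPS URL pinned with `hostsecurity.localhost:fingerprints`; if no other block in test-https.t exercises fingerprint pinning with `hg id`, keep the command and its `5fed3813f7f5` expectation and drop just the `--config hostsecurity.disabletls10warning=true` line and the now-wrong "Disabling the TLS 1.0 warning works" title, rather than the whole test.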

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


[PATCH 10 of 10 v2] sslutil: remove fallback for `ssl` attributes that we can assume to be present

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590806514 -7200
#  Sat May 30 04:41:54 2020 +0200
# Node ID 15f8f319b5a41dbf68b2dfc308503128c37c61ab
# Parent  727c3b95f5ace64398c262b1093427d6d8a03815
# EXP-Topic require_modern_ssl
sslutil: remove fallback for `ssl` attributes that we can assume to be present

Two requirements need to be satisfied for this to work.

1) The Python version must support these attributes. I checked that this is
the case for Python 2.7.9 (which added `ssl.SSLContext`) and the version that
backported `ssl.SSLContext` to RHEL7.

2) The OpenSSL version Python is compiled against must support them. I checked
that OpenSSL 1.0.1, which we require for TLS 1.1 and TLS 1.2 support, supports
them.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -15,7 +15,6 @@ import re
 import ssl
 
 from .i18n import _
-from .pycompat import getattr
 from . import (
 encoding,
 error,
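Review bot: removing `from .pycompat import getattr` silently turns any `getattr` call still left in sslutil.py into the builtin, which on Python 3 rejects the bytes attribute names the pycompat wrapper converts; confirm that the `getattr(ssl, ...)` calls removed in the later hunks of this patch were the last uses in the module (for example `grep -n 'getattr(' mercurial/sslutil.py` after applying) before dropping the import.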
@@ -42,7 +41,7 @@ configprotocols = {
 b'tls1.2',
 }
 
-hassni = getattr(ssl, 'HAS_SNI', False)
+hassni = ssl.HAS_SNI
 
 supportedprotocols = {
 b'tls1.0',
@@ -260,8 +259,7 @@ def protocolsettings(protocol):
 raise error.Abort(_(b'this should not happen'))
 
 # Prevent CRIME.
-# There is no guarantee this attribute is defined on the module.
-options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+options |= ssl.OP_NO_COMPRESSION
 
 return ssl.PROTOCOL_SSLv23, options, protocol
 
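Review bot: `ssl.OP_NO_COMPRESSION` is only exported by `_ssl` when the interpreter was built against an OpenSSL that defines `SSL_OP_NO_COMPRESSION` (1.0.0 and later), which the OpenSSL 1.0.1 floor in the commit message covers, so dropping the `getattr(..., 0)` default is sound; the message should, however, name the attributes it verified (`HAS_SNI`, `OP_NO_COMPRESSION`, `OP_SINGLE_DH_USE`, `OP_SINGLE_ECDH_USE`, `OP_CIPHER_SERVER_PREFERENCE`, `_RESTRICTED_SERVER_CIPHERS`) instead of "these attributes", so a later reader can re-check the claim.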
@@ -502,13 +500,12 @@ def wrapserversocket(
 sslcontext.options |= options
 
 # Improve forward secrecy.
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
-sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+sslcontext.options |= ssl.OP_SINGLE_DH_USE
+sslcontext.options |= ssl.OP_SINGLE_ECDH_USE
 
-# Use the list of more secure ciphers if found in the ssl module.
-if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
-sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
-sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+# Use the list of more secure ciphers.
+sslcontext.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
+sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
 
 if requireclientcert:
 sslcontext.verify_mode = ssl.CERT_REQUIRED
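Review bot: `ssl._RESTRICTED_SERVER_CIPHERS` is a private, underscore-prefixed CPython attribute that PEP 466 never promised as API, so its presence does not follow from "Python 2.7.9 or the RHEL7 backport" the way the public `OP_*` constants do, and it can disappear in a later CPython release without a deprecation period; keep the `safehasattr` guard for this one attribute (or replace it with an explicit cipher string owned by Mercurial) and only drop the `getattr` defaults for `OP_SINGLE_DH_USE`, `OP_SINGLE_ECDH_USE` and `OP_CIPHER_SERVER_PREFERENCE`. Note also that from OpenSSL 1.1.0 on the two `OP_SINGLE_*` options are no-ops (single-use ephemeral keys are always on), so the "Improve forward secrecy." comment only describes older builds.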

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


[PATCH 00 of 10 v2] require ssl module to support TLS 1.1 and 1.2

2020-05-30 Thread Manuel Jacob

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


[PATCH 1 of 2 v3] relnotes: note that we now require modern SSL/TLS features in Python

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590873537 -7200
#  Sat May 30 23:18:57 2020 +0200
# Node ID d5441892eb22aa451bb479919e95f671e99857eb
# Parent  ed05581cec9e829ee4dd3daef8fc4fdd63f6ab54
# EXP-Topic require_modern_ssl
relnotes: note that we now require modern SSL/TLS features in Python

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -6,6 +6,9 @@
 
 == Backwards Compatibility Changes ==
 
+* Mercurial now requires at least Python 2.7.9 or a Python version that
+  backported modern SSL/TLS features (as defined in PEP 466).
+
 
 == Internal API Changes ==
 

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


[PATCH 07 of 10 v2] sslutil: simplify code, now that `supportedprotocols` is constant

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590798598 -7200
#  Sat May 30 02:29:58 2020 +0200
# Node ID 10a6978ae2f7de160e1468e5c434421ada5f3567
# Parent  0e08e9113869685dd452056179c05e51c467c348
# EXP-Topic require_modern_ssl
sslutil: simplify code, now that `supportedprotocols` is constant

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -93,27 +93,10 @@ def _hostsettings(ui, hostname):
 % b' '.join(sorted(configprotocols)),
 )
 
-# We default to TLS 1.1+ where we can because TLS 1.0 has known
-# vulnerabilities (like BEAST and POODLE). We allow users to downgrade to
-# TLS 1.0+ via config options in case a legacy server is encountered.
-if b'tls1.1' in supportedprotocols:
-defaultprotocol = b'tls1.1'
-else:
-# Let people know they are borderline secure.
-# We don't document this config option because we want people to see
-# the bold warnings on the web site.
-# internal config: hostsecurity.disabletls10warning
-if not ui.configbool(b'hostsecurity', b'disabletls10warning'):
-ui.warn(
-_(
-b'warning: connecting to %s using legacy security '
-b'technology (TLS 1.0); see '
-b'https://mercurial-scm.org/wiki/SecureConnections for '
-b'more info\n'
-)
-% bhostname
-)
-defaultprotocol = b'tls1.0'
+# We default to TLS 1.1+ because TLS 1.0 has known vulnerabilities (like
+# BEAST and POODLE). We allow users to downgrade to TLS 1.0+ via config
+# options in case a legacy server is encountered.
+defaultprotocol = b'tls1.1'
 
 key = b'minimumprotocol'
 protocol = ui.config(b'hostsecurity', key, defaultprotocol)
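Review bot: with the `ui.warn(...)` block gone, `bhostname` is no longer referenced in this hunk; check that `_hostsettings` still uses it further down, otherwise it is now a dead local. Since `defaultprotocol` is the constant `b'tls1.1'` after this change, consider whether `hostsecurity.minimumprotocol`, currently registered with `default=dynamicdefault` in configitems.py, can carry that default directly instead of it being passed to `ui.config` here.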
@@ -262,18 +245,6 @@ def protocolsettings(protocol):
 # only (as opposed to multiple versions). So the method for
 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
 # disable protocols via SSLContext.options and OP_NO_* constants.
-if supportedprotocols == {b'tls1.0'}:
-if protocol != b'tls1.0':
-raise error.Abort(
-_(b'current Python does not support protocol setting %s')
-% protocol,
-hint=_(
-b'upgrade Python or disable setting since '
-b'only TLS 1.0 is supported'
-),
-)
-
-return ssl.PROTOCOL_TLSv1, 0, b'tls1.0'
 
 # SSLv2 and SSLv3 are broken. We ban them outright.
 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
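Review bot: after this removal the comment ending "disable protocols via SSLContext.options and OP_NO_* constants." runs straight into the "SSLv2 and SSLv3 are broken. We ban them outright." comment with no code between them; fold the two into one comment so the explanation reads as a single thought. The removed block was also the only visible consumer of `supportedprotocols` in `protocolsettings`; if the validation in `_hostsettings` is its last remaining reader, say so in the commit message (the set is still defined in patch 10's hunk) or reduce it to a comment.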
@@ -516,12 +487,8 @@ def wrapserversocket(
 if exactprotocol == b'tls1.0':
 protocol = ssl.PROTOCOL_TLSv1
 elif exactprotocol == b'tls1.1':
-if b'tls1.1' not in supportedprotocols:
-raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_1
 elif exactprotocol == b'tls1.2':
-if b'tls1.2' not in supportedprotocols:
-raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_2
 elif exactprotocol:
 raise error.Abort(
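Review bot: dropping the "TLS 1.1 not supported by this Python" and "TLS 1.2 not supported by this Python" aborts assumes both `ssl.PROTOCOL_TLSv1_1` and `ssl.PROTOCOL_TLSv1_2` exist, but the setup.py check in patch 2 of 2 v3 only requires one of them, and its commit message explicitly allows for a Python with just one; on such a build `exactprotocol = b'tls1.2'` now dies with an AttributeError instead of a clean abort with a hint. Either require both at setup time or keep these two guards, which cost one attribute lookup each.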

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


[PATCH 2 of 2 v3] setup: require that Python has TLS 1.1 or TLS 1.2

2020-05-30 Thread Manuel Jacob
# HG changeset patch
# User Manuel Jacob 
# Date 1590874939 -7200
#  Sat May 30 23:42:19 2020 +0200
# Node ID 9590fdc527eb7c96c252af5b471da6f33bb1295f
# Parent  d5441892eb22aa451bb479919e95f671e99857eb
# EXP-Topic require_modern_ssl
setup: require that Python has TLS 1.1 or TLS 1.2

This increases the minimum security baseline of Mercurial (up from TLS 1.0)
and enables us to remove compatibility code that downgrades security if these
features are not available.

It is reasonable to expect that distributions having Python 2.7.9+ or having
backported modern features to the ssl module (which we require) have an OpenSSL
version supporting TLS 1.1 or TLS 1.2, as this is the main reason why
distributions would want to backport these features.

In practice, TLS 1.1 and TLS 1.2 are either both enabled or both not enabled.
However, it is imaginable that only one of them is enabled.

ssl.HAS_TLSv1_1 / ssl.HAS_TLSv1_2 are preferred to check support but they were
added in Python 3.7. ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 were
deprecated in Python 3.6, but checking their presence is good enough for older
Python versions.

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -7,7 +7,9 @@
 == Backwards Compatibility Changes ==
 
 * Mercurial now requires at least Python 2.7.9 or a Python version that
-  backported modern SSL/TLS features (as defined in PEP 466).
+  backported modern SSL/TLS features (as defined in PEP 466), and that Python
+  was compiled against a OpenSSL version supporting TLS 1.1 or TLS 1.2
+  (likely this requires the OpenSSL version to be at least 1.0.1).
 
 
 == Internal API Changes ==
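Review bot: "compiled against a OpenSSL version" should read "an OpenSSL version". The hedge "(likely this requires the OpenSSL version to be at least 1.0.1)" can also be stated plainly: TLS 1.1 and TLS 1.2 support arrived in OpenSSL 1.0.1, which is the version the patch 10 commit message already names as the floor.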
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -98,6 +98,21 @@ features.
 printf(error, file=sys.stderr)
 sys.exit(1)
 
+if not any(
+[
+getattr(ssl, 'HAS_TLSv1_1', hasattr(ssl, 'PROTOCOL_TLSv1_1')),
+getattr(ssl, 'HAS_TLSv1_2', hasattr(ssl, 'PROTOCOL_TLSv1_2')),
+]
+):
+error = """
+The `ssl` module does not advertise support for TLS 1.1 or TLS 1.2.
+Please make sure that your Python installation was compiled against an OpenSSL
+version enabling these features (likely this requires the OpenSSL version to
+be at least 1.0.1).
+"""
+printf(error, file=sys.stderr)
+sys.exit(1)
+
 if sys.version_info[0] >= 3:
 DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:
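Review bot: `any([...])` accepts an interpreter that has only one of the two protocols, yet patch 07 of this series removes sslutil's per-version guards and treats `supportedprotocols` as a constant containing both, so the build-time check is weaker than what the runtime code now assumes; use `all(...)` (and change the error text to "TLS 1.1 and TLS 1.2") or keep the runtime guards. A setup-time check also does not cover an installation whose Python or OpenSSL is swapped after installation, so sslutil should still fail with a readable abort at import rather than an AttributeError. Minor: the list literal inside `any()` can be a plain tuple or generator.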

___
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
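As an added example for the whole series (my code, not Mercurial's and not part of any patch above), the following Python puts together the mechanisms these patches rely on: the setup.py-style feature check for TLS 1.1/1.2 that works on Pythons before and after 3.7, the "negotiate with PROTOCOL_SSLv23 and ban versions with OP_NO_* flags" approach that the sslutil comments describe for enforcing `hostsecurity.minimumprotocol`, and the server-side hardening from the `wrapserversocket` hunk. Function names, the `_BAN_FLAGS` table and the fallback cipher string are this example's own assumptions; it keeps a guard around the private `_RESTRICTED_SERVER_CIPHERS` attribute, which is the caveat raised against patch 10.

```python
# Added example: my code, not Mercurial's and not part of any patch in this
# thread.  It combines the mechanisms the series relies on: the setup.py-style
# feature check for TLS 1.1/1.2 across Python versions, the PROTOCOL_SSLv23 +
# OP_NO_* way of enforcing a minimum protocol that the sslutil comments
# describe, and the server hardening from the wrapserversocket hunk.
# Function names, _BAN_FLAGS and the fallback cipher string are assumptions.
import ssl
import warnings

PROTOCOLS = ('tls1.0', 'tls1.1', 'tls1.2')
_BAN_FLAGS = {
    'ssl3': ssl.OP_NO_SSLv3,
    'tls1.0': ssl.OP_NO_TLSv1,
    'tls1.1': ssl.OP_NO_TLSv1_1,
    'tls1.2': ssl.OP_NO_TLSv1_2,
}
# The auto-negotiating method: PROTOCOL_SSLv23, renamed PROTOCOL_TLS in 3.6.
_NEGOTIATE = getattr(ssl, 'PROTOCOL_TLS', None) or ssl.PROTOCOL_SSLv23


def tls_support():
    """Return {'tls1.1': bool, 'tls1.2': bool} for the running interpreter.

    ssl.HAS_TLSv1_1/HAS_TLSv1_2 (Python >= 3.7) reflect the linked OpenSSL;
    older Pythons only reveal support via the PROTOCOL_TLSv1_* constants.
    """
    return {
        'tls1.1': bool(getattr(ssl, 'HAS_TLSv1_1', hasattr(ssl, 'PROTOCOL_TLSv1_1'))),
        'tls1.2': bool(getattr(ssl, 'HAS_TLSv1_2', hasattr(ssl, 'PROTOCOL_TLSv1_2'))),
    }


def meets_baseline(support=None):
    """The setup.py rule: at least one of TLS 1.1 / TLS 1.2 must be present."""
    if support is None:
        support = tls_support()
    return any(support.values())


def protocol_options(minimum):
    """SSLContext.options bits that enforce `minimum` as the protocol floor.

    PROTOCOL_SSLv23 negotiates the highest version both sides support, so a
    floor is expressed by banning every version below it.  SSLv2/SSLv3 are
    always banned and TLS compression is disabled (CRIME).
    """
    if minimum not in PROTOCOLS:
        raise ValueError('unsupported minimum protocol: %r' % (minimum,))
    options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    for name in PROTOCOLS[:PROTOCOLS.index(minimum)]:
        options |= _BAN_FLAGS[name]
    return options


def banned_versions(options):
    """Names of the versions an options bitmask forbids (handy for checks)."""
    return sorted(name for name, flag in _BAN_FLAGS.items() if options & flag)


def _negotiating_context(minimum):
    with warnings.catch_warnings():
        # Python >= 3.10 deprecates PROTOCOL_TLS and OP_NO_* in favour of
        # minimum_version; they still work, so just silence the warnings.
        warnings.simplefilter('ignore', DeprecationWarning)
        ctx = ssl.SSLContext(_NEGOTIATE)
        ctx.options |= protocol_options(minimum)
    return ctx


def make_client_context(minimum='tls1.1'):
    """Client context with the given floor and full certificate verification."""
    ctx = _negotiating_context(minimum)
    ctx.verify_mode = ssl.CERT_REQUIRED  # must be set before check_hostname
    ctx.check_hostname = True
    return ctx


def make_server_context(minimum='tls1.1'):
    """Server context with the floor plus the wrapserversocket hardening.

    ssl._RESTRICTED_SERVER_CIPHERS is a private CPython attribute, so unlike
    the patch this keeps a fallback (an assumed cipher string).  The
    OP_SINGLE_(EC)DH_USE constants are 0 on OpenSSL >= 1.1.0, where ephemeral
    keys are always single-use, so nothing should assert on them.
    """
    ctx = _negotiating_context(minimum)
    with warnings.catch_warnings():
        warnings.simplefilter('ignore', DeprecationWarning)
        ctx.options |= ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(getattr(ssl, '_RESTRICTED_SERVER_CIPHERS',
                            'ECDHE+AESGCM:!aNULL:!MD5'))
    return ctx


if __name__ == '__main__':
    print('TLS support:', tls_support(), '-> baseline met:', meets_baseline())
    for floor in PROTOCOLS:
        print('minimum %s bans %s' % (floor, banned_versions(protocol_options(floor))))
    print('server ciphers:', [c['name'] for c in make_server_context().get_ciphers()][:4])
```

Running the module prints what the interpreter supports and which versions each floor bans; the design point is that the floor lives in `protocol_options`, so the same table drives both the client and the server context and a typo in a config value fails loudly in `ValueError` instead of silently negotiating TLS 1.0.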