Re: [PATCH v4] sslutil-add tls 1.3 support - done during IETF101 Hackathon

2018-04-08 Thread Yuya Nishihara
On Sun, 8 Apr 2018 09:51:45 +0400, Codarren Velvindron wrote:
> # HG changeset patch
> # User Codarren Velvindron 
> # Date 1523166519 -14400
> #  Sun Apr 08 09:48:39 2018 +0400
> # Node ID 5df15ef67ce1674a8f408058cd953de5ab9601cf
> # Parent  632b928992039afe96df8f99a8dec6127ff983f1
> slutil: add tls 1.3 support

> -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
> +# TLS 1.1,1.2 and 1.3 may not be supported if the OpenSSL Python is compiled
>  # against doesn't support them.
>  supportedprotocols = {'tls1.0'}
>  if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'):
>  supportedprotocols.add('tls1.1')
>  if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'):
>  supportedprotocols.add('tls1.2')
> +if util.safehasattr(ssl, 'PROTOCOL_TLS'):
> +supportedprotocols.add('tls1.3')

PROTOCOL_TLS doesn't mean the Python supports TLS 1.3.

https://docs.python.org/2.7/library/ssl.html#ssl.PROTOCOL_TLS

Perhaps HAS_TLSv1_3 can be used instead.

  if getattr(ssl, 'HAS_TLSv1_3', False)

https://docs.python.org/2.7/library/ssl.html#ssl.HAS_TLSv1_3

> @@ -542,6 +547,10 @@
>  if 'tls1.2' not in supportedprotocols:
>  raise error.Abort(_('TLS 1.2 not supported by this Python'))
>  protocol = ssl.PROTOCOL_TLSv1_2
> +elif exactprotocol == 'tls1.3':
> +if 'tls1.3' not in supportedprotocols:
> +raise error.Abort(_('TLS 1.3 not supported by this Python'))
> +protocol = ssl.PROTOCOL_TLSv1_3

Undefined. I have no idea how to enforce the TLS 1.3 here.

Did you run the tests? Since you're adding a feature that depends on an unreleased
Python, you'll have to build Python from source.


[PATCH v4] sslutil-add tls 1.3 support - done during IETF101 Hackathon

2018-04-08 Thread Codarren Velvindron
# HG changeset patch
# User Codarren Velvindron 
# Date 1523166519 -14400
#  Sun Apr 08 09:48:39 2018 +0400
# Node ID 5df15ef67ce1674a8f408058cd953de5ab9601cf
# Parent  632b928992039afe96df8f99a8dec6127ff983f1
sslutil: add tls 1.3 support

Done during the IETF101 Hackathon.

diff -r 632b92899203 -r 5df15ef67ce1 mercurial/help/config.txt
--- a/mercurial/help/config.txt Sat Apr 07 21:26:37 2018 +0900
+++ b/mercurial/help/config.txt Sun Apr 08 09:48:39 2018 +0400
@@ -1163,7 +1163,7 @@
 By default, the highest version of TLS supported by both client and server
 is used.
 
-Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``.
+Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``, ``tls1.3``.
 
 When running on an old Python version, only ``tls1.0`` is allowed since
 old versions of Python only support up to TLS 1.0.
diff -r 632b92899203 -r 5df15ef67ce1 mercurial/sslutil.py
--- a/mercurial/sslutil.py  Sat Apr 07 21:26:37 2018 +0900
+++ b/mercurial/sslutil.py  Sun Apr 08 09:48:39 2018 +0400
@@ -38,17 +38,20 @@
 'tls1.0',
 'tls1.1',
 'tls1.2',
+'tls1.3',
 }
 
 hassni = getattr(ssl, 'HAS_SNI', False)
 
-# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
+# TLS 1.1,1.2 and 1.3 may not be supported if the OpenSSL Python is compiled
 # against doesn't support them.
 supportedprotocols = {'tls1.0'}
 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'):
 supportedprotocols.add('tls1.1')
 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'):
 supportedprotocols.add('tls1.2')
+if util.safehasattr(ssl, 'PROTOCOL_TLS'):
+supportedprotocols.add('tls1.3')
 
 try:
 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
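Review bot: The rewritten comment above the `supportedprotocols` block reads `TLS 1.1,1.2 and 1.3`, missing the space after the first comma; make it `# TLS 1.1, 1.2 and 1.3 may not be supported if the OpenSSL Python is compiled`. The same line recurs in the reposted copy of this patch further down the page.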
@@ -293,7 +296,7 @@
 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
 # that both ends support, including TLS protocols. On legacy stacks,
 # the highest it likely goes is TLS 1.0. On modern stacks, it can
-# support TLS 1.2.
+# support TLS 1.2 or TLS 1.3.
 #
 # The PROTOCOL_TLSv* constants select a specific TLS version
 # only (as opposed to multiple versions). So the method for
@@ -323,6 +326,8 @@
 options |= ssl.OP_NO_TLSv1
 elif protocol == 'tls1.2':
 options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+elif protocol == 'tls1.3':
+options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
 else:
 raise error.Abort(_('this should not happen'))
 
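Review bot: The new `elif protocol == 'tls1.3'` branch would benefit from a why-comment, because unlike the branches above it leaves no higher version to fall back to: `# Disabling 1.0-1.2 leaves TLS 1.3 as the only version this context can negotiate.` With those three flags set, a peer lacking TLS 1.3 fails at handshake time (the "could not negotiate a common security protocol" path exercised in test-https.t) rather than at the `supportedprotocols` check. The branch also reads `ssl.OP_NO_TLSv1_2` without the `util.safehasattr` guard this module applies to its `PROTOCOL_TLSv1_*` constants; whether it can be reached on a build lacking that attribute depends on validation outside this hunk, so please confirm. The enclosing function extends beyond this hunk on both sides, and the same lines recur in the reposted copy of the patch further down the page.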
@@ -542,6 +547,10 @@
 if 'tls1.2' not in supportedprotocols:
 raise error.Abort(_('TLS 1.2 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_2
+elif exactprotocol == 'tls1.3':
+if 'tls1.3' not in supportedprotocols:
+raise error.Abort(_('TLS 1.3 not supported by this Python'))
+protocol = ssl.PROTOCOL_TLSv1_3
 elif exactprotocol:
 raise error.Abort(_('invalid value for serverexactprotocol: %s') %
   exactprotocol)
diff -r 632b92899203 -r 5df15ef67ce1 tests/hghave.py
--- a/tests/hghave.py   Sat Apr 07 21:26:37 2018 +0900
+++ b/tests/hghave.py   Sun Apr 08 09:48:39 2018 +0400
@@ -523,6 +523,11 @@
 from mercurial import sslutil
 return 'tls1.2' in sslutil.supportedprotocols
 
+@check("tls1.3", "TLS 1.3 protocol support")
+def has_tls1_3():
+from mercurial import sslutil
+return 'tls1.3' in sslutil.supportedprotocols
+
 @check("windows", "Windows")
 def has_windows():
 return os.name == 'nt'
diff -r 632b92899203 -r 5df15ef67ce1 tests/test-https.t
--- a/tests/test-https.tSat Apr 07 21:26:37 2018 +0900
+++ b/tests/test-https.tSun Apr 08 09:48:39 2018 +0400
@@ -536,6 +536,61 @@
   $ killdaemons.py hg2.pid
 #endif
 
+#if sslcontext tls1.3
+Start servers running supported TLS versions
+
+  $ cd test
+  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
+  > --config devel.serverexactprotocol=tls1.0
+  $ cat ../hg0.pid >> $DAEMON_PIDS
+  $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
+  > --config devel.serverexactprotocol=tls1.3
+  $ cat ../hg1.pid >> $DAEMON_PIDS
+  $ cd ..
+
+Clients talking same TLS versions work
+
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id 
https://localhost:$HGPORT/
+  5fed3813f7f5
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id 
https://localhost:$HGPORT1/
+  5fed3813f7f5
+
+Clients requiring newer TLS version than what server supports fail
+
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id 
https://localhost:$HGPORT/
+  (could not negotiate a common security protocol (tls1.3+) with localhost; 
the likely cause is Mercurial is configured to be more secure than the server 
can support)
+  (consider contacting the operator of this server and ask them to support 
modern TLS protocol versions; or, set 
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less 
secure protocols when communicating with this ser

[PATCH v4] sslutil-add tls 1.3 support - done during IETF101 Hackathon

2018-04-07 Thread Codarren Velvindron
# HG changeset patch
# User Codarren Velvindron 
# Date 1523166519 -14400
#  Sun Apr 08 09:48:39 2018 +0400
# Node ID 5df15ef67ce1674a8f408058cd953de5ab9601cf
# Parent  632b928992039afe96df8f99a8dec6127ff983f1
sslutil: add tls 1.3 support

Done during the IETF101 Hackathon.

diff -r 632b92899203 -r 5df15ef67ce1 mercurial/help/config.txt
--- a/mercurial/help/config.txt Sat Apr 07 21:26:37 2018 +0900
+++ b/mercurial/help/config.txt Sun Apr 08 09:48:39 2018 +0400
@@ -1163,7 +1163,7 @@
 By default, the highest version of TLS supported by both client and server
 is used.
 
-Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``.
+Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``, ``tls1.3``.
 
 When running on an old Python version, only ``tls1.0`` is allowed since
 old versions of Python only support up to TLS 1.0.
diff -r 632b92899203 -r 5df15ef67ce1 mercurial/sslutil.py
--- a/mercurial/sslutil.py  Sat Apr 07 21:26:37 2018 +0900
+++ b/mercurial/sslutil.py  Sun Apr 08 09:48:39 2018 +0400
@@ -38,17 +38,20 @@
 'tls1.0',
 'tls1.1',
 'tls1.2',
+'tls1.3',
 }
 
 hassni = getattr(ssl, 'HAS_SNI', False)
 
-# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled
+# TLS 1.1,1.2 and 1.3 may not be supported if the OpenSSL Python is compiled
 # against doesn't support them.
 supportedprotocols = {'tls1.0'}
 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_1'):
 supportedprotocols.add('tls1.1')
 if util.safehasattr(ssl, 'PROTOCOL_TLSv1_2'):
 supportedprotocols.add('tls1.2')
+if util.safehasattr(ssl, 'PROTOCOL_TLS'):
+supportedprotocols.add('tls1.3')
 
 try:
 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
@@ -293,7 +296,7 @@
 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
 # that both ends support, including TLS protocols. On legacy stacks,
 # the highest it likely goes is TLS 1.0. On modern stacks, it can
-# support TLS 1.2.
+# support TLS 1.2 or TLS 1.3.
 #
 # The PROTOCOL_TLSv* constants select a specific TLS version
 # only (as opposed to multiple versions). So the method for
@@ -323,6 +326,8 @@
 options |= ssl.OP_NO_TLSv1
 elif protocol == 'tls1.2':
 options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+elif protocol == 'tls1.3':
+options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
 else:
 raise error.Abort(_('this should not happen'))
 
@@ -542,6 +547,10 @@
 if 'tls1.2' not in supportedprotocols:
 raise error.Abort(_('TLS 1.2 not supported by this Python'))
 protocol = ssl.PROTOCOL_TLSv1_2
+elif exactprotocol == 'tls1.3':
+if 'tls1.3' not in supportedprotocols:
+raise error.Abort(_('TLS 1.3 not supported by this Python'))
+protocol = ssl.PROTOCOL_TLSv1_3
 elif exactprotocol:
 raise error.Abort(_('invalid value for serverexactprotocol: %s') %
   exactprotocol)
diff -r 632b92899203 -r 5df15ef67ce1 tests/hghave.py
--- a/tests/hghave.py   Sat Apr 07 21:26:37 2018 +0900
+++ b/tests/hghave.py   Sun Apr 08 09:48:39 2018 +0400
@@ -523,6 +523,11 @@
 from mercurial import sslutil
 return 'tls1.2' in sslutil.supportedprotocols
 
+@check("tls1.3", "TLS 1.3 protocol support")
+def has_tls1_3():
+from mercurial import sslutil
+return 'tls1.3' in sslutil.supportedprotocols
+
 @check("windows", "Windows")
 def has_windows():
 return os.name == 'nt'
diff -r 632b92899203 -r 5df15ef67ce1 tests/test-https.t
--- a/tests/test-https.tSat Apr 07 21:26:37 2018 +0900
+++ b/tests/test-https.tSun Apr 08 09:48:39 2018 +0400
@@ -536,6 +536,61 @@
   $ killdaemons.py hg2.pid
 #endif
 
+#if sslcontext tls1.3
+Start servers running supported TLS versions
+
+  $ cd test
+  $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
+  > --config devel.serverexactprotocol=tls1.0
+  $ cat ../hg0.pid >> $DAEMON_PIDS
+  $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
+  > --config devel.serverexactprotocol=tls1.3
+  $ cat ../hg1.pid >> $DAEMON_PIDS
+  $ cd ..
+
+Clients talking same TLS versions work
+
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id 
https://localhost:$HGPORT/
+  5fed3813f7f5
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id 
https://localhost:$HGPORT1/
+  5fed3813f7f5
+
+Clients requiring newer TLS version than what server supports fail
+
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id 
https://localhost:$HGPORT/
+  (could not negotiate a common security protocol (tls1.3+) with localhost; 
the likely cause is Mercurial is configured to be more secure than the server 
can support)
+  (consider contacting the operator of this server and ask them to support 
modern TLS protocol versions; or, set 
hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less 
secure protocols when communicating with this ser