On Sat, May 30, 2020 at 6:36 AM Yuya Nishihara <y...@tcha.org> wrote:
> On Sat, 30 May 2020 07:52:22 +0200, Manuel Jacob wrote: > > # HG changeset patch > > # User Manuel Jacob <m...@manueljacob.de> > > # Date 1590783568 -7200 > > # Fri May 29 22:19:28 2020 +0200 > > # Node ID 38f91fbf3f53237e4f5b7fd382f72cfab5e2c8fd > > # Parent 13922e383d20ca51752a2c3bd16429a5b0e30397 > > # EXP-Topic require_modern_ssl > > sslutil: assert that the Python we run on supports TLS 1.1 and TLS 1.2 > > > > diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py > > --- a/mercurial/sslutil.py > > +++ b/mercurial/sslutil.py 
> > @@ -44,13 +44,18 @@ configprotocols = { > > > > hassni = getattr(ssl, 'HAS_SNI', False) > > > > -# TLS 1.1 and 1.2 may not be supported if the OpenSSL Python is compiled > > -# against doesn't support them. > > -supportedprotocols = {b'tls1.0'} > > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_1'): > > - supportedprotocols.add(b'tls1.1') > > -if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'): > > - supportedprotocols.add(b'tls1.2') > > +# TLS 1.1 and 1.2 are supported since OpenSSL 1.0.1, released on > 2012-03-14. > > +# OpenSSL 1.0.0 is EOL since 2015-12-31. It is reasonable to expect that > > +# distributions having Python 2.7.9+ or having backported modern > features to > > +# the ssl module (which we require) have OpenSSL 1.0.1+. To be sure, we > assert > > +# that support is actually present. > > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_1') > > +assert util.safehasattr(ssl, b'PROTOCOL_TLSv1_2')
>
> Can we expect that old RHEL/CentOS migrated to OpenSSL 1.0.1+?
> I hope they did, but I'm not sure.
>
> Also, raising AssertionError at import time might break client code, which
> would expect ImportError/AttributeError on import error.

Agreed that we want to avoid the AssertionError at import time. I would refactor all the code for validating the sanity of the `ssl` module into a single function (perhaps the one that constructs an SSLContext) and have it abort if we fail to meet security requirements. That way we won't get an error until we actually attempt an operation that requires ssl. This feels better than running code at module import time, which can slow down code paths that don't need it.

Regarding the minimum versions, given that TLS 1.2 is the minimum TLS version to be reasonably secure in 2020, I would strongly prefer requiring it by default. I'm not opposed to a config option to allow TLS 1.0 and 1.1 for the legacy environments that can't do better. Just as long as we document that it weakens security.
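Review bot: replacing the feature detection with two bare `assert` statements at module scope turns a missing `PROTOCOL_TLSv1_1`/`PROTOCOL_TLSv1_2` into an AssertionError raised the moment `mercurial.sslutil` is imported, and under `python -O` the asserts are stripped entirely, so the check silently disappears and the missing attribute only surfaces later as an AttributeError in whatever code touches it. Suggest moving the check into the function that builds the SSLContext and raising a descriptive error there (e.g. `raise error.Abort(_(b'Python ssl module lacks TLS 1.1/1.2 support'))`), so callers get a clear message only when TLS is actually needed. Also, the hunk deletes `supportedprotocols` but the visible lines do not show its remaining consumers being updated; worth confirming that nothing else in sslutil.py still references it.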
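The lazy-validation layout the reply proposes, written out as an added illustration that is not Mercurial's sslutil.py. `SSLSupportError`, `PROTOCOL_FLOORS`, `stub_ssl_module`, `build_client_context` and the byte-string config values are assumptions standing in for Mercurial's `error.Abort` and config plumbing; the block assumes Python 3.7+ for `ssl.TLSVersion` and `SSLContext.minimum_version`. Nothing runs at import time except building a lookup table; the capability check and the TLS floor are applied only when a context is actually requested, and the weaker floors exist solely for the legacy environments the reply mentions.

```python
"""Validate the ssl module on demand, not at import time (added illustration)."""
import ssl
import types

# Attributes the ssl module must expose for TLS 1.1 and 1.2 support.
REQUIRED_ATTRS = ('PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1_2')

# Hypothetical config values -> TLS floor. b'tls1.2' is the default; the two
# weaker settings only exist for legacy peers and lower the security of the
# connection (the "document that it weakens security" caveat from the reply).
PROTOCOL_FLOORS = {
    b'tls1.0': ssl.TLSVersion.TLSv1,
    b'tls1.1': ssl.TLSVersion.TLSv1_1,
    b'tls1.2': ssl.TLSVersion.TLSv1_2,
}


class SSLSupportError(RuntimeError):
    """Stand-in for Mercurial's error.Abort: a descriptive failure raised only
    when an SSL operation is attempted, never while the module is imported,
    and never stripped by python -O the way a bare assert would be."""


def missing_tls_support(sslmod=ssl):
    """Return the names from REQUIRED_ATTRS that `sslmod` does not provide."""
    return [name for name in REQUIRED_ATTRS if not hasattr(sslmod, name)]


def check_ssl_support(sslmod=ssl):
    """Abort with a readable message if the ssl module cannot do TLS 1.1/1.2."""
    missing = missing_tls_support(sslmod)
    if missing:
        raise SSLSupportError(
            'Python ssl module lacks %s; TLS 1.1/1.2 support requires '
            'OpenSSL 1.0.1+ (released 2012-03-14)' % ', '.join(missing))


def minimum_version_for(protocol=b'tls1.2'):
    """Map a (hypothetical) config value to the TLS floor; reject unknown values
    instead of silently falling back to something weaker."""
    try:
        return PROTOCOL_FLOORS[protocol]
    except KeyError:
        raise SSLSupportError('unsupported minimum protocol %r' % (protocol,))


def build_client_context(protocol=b'tls1.2', sslmod=ssl):
    """The single place that validates the ssl module and applies the floor.

    `sslmod` is only consulted for the capability check so the failure path
    can be exercised with a stub; the context itself always comes from the
    real ssl module.
    """
    check_ssl_support(sslmod)
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum_version_for(protocol)
    return ctx


def stub_ssl_module(*attrs):
    """Constructed stand-in for an ssl module exposing only `attrs`."""
    return types.SimpleNamespace(**{name: object() for name in attrs})


if __name__ == '__main__':
    # Importing this module checked nothing; the checks happen here.
    print('old ssl module lacks:', missing_tls_support(stub_ssl_module()))
    ctx = build_client_context()
    print('default floor:', ctx.minimum_version)
    try:
        build_client_context(sslmod=stub_ssl_module('PROTOCOL_TLSv1_1'))
    except SSLSupportError as exc:
        print('abort on demand:', exc)
```

The only state created at import is the `PROTOCOL_FLOORS` table; a caller on a Python whose `ssl` lacks the TLS 1.1/1.2 constants can still import the module, and gets the descriptive `SSLSupportError` only from `build_client_context`, which is the point Yuya raised about client code expecting import to succeed.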
_______________________________________________ Mercurial-devel mailing list Mercurial-devel@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel