Mercurial > hg
comparison mercurial/help/config.txt @ 29559:7dec5e441bf7
sslutil: config option to specify TLS protocol version
Currently, Mercurial will use TLS 1.0 or newer when connecting to
remote servers, selecting the highest TLS version supported by both
peers. On older Pythons, only TLS 1.0 is available. On newer Pythons,
TLS 1.1 and 1.2 should be available.
Security-minded people may want to not take any risks running
TLS 1.0 (or even TLS 1.1). This patch gives those people a config
option to explicitly control which TLS versions Mercurial should use.
By providing this option, one can require newer TLS versions
before they are formally deprecated by Mercurial/Python/OpenSSL/etc
and lower their security exposure. This option also provides an
easy mechanism to change protocol policies in Mercurial. If there
is a 0-day and TLS 1.0 is completely broken, we can act quickly
without changing much code.
Because setting the minimum TLS protocol is something you'll likely
want to do globally, this patch introduces a global config option under
[hostsecurity] for that purpose.
wrapserversocket() has been taught a hidden config option to define
the explicit protocol to use. This is queried in this function and
not passed as an argument because I don't want to expose this dangerous
option as part of the Python API. There is a risk someone could footgun
themselves. But the config option is a devel option, has a warning
comment, and I doubt most people are using `hg serve` to run a
production HTTPS server (I would have something not Mercurial/Python
handle TLS). If this is problematic, we can go back to using a
custom extension in tests to coerce the server into bad behavior.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Thu, 14 Jul 2016 20:47:22 -0700 |
| parents | c4fc33c477da |
| children | 303e9300772a |
comparison
equal
deleted
inserted
replaced
| 29558:a935cd7d51a6 | 29559:7dec5e441bf7 |
|---|---|
| 998 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 | 998 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
| 999 | 999 |
| 1000 ``hostsecurity`` | 1000 ``hostsecurity`` |
| 1001 ---------------- | 1001 ---------------- |
| 1002 | 1002 |
| 1003 Used to specify per-host security settings. | 1003 Used to specify global and per-host security settings for connecting to |
| 1004 | 1004 other machines. |
| 1005 Options in this section have the form ``hostname``:``setting``. This allows | 1005 |
| 1006 multiple settings to be defined on a per-host basis. | 1006 The following options control default behavior for all hosts. |
| 1007 | |
| 1008 ``minimumprotocol`` | |
| 1009 Defines the minimum channel encryption protocol to use. | |
| 1010 | |
| 1011 By default, the highest version of TLS - 1.0 or greater - supported by | |
| 1012 both client and server is used. | |
| 1013 | |
| 1014 Allowed values are: ``tls1.0`` (the default), ``tls1.1``, ``tls1.2``. | |
| 1015 | |
| 1016 Options in the ``[hostsecurity]`` section can have the form | |
| 1017 ``hostname``:``setting``. This allows multiple settings to be defined on a | |
| 1018 per-host basis. | |
| 1007 | 1019 |
| 1008 The following per-host settings can be defined. | 1020 The following per-host settings can be defined. |
| 1009 | 1021 |
| 1010 ``fingerprints`` | 1022 ``fingerprints`` |
| 1011 A list of hashes of the DER encoded peer/remote certificate. Values have | 1023 A list of hashes of the DER encoded peer/remote certificate. Values have |
| 1024 This can provide stronger security than traditional CA-based validation | 1036 This can provide stronger security than traditional CA-based validation |
| 1025 at the expense of convenience. | 1037 at the expense of convenience. |
| 1026 | 1038 |
| 1027 This option takes precedence over ``verifycertsfile``. | 1039 This option takes precedence over ``verifycertsfile``. |
| 1028 | 1040 |
| 1041 ``minimumprotocol`` | |
| 1042 This behaves like ``minimumprotocol`` as described above except it | |
| 1043 only applies to the host on which it is defined. | |
| 1044 | |
| 1029 ``verifycertsfile`` | 1045 ``verifycertsfile`` |
| 1030 Path to file a containing a list of PEM encoded certificates used to | 1046 Path to file a containing a list of PEM encoded certificates used to |
| 1031 verify the server certificate. Environment variables and ``~user`` | 1047 verify the server certificate. Environment variables and ``~user`` |
| 1032 constructs are expanded in the filename. | 1048 constructs are expanded in the filename. |
| 1033 | 1049 |
| 1055 | 1071 |
| 1056 [hostsecurity] | 1072 [hostsecurity] |
| 1057 hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2 | 1073 hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2 |
| 1058 hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 | 1074 hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33 |
| 1059 foo.example.com:verifycertsfile = /etc/ssl/trusted-ca-certs.pem | 1075 foo.example.com:verifycertsfile = /etc/ssl/trusted-ca-certs.pem |
| 1076 | |
| 1077 To change the default minimum protocol version to TLS 1.2 but to allow TLS 1.1 | |
| 1078 when connecting to ``hg.example.com``:: | |
| 1079 | |
| 1080 [hostsecurity] | |
| 1081 minimumprotocol = tls1.2 | |
| 1082 hg.example.com:minimumprotocol = tls1.1 | |
| 1060 | 1083 |
| 1061 ``http_proxy`` | 1084 ``http_proxy`` |
| 1062 -------------- | 1085 -------------- |
| 1063 | 1086 |
| 1064 Used to access web-based Mercurial repositories through a HTTP | 1087 Used to access web-based Mercurial repositories through a HTTP |