Mercurial > hg
comparison setup.py @ 44893:95c832849955
setup: require that Python has TLS 1.1 or TLS 1.2
This ensures that Mercurial never downgrades the minimum TLS version from
TLS 1.1+ to TLS 1.0+ and enables us to remove that compatibility code.
It is reasonable to expect that distributions having Python 2.7.9+ or having
backported modern features to the ssl module (which we require) have a OpenSSL
version supporting TLS 1.1 or TLS 1.2, as this is the main reason why
distributions would want to backport these features.
TLS 1.1 and TLS 1.2 are often either both enabled or both not enabled.
However, both can be disabled independently, at least on current Python /
OpenSSL versions.
For the record, I contacted the CPython developers to remark that
unconditionally defining ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 is
problematic:
https://github.com/python/cpython/commit/6e8cda91d92da72800d891b2fc2073ecbc134d98#r39569316
| author | Manuel Jacob <me@manueljacob.de> |
|---|---|
| date | Sat, 30 May 2020 23:42:19 +0200 |
| parents | 4c53c12b92d5 |
| children | 9d532329ee97 |
comparison
equal
deleted
inserted
replaced
| 44892:dd7c4a208a4e | 44893:95c832849955 |
|---|---|
| 92 The `ssl` module does not have the `SSLContext` class. This indicates an old | 92 The `ssl` module does not have the `SSLContext` class. This indicates an old |
| 93 Python version which does not support modern security features (which were | 93 Python version which does not support modern security features (which were |
| 94 added to Python 2.7 as part of "PEP 466"). Please make sure you have installed | 94 added to Python 2.7 as part of "PEP 466"). Please make sure you have installed |
| 95 at least Python 2.7.9 or a Python version with backports of these security | 95 at least Python 2.7.9 or a Python version with backports of these security |
| 96 features. | 96 features. |
| 97 """ | |
| 98 printf(error, file=sys.stderr) | |
| 99 sys.exit(1) | |
| 100 | |
| 101 # ssl.HAS_TLSv1* are preferred to check support but they were added in Python | |
| 102 # 3.7. Prior to CPython commit 6e8cda91d92da72800d891b2fc2073ecbc134d98 | |
| 103 # (backported to the 3.7 branch), ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 | |
| 104 # were defined only if compiled against a OpenSSL version with TLS 1.1 / 1.2 | |
| 105 # support. At the mentioned commit, they were unconditionally defined. | |
| 106 _notset = object() | |
| 107 has_tlsv1_1 = getattr(ssl, 'HAS_TLSv1_1', _notset) | |
| 108 if has_tlsv1_1 is _notset: | |
| 109 has_tlsv1_1 = getattr(ssl, 'PROTOCOL_TLSv1_1', _notset) is not _notset | |
| 110 has_tlsv1_2 = getattr(ssl, 'HAS_TLSv1_2', _notset) | |
| 111 if has_tlsv1_2 is _notset: | |
| 112 has_tlsv1_2 = getattr(ssl, 'PROTOCOL_TLSv1_2', _notset) is not _notset | |
| 113 if not (has_tlsv1_1 or has_tlsv1_2): | |
| 114 error = """ | |
| 115 The `ssl` module does not advertise support for TLS 1.1 or TLS 1.2. | |
| 116 Please make sure that your Python installation was compiled against an OpenSSL | |
| 117 version enabling these features (likely this requires the OpenSSL version to | |
| 118 be at least 1.0.1). | |
| 97 """ | 119 """ |
| 98 printf(error, file=sys.stderr) | 120 printf(error, file=sys.stderr) |
| 99 sys.exit(1) | 121 sys.exit(1) |
| 100 | 122 |
| 101 if sys.version_info[0] >= 3: | 123 if sys.version_info[0] >= 3: |