Mercurial > hg
diff tests/test-https.t @ 29559:7dec5e441bf7
sslutil: config option to specify TLS protocol version
Currently, Mercurial will use TLS 1.0 or newer when connecting to
remote servers, selecting the highest TLS version supported by both
peers. On older Pythons, only TLS 1.0 is available. On newer Pythons,
TLS 1.1 and 1.2 should be available.
Security-minded people may want to not take any risks running
TLS 1.0 (or even TLS 1.1). This patch gives those people a config
option to explicitly control which TLS versions Mercurial should use.
By providing this option, one can require newer TLS versions
before they are formally deprecated by Mercurial/Python/OpenSSL/etc
and lower their security exposure. This option also provides an
easy mechanism to change protocol policies in Mercurial. If there
is a 0-day and TLS 1.0 is completely broken, we can act quickly
without changing much code.
Because setting the minimum TLS protocol is something you'll likely
want to do globally, this patch introduces a global config option under
[hostsecurity] for that purpose.
wrapserversocket() has been taught a hidden config option to define
the explicit protocol to use. This is queried in this function and
not passed as an argument because I don't want to expose this dangerous
option as part of the Python API. There is a risk someone could footgun
themselves. But the config option is a devel option, has a warning
comment, and I doubt most people are using `hg serve` to run a
production HTTPS server (I would have something not Mercurial/Python
handle TLS). If this is problematic, we can go back to using a
custom extension in tests to coerce the server into bad behavior.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Thu, 14 Jul 2016 20:47:22 -0700 |
| parents | 121d11814c62 |
| children | 303e9300772a |
line wrap: on
line diff
--- a/tests/test-https.t Thu Jul 14 20:07:10 2016 -0700 +++ b/tests/test-https.t Thu Jul 14 20:47:22 2016 -0700 @@ -345,11 +345,79 @@ $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 5fed3813f7f5 -HGPORT1 is reused below for tinyproxy tests. Kill that server. +Ports used by next test. Kill servers. + + $ killdaemons.py hg0.pid $ killdaemons.py hg1.pid + $ killdaemons.py hg2.pid + +#if sslcontext +Start servers running supported TLS versions + + $ cd test + $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \ + > --config devel.serverexactprotocol=tls1.0 + $ cat ../hg0.pid >> $DAEMON_PIDS + $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \ + > --config devel.serverexactprotocol=tls1.1 + $ cat ../hg1.pid >> $DAEMON_PIDS + $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ + > --config devel.serverexactprotocol=tls1.2 + $ cat ../hg2.pid >> $DAEMON_PIDS + $ cd .. + +Clients talking same TLS versions work + + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 id https://localhost:$HGPORT/ + 5fed3813f7f5 + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT1/ + 5fed3813f7f5 + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ + 5fed3813f7f5 + +Clients requiring newer TLS version than what server supports fail + + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ + (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + abort: error: *unsupported protocol* (glob) + [255] + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT/ + (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + abort: error: *unsupported protocol* (glob) + [255] + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/ + (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + abort: error: *unsupported protocol* (glob) + [255] + +The per-host config option overrides the default + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ + > --config hostsecurity.minimumprotocol=tls1.2 \ + > --config hostsecurity.localhost:minimumprotocol=tls1.0 + 5fed3813f7f5 + +The per-host config option by itself works + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ + > --config hostsecurity.localhost:minimumprotocol=tls1.2 + (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + abort: error: *unsupported protocol* (glob) + [255] + + $ killdaemons.py hg0.pid + $ killdaemons.py hg1.pid + $ killdaemons.py hg2.pid +#endif Prepare for connecting through proxy + $ hg serve -R test -p $HGPORT -d --pid-file=hg0.pid --certificate=$PRIV + $ cat hg0.pid >> $DAEMON_PIDS + $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem + $ cat hg2.pid >> $DAEMON_PIDS +tinyproxy.py doesn't fully detach, so killing it may result in extra output +from the shell. So don't kill it. $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 & $ while [ ! -f proxy.pid ]; do sleep 0; done $ cat proxy.pid >> $DAEMON_PIDS