sslutil: add support for clients to set TLSv1.3 as the minimum protocol
authorMatt Harbison <matt_harbison@yahoo.com>
Mon, 21 Dec 2020 20:21:46 -0500
changeset 52289 323e3626929a
parent 52288 7f8d0c2c3692
child 52290 e03bc88776d3
sslutil: add support for clients to set TLSv1.3 as the minimum protocol AFAICT, all of the TLS versions are supported by the server without doing any explicit work, and there's only a `devel` config to specify an exact version on the server side. Clients would also use TLSv1.3 if available, but this prevents the server from negotiating down. This also causes "tls1.3" to be listed in `hg debuginstall`, even though it was previously supported (if the Python intepreter supported it- IDK if there's a good way to proactively test for and show future protocols without requiring manual updates like this). The v1.3 tests are nested inside the v1.2 tests for simplicity. The v1.2 blocks already assume v1.0 and v1.1 support, so this seems reasonable for now. If/when the older protocols start getting dropped, this will have to be reworked anyway.
mercurial/helptext/config.txt
mercurial/sslutil.py
tests/hghave.py
tests/test-https.t
--- a/mercurial/helptext/config.txt	Mon Dec 21 13:50:25 2020 -0500
+++ b/mercurial/helptext/config.txt	Mon Dec 21 20:21:46 2020 -0500
@@ -1531,7 +1531,7 @@
     By default, the highest version of TLS supported by both client and server
     is used.
 
-    Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``.
+    Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``, ``tls1.3``.
 
     When running on an old Python version, only ``tls1.0`` is allowed since
     old versions of Python only support up to TLS 1.0.
--- a/mercurial/sslutil.py	Mon Dec 21 13:50:25 2020 -0500
+++ b/mercurial/sslutil.py	Mon Dec 21 20:21:46 2020 -0500
@@ -40,6 +40,7 @@
     b'tls1.0',
     b'tls1.1',
     b'tls1.2',
+    b'tls1.3',
 }
 
 hassni = getattr(ssl, 'HAS_SNI', False)
@@ -56,6 +57,8 @@
     supportedprotocols.add(b'tls1.1')
 if getattr(ssl, 'HAS_TLSv1_2', hasattr(ssl, 'PROTOCOL_TLSv1_2')):
     supportedprotocols.add(b'tls1.2')
+if getattr(ssl, 'HAS_TLSv1_3', False):
+    supportedprotocols.add(b'tls1.3')
 
 
 def _hostsettings(ui, hostname):
@@ -307,6 +310,8 @@
             sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
     elif minimumprotocol == b'tls1.2':
         sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
+    elif minimumprotocol == b'tls1.3':
+        sslcontext.minimum_version = ssl.TLSVersion.TLSv1_3
     else:
         raise error.Abort(_(b'this should not happen'))
     # Prevent CRIME.
@@ -545,6 +550,11 @@
             raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
         sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
         sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
+    elif exactprotocol == b'tls1.3':
+        if b'tls1.3' not in supportedprotocols:
+            raise error.Abort(_(b'TLS 1.3 not supported by this Python'))
+        sslcontext.minimum_version = ssl.TLSVersion.TLSv1_3
+        sslcontext.maximum_version = ssl.TLSVersion.TLSv1_3
     elif exactprotocol:
         raise error.Abort(
             _(b'invalid value for server-insecure-exact-protocol: %s')
--- a/tests/hghave.py	Mon Dec 21 13:50:25 2020 -0500
+++ b/tests/hghave.py	Mon Dec 21 20:21:46 2020 -0500
@@ -706,6 +706,13 @@
     return b'tls1.2' in sslutil.supportedprotocols
 
 
+@check("tls1.3", "TLS 1.3 protocol support")
+def has_tls1_3():
+    from mercurial import sslutil
+
+    return b'tls1.3' in sslutil.supportedprotocols
+
+
 @check("windows", "Windows")
 def has_windows():
     return os.name == 'nt'
--- a/tests/test-https.t	Mon Dec 21 13:50:25 2020 -0500
+++ b/tests/test-https.t	Mon Dec 21 20:21:46 2020 -0500
@@ -352,6 +352,11 @@
   $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
   > --config devel.server-insecure-exact-protocol=tls1.2
   $ cat ../hg2.pid >> $DAEMON_PIDS
+#if tls1.3
+  $ hg serve -p $HGPORT3 -d --pid-file=../hg3.pid --certificate=$PRIV \
+  > --config devel.server-insecure-exact-protocol=tls1.3
+  $ cat ../hg3.pid >> $DAEMON_PIDS
+#endif
   $ cd ..
 
 Clients talking same TLS versions work
@@ -362,6 +367,10 @@
   5fed3813f7f5
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
   5fed3813f7f5
+#if tls1.3
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT3/
+  5fed3813f7f5
+#endif
 
 Clients requiring newer TLS version than what server supports fail
 
@@ -391,12 +400,40 @@
   abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
   [100]
 
+#if tls1.3
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT/
+  (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
+  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
+  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
+  [100]
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT1/
+  (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
+  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
+  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
+  [100]
+  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.3 id https://localhost:$HGPORT2/
+  (could not negotiate a common security protocol (tls1.3+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
+  (consider contacting the operator of this server and ask them to support modern TLS protocol versions; or, set hostsecurity.localhost:minimumprotocol=tls1.0 to allow use of legacy, less secure protocols when communicating with this server)
+  (see https://mercurial-scm.org/wiki/SecureConnections for more info)
+  abort: error: .*(unsupported protocol|wrong ssl version|alert protocol version).* (re)
+  [100]
+#endif
+
+
 --insecure will allow TLS 1.0 connections and override configs
 
   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
   5fed3813f7f5
 
+#if tls1.3
+  $ hg --config hostsecurity.minimumprotocol=tls1.3 id --insecure https://localhost:$HGPORT2/
+  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
+  5fed3813f7f5
+#endif
+
 The per-host config option overrides the default
 
   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
@@ -431,6 +468,9 @@
   $ killdaemons.py hg0.pid
   $ killdaemons.py hg1.pid
   $ killdaemons.py hg2.pid
+#if tls1.3
+  $ killdaemons.py hg3.pid
+#endif
 #endif
 
 Prepare for connecting through proxy