# HG changeset patch # User Gregory Szorc # Date 2016-07-14 04:35:54 # Node ID 303e9300772ab785812d9eb2835d8c4573aae672 # Parent 7dec5e441bf782a7acadc609531f17d5d05af44c sslutil: require TLS 1.1+ when supported Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available. Security professionals recommend avoiding TLS 1.0 if possible. PCI DSS 3.1 "strongly encourages" the use of TLS 1.2. Known attacks like BEAST and POODLE exist against TLS 1.0 (although mitigations are available and properly configured servers aren't vulnerable). I asked Eric Rescorla - Mozilla's resident crypto expert - whether Mercurial should drop support for TLS 1.0. His response was "if you can get away with it." Essentially, a number of servers on the Internet don't support TLS 1.1+. This is why web browsers continue to support TLS 1.0 despite desires from security experts. This patch changes Mercurial's default behavior on modern Python versions to require TLS 1.1+, thus avoiding known security issues with TLS 1.0 and making Mercurial more secure by default. Rather than drop TLS 1.0 support wholesale, we still allow TLS 1.0 to be used if configured. This is a compromise solution - ideally we'd disallow TLS 1.0. However, since we're not sure how many Mercurial servers don't support TLS 1.1+ and we're not sure how much user inconvenience this change will bring, I think it is prudent to ship an escape hatch that still allows usage of TLS 1.0. In the default case our users get better security. In the worst case, they are no worse off than before this patch. This patch has no effect when running on Python versions that don't support TLS 1.1+. As the added test shows, connecting to a server that doesn't support TLS 1.1+ will display a warning message with a link to our wiki, where we can guide people to configure their client to allow less secure connections. diff --git a/mercurial/help/config.txt b/mercurial/help/config.txt --- a/mercurial/help/config.txt +++ b/mercurial/help/config.txt @@ -1008,10 +1008,18 @@ The following options control default be ``minimumprotocol`` Defines the minimum channel encryption protocol to use. - By default, the highest version of TLS - 1.0 or greater - supported by - both client and server is used. - - Allowed values are: ``tls1.0`` (the default), ``tls1.1``, ``tls1.2``. + By default, the highest version of TLS supported by both client and server + is used. + + Allowed values are: ``tls1.0``, ``tls1.1``, ``tls1.2``. + + When running on an old Python version, only ``tls1.0`` is allowed since + old versions of Python only support up to TLS 1.0. + + When running a Python that supports modern TLS versions, the default is + ``tls1.1``. ``tls1.0`` can still be used to allow TLS 1.0. However, this + weakens security and should only be used as a feature of last resort if + a server does not support TLS 1.1+. Options in the ``[hostsecurity]`` section can have the form ``hostname``:``setting``. This allows multiple settings to be defined on a diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py --- a/mercurial/sslutil.py +++ b/mercurial/sslutil.py @@ -154,9 +154,17 @@ def _hostsettings(ui, hostname): hint=_('valid protocols: %s') % ' '.join(sorted(configprotocols))) + # Legacy Python can only do TLS 1.0. We default to TLS 1.1+ where we + # can because TLS 1.0 has known vulnerabilities (like BEAST and POODLE). + # We allow users to downgrade to TLS 1.0+ via config options in case a + # legacy server is encountered. + if modernssl: + defaultprotocol = 'tls1.1' + else: + defaultprotocol = 'tls1.0' + key = 'minimumprotocol' - # Default to TLS 1.0+ as that is what browsers are currently doing. - protocol = ui.config('hostsecurity', key, 'tls1.0') + protocol = ui.config('hostsecurity', key, defaultprotocol) validateprotocol(protocol, key) key = '%s:minimumprotocol' % hostname diff --git a/tests/test-https.t b/tests/test-https.t --- a/tests/test-https.t +++ b/tests/test-https.t @@ -377,6 +377,11 @@ Clients talking same TLS versions work Clients requiring newer TLS version than what server supports fail + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ + (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) + abort: error: *unsupported protocol* (glob) + [255] + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 id https://localhost:$HGPORT/ (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) abort: error: *unsupported protocol* (glob)