##// END OF EJS Templates
sslutil: require TLS 1.1+ when supported...
sslutil: require TLS 1.1+ when supported Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available. Security professionals recommend avoiding TLS 1.0 if possible. PCI DSS 3.1 "strongly encourages" the use of TLS 1.2. Known attacks like BEAST and POODLE exist against TLS 1.0 (although mitigations are available and properly configured servers aren't vulnerable). I asked Eric Rescorla - Mozilla's resident crypto expert - whether Mercurial should drop support for TLS 1.0. His response was "if you can get away with it." Essentially, a number of servers on the Internet don't support TLS 1.1+. This is why web browsers continue to support TLS 1.0 despite desires from security experts. This patch changes Mercurial's default behavior on modern Python versions to require TLS 1.1+, thus avoiding known security issues with TLS 1.0 and making Mercurial more secure by default. Rather than drop TLS 1.0 support wholesale, we still allow TLS 1.0 to be used if configured. This is a compromise solution - ideally we'd disallow TLS 1.0. However, since we're not sure how many Mercurial servers don't support TLS 1.1+ and we're not sure how much user inconvenience this change will bring, I think it is prudent to ship an escape hatch that still allows usage of TLS 1.0. In the default case our users get better security. In the worst case, they are no worse off than before this patch. This patch has no effect when running on Python versions that don't support TLS 1.1+. As the added test shows, connecting to a server that doesn't support TLS 1.1+ will display a warning message with a link to our wiki, where we can guide people to configure their client to allow less secure connections.

File last commit:

r29526:9d02bed8 default
r29560:303e9300 default
Show More
README
50 lines | 2.0 KiB | text/plain | TextLexer
Generate a private key (priv.pem):
$ openssl genrsa -out priv.pem 2048
Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):
$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub.pem
$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 -out pub-other.pem
Now generate an expired certificate by turning back the system time:
$ date --set='2016-01-01T00:00:00Z'
$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-expired.pem
Generate a certificate not yet active by advancing the system time:
$ date --set='2030-01-01T00:00:00Z'
$ printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 -out pub-not-yet.pem
Note: When adjusting system time, verify the time change sticks. If running
systemd, you may want to use `timedatectl set-ntp false` and e.g.
`timedatectl set-time '2016-01-01 00:00:00'` to set system time.
Generate a passphrase protected client certificate private key:
$ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048
Create a copy of the private key without a passphrase:
$ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
Create a CSR and sign the key using the server keypair:
$ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
$ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
-set_serial 01 -out client-cert.pem
When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.
Fingerprints for certs can be obtained by running:
$ openssl x509 -in pub.pem -noout -sha1 -fingerprint
$ openssl x509 -in pub.pem -noout -sha256 -fingerprint