Bug 1355624 - Make Mercurial require TLS 1.2+ connections; r=dustin
author: Gregory Szorc <gps@mozilla.com>
date: Tue, 11 Apr 2017 14:52:39 -0700
changeset: 352487 26b7053440a5cf15eacd10b9cbf16597eb75916b
parent: 352486 a9fb56b87d011e6e85cc30684d719c68bd8189a4
child: 352488 a6300a521f9c0438c1688007c2889530a0facce2
push id: 31641
push user: kwierso@gmail.com
push date: Wed, 12 Apr 2017 17:51:17 +0000
reviewers: dustin
bugs: 1355624
milestone: 55.0a1
Bug 1355624 - Make Mercurial require TLS 1.2+ connections; r=dustin

Mercurial uses the latest version of TLS that is both supported by Python and the server. In automation, the servers we care about should all support TLS 1.2. The Python side is trickier. Modern versions of Python (typically 2.7.9+) support TLS 1.1 and 1.2. Mercurial will default to allowing TLS 1.1+ - explicitly disallowing TLS 1.0. However, legacy versions of Python don't support TLS 1.1+, so Mercurial will allow TLS 1.0+ rather than prevent connections at all.

TLS 1.0 is borderline secure these days. I think it is a bug for TLS 1.0 to be used anywhere in the Firefox release process.

This simple patch changes our default Mercurial config in TaskCluster to require TLS 1.2+ for all https:// communications. For modern Python versions, this effectively prevents potential downgrade attacks to TLS 1.1 (connections before should have negotiated the use of TLS 1.2).

I expect this change to break things. Finding and fixing automation that isn't capable of speaking TLS 1.1+ should be encouraged.

MozReview-Commit-ID: 876YpL5vB3T
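The commit message explains that a `minimumprotocol` floor only helps if the Python running Mercurial can actually speak that TLS version; on a Python without TLS 1.2 support a `tls1.2` floor fails every connection instead of downgrading. The following is an added example, not code from this patch, from Mozilla or from Mercurial: it reads `hostsecurity.minimumprotocol` from a constructed hgrc fragment modelled on the section the patch adds, checks whether the interpreter's `ssl` module can honour that floor, and builds an `SSLContext` with the same minimum version so the setting can be verified before it is rolled out. It assumes the accepted values are `tls1.0`, `tls1.1` and `tls1.2`, and that an unset option means the `tls1.1` default the commit message describes for modern Python.

```python
"""Check that a Mercurial [hostsecurity] minimumprotocol floor can be honoured.

Added example (not Mozilla's or Mercurial's code). Assumes the values
Mercurial accepts for minimumprotocol are "tls1.0", "tls1.1" and "tls1.2",
and that an unset option behaves like "tls1.1" (the modern-Python default
described in the commit message).
"""
import configparser
import ssl

# Constructed hgrc fragment mirroring the section the patch adds.
SAMPLE_HGRC = """\
[web]
cacerts = /etc/ssl/certs/ca-bundle.crt

[hostsecurity]
# Constructed comment: floor TLS at 1.2 for every https:// host.
minimumprotocol = tls1.2
"""

# Mercurial option value -> (ssl module version enum, feature flag that
# tells us whether this interpreter's OpenSSL can speak that version).
TLS_VERSIONS = {
    "tls1.0": (ssl.TLSVersion.TLSv1, "HAS_TLSv1"),
    "tls1.1": (ssl.TLSVersion.TLSv1_1, "HAS_TLSv1_1"),
    "tls1.2": (ssl.TLSVersion.TLSv1_2, "HAS_TLSv1_2"),
}


def parse_minimum_protocol(hgrc_text, default="tls1.1"):
    """Return hostsecurity.minimumprotocol from an hgrc, or `default` if unset."""
    # RawConfigParser: no %-interpolation, and hgrc files may repeat sections
    # (the patched file has two [extensions] sections), hence strict=False.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(hgrc_text)
    value = parser.get("hostsecurity", "minimumprotocol", fallback=default)
    value = value.strip().lower()
    if value not in TLS_VERSIONS:
        raise ValueError("unknown minimumprotocol value: %r" % value)
    return value


def interpreter_can_honor(minimum):
    """True if this Python's ssl module can negotiate the requested floor.

    A Python that lacks TLS 1.2 support would fail every connection under a
    tls1.2 floor (fail closed), so surface that before deploying the config.
    """
    _, flag = TLS_VERSIONS[minimum]
    return bool(getattr(ssl, flag, False))


def build_context(minimum):
    """Build an SSLContext whose version floor matches the hgrc setting."""
    version, _ = TLS_VERSIONS[minimum]
    ctx = ssl.create_default_context()  # verifies certificates and hostnames
    ctx.minimum_version = version       # refuse anything older than the floor
    return ctx


def check_config(hgrc_text):
    """Report the configured floor and whether this interpreter can use it."""
    minimum = parse_minimum_protocol(hgrc_text)
    return {"minimumprotocol": minimum, "supported": interpreter_can_honor(minimum)}


if __name__ == "__main__":
    report = check_config(SAMPLE_HGRC)
    print(report)
    if report["supported"]:
        ctx = build_context(report["minimumprotocol"])
        print("context floor:", ctx.minimum_version.name)
```

Run it with the interpreter that will execute `hg` in the image; a `supported: False` result means the floor would turn every `https://` clone into a hard failure on that Python, which is the fail-closed behaviour the commit message anticipates.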
taskcluster/docker/recipes/install-mercurial.sh
--- a/taskcluster/docker/recipes/install-mercurial.sh
+++ b/taskcluster/docker/recipes/install-mercurial.sh
@@ -125,16 +125,24 @@ refresh = 1.0
 assume-tty = true
 
 [web]
 cacerts = ${CERT_PATH}
 
 [extensions]
 robustcheckout = /usr/local/mercurial/robustcheckout.py
 
+[hostsecurity]
+# When running a modern Python, Mercurial will default to TLS 1.1+.
+# When running on a legacy Python, Mercurial will default to TLS 1.0+.
+# There is no good reason we shouldn't be running a modern Python
+# capable of speaking TLS 1.2. And the only Mercurial servers we care
+# about should be running TLS 1.2. So make TLS 1.2 the minimum.
+minimumprotocol = tls1.2
+
 # Settings to make 1-click loaners more useful.
 [extensions]
 color =
 histedit =
 pager =
 rebase =
 
 [diff]
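Review bot: the comment block above `minimumprotocol = tls1.2` describes the defaults Mercurial picks on modern and legacy Python but not what happens once this floor is set on a Python that cannot speak TLS 1.2: the connection is refused rather than downgraded, which the commit message says is the intended, breaking outcome. Suggest adding that consequence to the comment so whoever debugs a failing `hg` in automation knows the remedy is a newer Python/OpenSSL, not a change to this setting, e.g. `# On a Python without TLS 1.2 support, connections will fail rather than downgrade.`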