Bug 1355624 - Make Mercurial require TLS 1.2+ connections. r=dustin, a=NPOTB
author Gregory Szorc <gps@mozilla.com>
date Tue, 11 Apr 2017 14:52:39 -0700
changeset 355645 154327e98878f5d8d1869505312ece14c2207153
parent 355644 e35c073dbc8bbd9a11852fd83d685934de9eb59c
child 355646 af7d378522eee1714b5398d510005af4efb3457c
push id 7027
push user ryanvm@gmail.com
push date Wed, 12 Apr 2017 21:21:53 +0000
treeherder mozilla-esr52@aaa0bba23803
reviewers dustin, NPOTB
bugs 1355624
milestone 52.1.0
Bug 1355624 - Make Mercurial require TLS 1.2+ connections. r=dustin, a=NPOTB

Mercurial uses the latest version of TLS that is both supported by Python and the server. In automation, the servers we care about should all support TLS 1.2.

The Python side is trickier. Modern versions of Python (typically 2.7.9+) support TLS 1.1 and 1.2. Mercurial will default to allowing TLS 1.1+ - explicitly disallowing TLS 1.0. However, legacy versions of Python don't support TLS 1.1+, so Mercurial will allow TLS 1.0+ rather than prevent connections at all.

TLS 1.0 is borderline secure these days. I think it is a bug for TLS 1.0 to be used anywhere in the Firefox release process.

This simple patch changes our default Mercurial config in TaskCluster to require TLS 1.2+ for all https:// communications. For modern Python versions, this effectively prevents potential downgrade attacks to TLS 1.1 (connections before should have negotiated the use of TLS 1.2).

I expect this change to break things. Finding and fixing automation that isn't capable of speaking TLS 1.1+ should be encouraged.

MozReview-Commit-ID: 876YpL5vB3T
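The commit message describes three behaviours: with no explicit setting a modern Python gets a TLS 1.1 floor, a legacy Python gets a TLS 1.0 floor, and an explicit `minimumprotocol` is honoured or, if the Python cannot speak it, the connection is refused. The following is an added illustrative model of that decision (not Mercurial's own code; the function names, the `has_tls11_plus` override and the use of `ssl.TLSVersion` are this example's assumptions) that also shows the client-side `SSLContext` a TLS 1.2 floor translates to:

```python
"""Added example: model of resolving a [hostsecurity] minimumprotocol
setting against the TLS versions the running Python supports, and of
building a client SSLContext that enforces the resolved floor.
This is illustrative code, not Mercurial's implementation."""
import ssl

# Config values in hg's spelling, ordered weakest to strongest.
_ORDER = ["tls1.0", "tls1.1", "tls1.2"]

# hg value -> ssl.TLSVersion (Python 3.7+).
_VERSION = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}


def supported_protocols(has_tls11_plus=None):
    """TLS versions this Python can negotiate.

    `has_tls11_plus` (an assumed test hook) forces the answer; by default
    it is read from the ssl module, which exposes HAS_TLSv1_2 on 3.7+.
    """
    if has_tls11_plus is None:
        has_tls11_plus = getattr(ssl, "HAS_TLSv1_2", False)
    return list(_ORDER) if has_tls11_plus else ["tls1.0"]


def resolve_minimum_protocol(configured, has_tls11_plus=None):
    """Effective minimum TLS version for a given configuration.

    - no explicit setting, modern Python  -> "tls1.1"
    - no explicit setting, legacy Python  -> "tls1.0" (degrade, don't fail)
    - explicit setting                    -> honoured, or RuntimeError when
                                             the Python cannot speak it
    """
    supported = supported_protocols(has_tls11_plus)
    if configured is None:
        return "tls1.1" if "tls1.1" in supported else "tls1.0"
    if configured not in _ORDER:
        raise ValueError("unknown minimumprotocol %r" % (configured,))
    if configured not in supported:
        # An explicit floor the interpreter cannot honour must abort,
        # never silently fall back to an older protocol.
        raise RuntimeError(
            "this Python cannot speak %s; refusing to connect" % configured)
    return configured


def make_client_context(minimum):
    """Client SSLContext (cert + hostname verification on) with the floor applied."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = _VERSION[minimum]
    return ctx


if __name__ == "__main__":
    floor = resolve_minimum_protocol("tls1.2")
    print("effective minimum:", floor,
          "->", make_client_context(floor).minimum_version.name)
```

With `minimumprotocol = tls1.2` configured, the only outcomes are a context whose `minimum_version` is `TLSv1_2` or a hard error on an interpreter that cannot reach it, which is the "break things rather than downgrade" behaviour the commit message asks for.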
testing/docker/recipes/install-mercurial.sh
--- a/testing/docker/recipes/install-mercurial.sh
+++ b/testing/docker/recipes/install-mercurial.sh
@@ -125,16 +125,24 @@ refresh = 1.0
 assume-tty = true
 
 [web]
 cacerts = ${CERT_PATH}
 
 [extensions]
 robustcheckout = /usr/local/mercurial/robustcheckout.py
 
+[hostsecurity]
+# When running a modern Python, Mercurial will default to TLS 1.1+.
+# When running on a legacy Python, Mercurial will default to TLS 1.0+.
+# There is no good reason we shouldn't be running a modern Python
+# capable of speaking TLS 1.2. And the only Mercurial servers we care
+# about should be running TLS 1.2. So make TLS 1.2 the minimum.
+minimumprotocol = tls1.2
+
 # Settings to make 1-click loaners more useful.
 [extensions]
 color =
 histedit =
 pager =
 rebase =
 
 [diff]
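Review bot: the comment block above `minimumprotocol = tls1.2` explains Mercurial's defaults but not what this setting does on the legacy Python it mentions: a Python without TLS 1.2 support will now have hg refuse the connection instead of falling back to TLS 1.0+, which is the failure mode the commit message wants ("I expect this change to break things"). Suggest saying so in the comment, e.g. `# On a Python that cannot speak TLS 1.2 this makes hg abort rather than downgrade.`, so whoever hits the error in automation understands it is deliberate. Also note this is a global floor for every https:// host; Mercurial's per-host `<hostname>:minimumprotocol` form exists if one host ever needs an exception, but per the commit message none should, so the global key is the right choice here.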