Bug 1355624 - Make Mercurial require TLS 1.2+ connections. r=dustin, a=NPOTB
author Gregory Szorc <gps@mozilla.com>
Tue, 11 Apr 2017 14:52:39 -0700
changeset 395832 9bd10c7f62175b53d634f1f0ca20d0baf42bfdcd
parent 395831 73708b8f9cbc177d23aa5d2293c8cafe453ce90e
child 395833 9be31b94dd56a73b07149ae458076a4454bcd9c8
push id 1468
push user asasaki@mozilla.com
push date Mon, 05 Jun 2017 19:31:07 +0000
reviewers dustin, NPOTB
bugs 1355624
milestone 54.0a2
Bug 1355624 - Make Mercurial require TLS 1.2+ connections. r=dustin, a=NPOTB

Mercurial uses the latest version of TLS that is both supported by Python and the server. In automation, the servers we care about should all support TLS 1.2.

The Python side is trickier. Modern versions of Python (typically 2.7.9+) support TLS 1.1 and 1.2. Mercurial will default to allowing TLS 1.1+ - explicitly disallowing TLS 1.0. However, legacy versions of Python don't support TLS 1.1+, so Mercurial will allow TLS 1.0+ rather than prevent connections at all.

TLS 1.0 is borderline secure these days. I think it is a bug for TLS 1.0 to be used anywhere in the Firefox release process.

This simple patch changes our default Mercurial config in TaskCluster to require TLS 1.2+ for all https:// communications. For modern Python versions, this effectively prevents potential downgrade attacks to TLS 1.1 (connections before should have negotiated the use of TLS 1.2).

I expect this change to break things. Finding and fixing automation that isn't capable of speaking TLS 1.1+ should be encouraged.

MozReview-Commit-ID: 876YpL5vB3T
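The commit message describes a configuration that is easy to get subtly wrong: `minimumprotocol` only takes effect when it sits in the `[hostsecurity]` section, and Mercurial lets a later assignment override an earlier one. The following audit script is an added example, not part of this changeset or of Mercurial; it parses an hgrc file the way hg reads sections and keys and reports the effective `minimumprotocol`, so an image build or a loaner can be checked for the TLS 1.2 floor. The file paths and the sample hgrc contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the patch): audit an hgrc for the TLS floor that
# the [hostsecurity] section sets. Sample contents below are constructed.

# hgrc_min_protocol FILE
# Prints the value of minimumprotocol from the [hostsecurity] section of FILE,
# or "unset" if there is none. Comment lines are skipped, the key is only
# honoured inside [hostsecurity] (a minimumprotocol key in another section is
# ignored, as hg ignores it), and the last assignment wins, matching how hg
# merges repeated sections.
hgrc_min_protocol() {
    awk '
        /^[[:space:]]*[#;]/ { next }                        # comment line
        /^[[:space:]]*\[/ {                                 # [section] header
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        section == "hostsecurity" && /^[[:space:]]*minimumprotocol[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            value = v
        }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# hgrc_requires_tls12 FILE : succeeds only if the effective floor is tls1.2
hgrc_requires_tls12() {
    [ "$(hgrc_min_protocol "$1")" = "tls1.2" ]
}

# write_hardened_hgrc FILE : constructed sample resembling the post-patch config
write_hardened_hgrc() {
    cat > "$1" <<'EOF'
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

[hostsecurity]
# Require TLS 1.2 for all https:// connections.
minimumprotocol = tls1.2

[extensions]
color =
EOF
}

# write_legacy_hgrc FILE : constructed sample where the key is in the wrong
# section, so hg would silently keep its default (TLS 1.1+ or TLS 1.0+)
write_legacy_hgrc() {
    cat > "$1" <<'EOF'
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

[extensions]
minimumprotocol = tls1.2
EOF
}

# Stand-alone demonstration over both constructed samples.
demo_dir=$(mktemp -d)
write_hardened_hgrc "$demo_dir/hardened.hgrc"
write_legacy_hgrc "$demo_dir/legacy.hgrc"
for f in "$demo_dir/hardened.hgrc" "$demo_dir/legacy.hgrc"; do
    if hgrc_requires_tls12 "$f"; then
        echo "OK   $f: minimumprotocol=$(hgrc_min_protocol "$f")"
    else
        echo "WARN $f: minimumprotocol=$(hgrc_min_protocol "$f") (TLS 1.2 not required)"
    fi
done
rm -rf "$demo_dir"
```

Run it against the hgrc an image actually ships (for the image in this patch, the file that `install-mercurial.sh` writes) rather than a sample; the point of the check is to catch a floor that was set in the wrong section or overridden later in the same file.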
taskcluster/docker/recipes/install-mercurial.sh
--- a/taskcluster/docker/recipes/install-mercurial.sh
+++ b/taskcluster/docker/recipes/install-mercurial.sh
@@ -125,16 +125,24 @@ refresh = 1.0
 assume-tty = true
 
 [web]
 cacerts = ${CERT_PATH}
 
 [extensions]
 robustcheckout = /usr/local/mercurial/robustcheckout.py
 
+[hostsecurity]
+# When running a modern Python, Mercurial will default to TLS 1.1+.
+# When running on a legacy Python, Mercurial will default to TLS 1.0+.
+# There is no good reason we shouldn't be running a modern Python
+# capable of speaking TLS 1.2. And the only Mercurial servers we care
+# about should be running TLS 1.2. So make TLS 1.2 the minimum.
+minimumprotocol = tls1.2
+
 # Settings to make 1-click loaners more useful.
 [extensions]
 color =
 histedit =
 pager =
 rebase =
 
 [diff]
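Review bot: The new comment block above `+minimumprotocol = tls1.2` explains why the floor is TLS 1.2 but not what happens when the runtime cannot meet it; on a Python without TLS 1.2 support Mercurial will now refuse https:// connections outright instead of falling back, which the commit message says is intended ("I expect this change to break things"). Suggest adding one line to the comment saying so, e.g. `# On a Python that cannot speak TLS 1.2, hg will abort https connections; fix the Python, do not lower this.`, so whoever hits the abort in automation knows the setting is deliberate and that the remedy is a modern Python rather than relaxing the floor.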