mercurial-scm/hg: comparison mercurial/sslutil.py

equal deleted inserted replaced

-:a935cd7d51a6
+:7dec5e441bf7
 #
 # Depending on the version of Python being used, SSL/TLS support is either
 # modern/secure or legacy/insecure. Many operations in this module have
 # separate code paths depending on support in Python.
+configprotocols = set([
+'tls1.0',
+'tls1.1',
+'tls1.2',
+])
 hassni = getattr(ssl, 'HAS_SNI', False)
-try:
-OP_NO_SSLv2 = ssl.OP_NO_SSLv2
-OP_NO_SSLv3 = ssl.OP_NO_SSLv3
-except AttributeError:
-OP_NO_SSLv2 = 0x1000000
-OP_NO_SSLv3 = 0x2000000
 try:
 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
 # SSL/TLS features are available.
 SSLContext = ssl.SSLContext
 'ctxoptions': None,
 }
 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
 # that both ends support, including TLS protocols. On legacy stacks,
-# the highest it likely goes in TLS 1.0. On modern stacks, it can
+# the highest it likely goes is TLS 1.0. On modern stacks, it can
 # support TLS 1.2.
 #
 # The PROTOCOL_TLSv* constants select a specific TLS version
 # only (as opposed to multiple versions). So the method for
 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
 # disable protocols via SSLContext.options and OP_NO_* constants.
 # However, SSLContext.options doesn't work unless we have the
 # full/real SSLContext available to us.
-if modernssl:
-s['protocol'] = ssl.PROTOCOL_SSLv23
+# Allow minimum TLS protocol to be specified in the config.
-else:
+def validateprotocol(protocol, key):
-s['protocol'] = ssl.PROTOCOL_TLSv1
+if protocol not in configprotocols:
+raise error.Abort(
-# SSLv2 and SSLv3 are broken. We ban them outright.
+_('unsupported protocol from hostsecurity.%s: %s') %
-# WARNING: ctxoptions doesn't have an effect unless the modern ssl module
+(key, protocol),
-# is available. Be careful when adding flags!
+hint=_('valid protocols: %s') %
-s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
+' '.join(sorted(configprotocols)))
-# Prevent CRIME.
+key = 'minimumprotocol'
-# There is no guarantee this attribute is defined on the module.
+# Default to TLS 1.0+ as that is what browsers are currently doing.
-s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+protocol = ui.config('hostsecurity', key, 'tls1.0')
+validateprotocol(protocol, key)
+key = '%s:minimumprotocol' % hostname
+protocol = ui.config('hostsecurity', key, protocol)
+validateprotocol(protocol, key)
+s['protocol'], s['ctxoptions'] = protocolsettings(protocol)
 # Look for fingerprints in [hostsecurity] section. Value is a list
 # of <alg>:<fingerprint> strings.
 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
 [])
 assert s['ctxoptions'] is not None
 assert s['verifymode'] is not None
 return s
+def protocolsettings(protocol):
+"""Resolve the protocol and context options for a config value."""
+if protocol not in configprotocols:
+raise ValueError('protocol value not supported: %s' % protocol)
+# Legacy ssl module only supports up to TLS 1.0. Ideally we'd use
+# PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However,
+# SSLContext.options doesn't work in our implementation since we use
+# a fake SSLContext on these Python versions.
+if not modernssl:
+if protocol != 'tls1.0':
+raise error.Abort(_('current Python does not support protocol '
+'setting %s') % protocol,
+hint=_('upgrade Python or disable setting since '
+'only TLS 1.0 is supported'))
+return ssl.PROTOCOL_TLSv1, 0
+# WARNING: returned options don't work unless the modern ssl module
+# is available. Be careful when adding options here.
+# SSLv2 and SSLv3 are broken. We ban them outright.
+options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+if protocol == 'tls1.0':
+# Defaults above are to use TLS 1.0+
+pass
+elif protocol == 'tls1.1':
+options |= ssl.OP_NO_TLSv1
+elif protocol == 'tls1.2':
+options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+else:
+raise error.Abort(_('this should not happen'))
+# Prevent CRIME.
+# There is no guarantee this attribute is defined on the module.
+options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+return ssl.PROTOCOL_SSLv23, options
 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
 """Add SSL/TLS to a socket.
 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
 choices based on what security options are available.
 else:
 caloaded = False
 try:
 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
-except ssl.SSLError:
+except ssl.SSLError as e:
 # If we're doing certificate verification and no CA certs are loaded,
 # that is almost certainly the reason why verification failed. Provide
 # a hint to the user.
 # Only modern ssl module exposes SSLContext.get_ca_certs() so we can
 # only show this warning if modern ssl is available.
 modernssl and not sslcontext.get_ca_certs()):
 ui.warn(_('(an attempt was made to load CA certificates but none '
 'were loaded; see '
 'https://mercurial-scm.org/wiki/SecureConnections for '
 'how to configure Mercurial to avoid this error)\n'))
+# Try to print more helpful error messages for known failures.
+if util.safehasattr(e, 'reason'):
+if e.reason == 'UNSUPPORTED_PROTOCOL':
+ui.warn(_('(could not negotiate a common protocol; see '
+'https://mercurial-scm.org/wiki/SecureConnections '
+'for how to configure Mercurial to avoid this '
+'error)\n'))
 raise
 # check if wrap_socket failed silently because socket had been
 # closed
 # - see http://bugs.python.org/issue13721
 ``requireclientcert`` specifies whether to require client certificates.
 Typically ``cafile`` is only defined if ``requireclientcert`` is true.
 """
+protocol, options = protocolsettings('tls1.0')
+# This config option is intended for use in tests only. It is a giant
+# footgun to kill security. Don't define it.
+exactprotocol = ui.config('devel', 'serverexactprotocol')
+if exactprotocol == 'tls1.0':
+protocol = ssl.PROTOCOL_TLSv1
+elif exactprotocol == 'tls1.1':
+protocol = ssl.PROTOCOL_TLSv1_1
+elif exactprotocol == 'tls1.2':
+protocol = ssl.PROTOCOL_TLSv1_2
+elif exactprotocol:
+raise error.Abort(_('invalid value for serverexactprotocol: %s') %
+exactprotocol)
 if modernssl:
 # We /could/ use create_default_context() here since it doesn't load
-# CAs when configured for client auth.
+# CAs when configured for client auth. However, it is hard-coded to
-sslcontext = SSLContext(ssl.PROTOCOL_SSLv23)
+# use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
-# SSLv2 and SSLv3 are broken. Ban them outright.
+sslcontext = SSLContext(protocol)
-sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
+sslcontext.options |= options
-# Prevent CRIME
-sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
 # Improve forward secrecy.
 sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
 # Use the list of more secure ciphers if found in the ssl module.

changeset 29559	7dec5e441bf7
parent 29558	a935cd7d51a6
child 29560	303e9300772a