Patchwork [2,of,4,STABLE] sslutil: allow TLS 1.0 when --insecure is used

login
register
mail settings
Submitter Gregory Szorc
Date July 20, 2016, 4:31 a.m.
Message ID <c575dafbff39b743957f.1468989114@ubuntu-vm-main>
Download mbox | patch
Permalink /patch/15962/
State Accepted
Headers show

Comments

Gregory Szorc - July 20, 2016, 4:31 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1468984611 25200
#      Tue Jul 19 20:16:51 2016 -0700
# Branch stable
# Node ID c575dafbff39b743957fc39af4f107fba04ee467
# Parent  3b67fc038e07238b23843f2bbbb609b5c4ee9e53
sslutil: allow TLS 1.0 when --insecure is used

--insecure is our psuedo-supported footgun for disabling connection
security.

The flag already disables CA verification. I think allowing the use of
TLS 1.0 when specified is appropriate.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -176,16 +176,22 @@  def _hostsettings(ui, hostname):
     key = 'minimumprotocol'
     protocol = ui.config('hostsecurity', key, defaultprotocol)
     validateprotocol(protocol, key)
 
     key = '%s:minimumprotocol' % hostname
     protocol = ui.config('hostsecurity', key, protocol)
     validateprotocol(protocol, key)
 
+    # If --insecure is used, we allow the use of TLS 1.0 despite config options.
+    # We always print a "connection security to %s is disabled..." message when
+    # --insecure is used. So no need to print anything more here.
+    if ui.insecureconnections:
+        protocol = 'tls1.0'
+
     s['protocol'], s['ctxoptions'] = protocolsettings(protocol)
 
     ciphers = ui.config('hostsecurity', 'ciphers')
     ciphers = ui.config('hostsecurity', '%s:ciphers' % hostname, ciphers)
     s['ciphers'] = ciphers
 
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -481,16 +481,22 @@  Clients requiring newer TLS version than
   (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
   abort: error: *unsupported protocol* (glob)
   [255]
   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT1/
   (could not negotiate a common protocol; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
   abort: error: *unsupported protocol* (glob)
   [255]
 
+--insecure will allow TLS 1.0 connections and override configs
+
+  $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
+  warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
+  5fed3813f7f5
+
 The per-host config option overrides the default
 
   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
   > --config hostsecurity.minimumprotocol=tls1.2 \
   > --config hostsecurity.localhost:minimumprotocol=tls1.0
   5fed3813f7f5
 
 The per-host config option by itself works