Patchwork [STABLE,V2] commands: print security protocol support in debuginstall

Submitter Gregory Szorc
Date Oct. 21, 2016, 11:23 p.m.
Message ID <7d6d017ee2dbb51dcbfc.1477092189@ubuntu-vm-main>
Permalink /patch/17180/
State Accepted

Comments

Gregory Szorc - Oct. 21, 2016, 11:23 p.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1476914831 25200
#      Wed Oct 19 15:07:11 2016 -0700
# Branch stable
# Node ID 7d6d017ee2dbb51dcbfc7c6f116e4c899f95b638
# Parent  e478f11e418288b8308457303d3ddf6a23f874f8
commands: print security protocol support in debuginstall

Over the past week I've had to instruct multiple people to run
Python code to query the ssl module to see what TLS protocol support
is present. I think it would be useful for `hg debuginstall` to print
this info to make it easier to access and debug why Mercurial is
complaining about using an insecure TLS 1.0 protocol.

Ideally we'd also print the path to the CA cert bundle. But the APIs
for querying that in sslutil can emit warnings, making it slightly
more difficult to integrate into `hg debuginstall`. That work will
have to wait for another day.
Yuya Nishihara - Oct. 22, 2016, 7:51 a.m.
On Fri, 21 Oct 2016 16:23:09 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1476914831 25200
> #      Wed Oct 19 15:07:11 2016 -0700
> # Branch stable
> # Node ID 7d6d017ee2dbb51dcbfc7c6f116e4c899f95b638
> # Parent  e478f11e418288b8308457303d3ddf6a23f874f8
> commands: print security protocol support in debuginstall

Queued this, thanks.
Yuya Nishihara - Oct. 22, 2016, 10:27 a.m.
On Fri, 21 Oct 2016 16:23:09 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1476914831 25200
> #      Wed Oct 19 15:07:11 2016 -0700
> # Branch stable
> # Node ID 7d6d017ee2dbb51dcbfc7c6f116e4c899f95b638
> # Parent  e478f11e418288b8308457303d3ddf6a23f874f8
> commands: print security protocol support in debuginstall

> +    if 'tls1.2' not in security:
> +        fm.plain(_('  TLS 1.2 not supported by Python install; '
> +                   'network connections lack modern security'))
> +    if 'sni' not in security:
> +        fm.plain(_('  SNI not supported by Python install; may have '
> +                   'connectivity issues with some servers'))

Doh, I should run the test with python 2.6. Fixed in flight.

https://buildbot.mercurial-scm.org/builders/hg%20tests%20%28stable%29/builds/128/steps/run-tests.py%20%28python%202.6.9%29/logs/stdio

Patch

diff --git a/mercurial/commands.py b/mercurial/commands.py
--- a/mercurial/commands.py
+++ b/mercurial/commands.py
@@ -63,16 +63,17 @@  from . import (
     pvec,
     repair,
     revlog,
     revset,
     scmutil,
     setdiscovery,
     simplemerge,
     sshserver,
+    sslutil,
     streamclone,
     templatekw,
     templater,
     treediscovery,
     ui as uimod,
     util,
 )
 
@@ -2698,16 +2699,35 @@  def debuginstall(ui, **opts):
     # Python
     fm.write('pythonexe', _("checking Python executable (%s)\n"),
              sys.executable)
     fm.write('pythonver', _("checking Python version (%s)\n"),
              ("%s.%s.%s" % sys.version_info[:3]))
     fm.write('pythonlib', _("checking Python lib (%s)...\n"),
              os.path.dirname(os.__file__))
 
+    security = set(sslutil.supportedprotocols)
+    if sslutil.hassni:
+        security.add('sni')
+
+    fm.write('pythonsecurity', _("checking Python security support (%s)\n"),
+             fm.formatlist(sorted(security), name='protocol',
+                           fmt='%s', sep=','))
+
+    # These are warnings, not errors. So don't increment problem count. This
+    # may change in the future.
+    if 'tls1.2' not in security:
+        fm.plain(_('  TLS 1.2 not supported by Python install; '
+                   'network connections lack modern security'))
+    if 'sni' not in security:
+        fm.plain(_('  SNI not supported by Python install; may have '
+                   'connectivity issues with some servers'))
+
+    # TODO print CA cert info
+
     # hg version
     hgver = util.version()
     fm.write('hgver', _("checking Mercurial version (%s)\n"),
              hgver.split('+')[0])
     fm.write('hgverextra', _("checking Mercurial custom build (%s)\n"),
              '+'.join(hgver.split('+')[1:]))
 
     # compiled modules
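Review bot: The two `fm.plain()` warnings for the TLS 1.2 and SNI checks carry no trailing newline, so in plain-text output the SNI warning and the following `checking Mercurial version` line run on from the end of the TLS 1.2 warning instead of starting on their own lines. The expectations added to tests/test-install.t place each warning on a separate line, which only matches if the strings end with a newline; change the last fragment of each to `'network connections lack modern security\n'` and `'connectivity issues with some servers\n'`. The JSON section of the test lists `pythonsecurity` but no warning text, which suggests the `fm.plain()` output is dropped by the JSON formatter, so a tool that wants to detect a missing TLS 1.2 should check for `'tls1.2'` in that list rather than look for the message. The `debuginstall` function begins and ends outside this hunk.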
diff --git a/tests/test-install.t b/tests/test-install.t
--- a/tests/test-install.t
+++ b/tests/test-install.t
@@ -1,14 +1,17 @@ 
 hg debuginstall
   $ hg debuginstall
   checking encoding (ascii)...
   checking Python executable (*) (glob)
   checking Python version (2.*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
   checking installed modules (*mercurial)... (glob)
   checking templates (*mercurial?templates)... (glob)
   checking default template (*mercurial?templates?map-cmdline.default) (glob)
   checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
   checking username (test)
@@ -28,30 +31,34 @@  hg debuginstall JSON
     "extensionserror": null,
     "hgmodulepolicy": "*", (glob)
     "hgmodules": "*mercurial", (glob)
     "hgver": "*", (glob)
     "hgverextra": "*", (glob)
     "problems": 0,
     "pythonexe": "*", (glob)
     "pythonlib": "*", (glob)
+    "pythonsecurity": [*], (glob)
     "pythonver": "*.*.*", (glob)
     "templatedirs": "*mercurial?templates", (glob)
     "username": "test",
     "usernameerror": null,
     "vinotfound": false
    }
   ]
 
 hg debuginstall with no username
   $ HGUSER= hg debuginstall
   checking encoding (ascii)...
   checking Python executable (*) (glob)
   checking Python version (2.*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
   checking installed modules (*mercurial)... (glob)
   checking templates (*mercurial?templates)... (glob)
   checking default template (*mercurial?templates?map-cmdline.default) (glob)
   checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
   checking username...
@@ -66,16 +73,19 @@  path variables are expanded (~ is the sa
 #if execbit
   $ chmod 755 tools/testeditor.exe
 #endif
   $ hg debuginstall --config ui.editor=~/tools/testeditor.exe
   checking encoding (ascii)...
   checking Python executable (*) (glob)
   checking Python version (*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
   checking installed modules (*mercurial)... (glob)
   checking templates (*mercurial?templates)... (glob)
   checking default template (*mercurial?templates?map-cmdline.default) (glob)
   checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
   checking username (test)