Patchwork [02,of,10,v2] setup: require that Python supports TLS 1.1 and TLS 1.2

Submitter Manuel Jacob
Date May 30, 2020, 10:37 p.m.
Message ID <b33cc1f796e9c3aa6df1.1590878235@tmp>
Permalink /patch/46421/
State New

Comments

Manuel Jacob - May 30, 2020, 10:37 p.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590874939 -7200
#      Sat May 30 23:42:19 2020 +0200
# Node ID b33cc1f796e9c3aa6df1e51d36f0b3c061dfee9e
# Parent  d5441892eb22aa451bb479919e95f671e99857eb
# EXP-Topic require_modern_ssl
setup: require that Python supports TLS 1.1 and TLS 1.2

This increases the minimum security baseline of Mercurial and enables us to
remove compatibility code that downgrades security if these features are not
available.

It is reasonable to expect that distributions having Python 2.7.9+ or having
backported modern features to the ssl module (which we require) have an OpenSSL
version supporting TLS 1.1 and TLS 1.2, as this is the main reason why
distributions would want to backport these features.

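As an added illustration (this is not part of the patch and not Mercurial's own setup.py code), the following Python probes the interpreter's ssl module the way the commit message describes: it reports which of the TLS 1.1/1.2 protocol constants are missing, produces a setup-time error message when they are, and builds a client context that refuses anything below TLS 1.2, which is the kind of configuration the "compatibility code that downgrades security" would otherwise have to fall back from. The names `LegacySSL`, `missing_tls_features`, `supports_modern_tls`, `tls_check_message`, `make_client_context` and `context_policy` are invented here, and `LegacySSL` is a constructed stand-in for an ssl module built against a pre-1.0.1 OpenSSL, so the failure path can be exercised without installing one.

```python
import ssl


class LegacySSL(object):
    """Constructed stand-in for an ssl module built against OpenSSL < 1.0.1.

    It exposes SSLContext (so a PEP 466 check would pass) but only advertises
    TLS 1.0, which is exactly the situation the setup-time check must reject.
    This is not a real module; it exists only to drive the failure path.
    """
    OPENSSL_VERSION = "OpenSSL 1.0.0 (constructed)"
    OPENSSL_VERSION_INFO = (1, 0, 0, 0, 0)
    SSLContext = object
    PROTOCOL_TLSv1 = 3


# Constants CPython only defines when the OpenSSL it was built against
# supports the corresponding protocol version (OpenSSL 1.0.1 added both).
REQUIRED_TLS_ATTRS = ("PROTOCOL_TLSv1_1", "PROTOCOL_TLSv1_2")


def missing_tls_features(mod=ssl):
    """Return the names from REQUIRED_TLS_ATTRS that `mod` does not expose."""
    return [name for name in REQUIRED_TLS_ATTRS if not hasattr(mod, name)]


def supports_modern_tls(mod=ssl):
    """True when `mod` exposes SSLContext and both TLS 1.1 and TLS 1.2."""
    return hasattr(mod, "SSLContext") and not missing_tls_features(mod)


def tls_check_message(mod=ssl):
    """None when `mod` passes the check, otherwise an error message naming
    the missing constants and the OpenSSL the module reports."""
    missing = missing_tls_features(mod)
    if not missing:
        return None
    return (
        "The `ssl` module (%s) does not advertise %s. Rebuild Python against "
        "OpenSSL 1.0.1 or newer, which is where TLS 1.1 and TLS 1.2 were added."
        % (mod.OPENSSL_VERSION, " and ".join(missing))
    )


def make_client_context():
    """Client context with certificate and hostname verification on, and a
    floor of TLS 1.2, so no downgrade to TLS 1.0/1.1 is negotiable."""
    ctx = ssl.create_default_context()
    if hasattr(ssl, "TLSVersion"):
        # Python 3.7+: the protocol floor is a first-class setting.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # Older interpreters: disable the weaker versions explicitly.
        ctx.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
                        | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    return ctx


def context_policy(ctx):
    """Plain-value summary of a context's policy, handy for logs and tests."""
    policy = {
        "verifies_certs": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": None,
    }
    if hasattr(ctx, "minimum_version"):
        policy["minimum_version"] = ctx.minimum_version.name  # e.g. "TLSv1_2"
    return policy


if __name__ == "__main__":
    print("running interpreter:", ssl.OPENSSL_VERSION)
    print("  modern TLS:", supports_modern_tls())
    print("  check message:", tls_check_message())
    print("constructed legacy module:")
    print("  modern TLS:", supports_modern_tls(LegacySSL))
    print("  check message:", tls_check_message(LegacySSL))
    print("client context policy:", context_policy(make_client_context()))
```

Using `hasattr` rather than a bare attribute access as the probe lets the message say which constant is absent, and checking `SSLContext` separately keeps the PEP 466 requirement and the TLS 1.1/1.2 requirement distinguishable when diagnosing a distribution's Python build.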
Patch

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -7,7 +7,9 @@ 
 == Backwards Compatibility Changes ==
 
 * Mercurial now requires at least Python 2.7.9 or a Python version that
-  backported modern SSL/TLS features (as defined in PEP 466).
+  backported modern SSL/TLS features (as defined in PEP 466), and that Python
+  was compiled against a OpenSSL version supporting TLS 1.1 and TLS 1.2
+  (likely this requires the OpenSSL version to be at least 1.0.1).
 
 
 == Internal API Changes ==
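Review bot: "compiled against a OpenSSL version" in the added release note should read "an OpenSSL version", and the hedge "(likely this requires the OpenSSL version to be at least 1.0.1)" can be stated as fact, since OpenSSL 1.0.1 is the release that introduced TLS 1.1 and TLS 1.2; suggest "and that Python was compiled against an OpenSSL version supporting TLS 1.1 and TLS 1.2 (OpenSSL 1.0.1 or newer)." The same hedged wording appears in the setup.py error text in this series and should be kept consistent with whatever is chosen here.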
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -98,6 +98,19 @@  features.
     printf(error, file=sys.stderr)
     sys.exit(1)
 
+try:
+    ssl.PROTOCOL_TLSv1_1
+    ssl.PROTOCOL_TLSv1_2
+except AttributeError:
+    error = """
+The `ssl` module does not advertise support for TLS 1.1 and TLS 1.2.
+Please make sure that your Python installation was compiled against an OpenSSL
+version enabling these features (likely this requires the OpenSSL version to
+be at least 1.0.1).
+"""
+    printf(error, file=sys.stderr)
+    sys.exit(1)
+
 if sys.version_info[0] >= 3:
     DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else:
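Review bot: the bare expression statements `ssl.PROTOCOL_TLSv1_1` and `ssl.PROTOCOL_TLSv1_2` work as a probe, but they read as no-ops, linters flag them as pointless statements, and the resulting message cannot say which of the two constants is absent; `missing = [n for n in ('PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1_2') if not hasattr(ssl, n)]` followed by `if missing:` gives the same guard with a more useful error. The hunk also uses `ssl` without importing it, so it relies on the import made for the earlier PEP 466 check that precedes this hunk; worth confirming that import is at module level rather than inside that check's own try block, otherwise a partially failing import would surface here as a NameError instead of the intended message. Minor: the error text's "(likely this requires the OpenSSL version to be at least 1.0.1)" can drop "likely", as OpenSSL 1.0.1 is where TLS 1.1 and 1.2 were added.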