Patchwork [v4] setup: require that Python has TLS 1.1 or TLS 1.2

login
register
mail settings
Submitter Manuel Jacob
Date May 31, 2020, 7:08 a.m.
Message ID <0b80baeded449c19f89d.1590908896@tmp>
Download mbox | patch
Permalink /patch/46432/
State Superseded
Headers show

Comments

Manuel Jacob - May 31, 2020, 7:08 a.m.
# HG changeset patch
# User Manuel Jacob <me@manueljacob.de>
# Date 1590874939 -7200
#      Sat May 30 23:42:19 2020 +0200
# Node ID 0b80baeded449c19f89d4b6cec2a00eec4d286a7
# Parent  61cdc8137d5326ed075b982693469a2134365ff5
# EXP-Topic require_modern_ssl
setup: require that Python has TLS 1.1 or TLS 1.2

This increases the minimum security baseline of Mercurial (up from TLS 1.0)
and enables us to remove compatibility code that downgrades security if these
features are not available.

It is reasonable to expect that distributions having Python 2.7.9+ or having
backported modern features to the ssl module (which we require) have a OpenSSL
version supporting TLS 1.1 or TLS 1.2, as this is the main reason why
distributions would want to backport these features.

TLS 1.1 and TLS 1.2 are often either both enabled or both not enabled.
However, both can be disabled independently, at least on current Python /
OpenSSL versions.

ssl.HAS_TLSv1_1 / ssl.HAS_TLSv1_2 are preferred to check support but they were
added in Python 3.7. ssl.PROTOCOL_TLSv1_1 / ssl.PROTOCOL_TLSv1_2 were
deprecated in Python 3.6, but checking their presence is good enough for older
Python versions.
Yuya Nishihara - May 31, 2020, 1:48 p.m.
On Sun, 31 May 2020 09:08:16 +0200, Manuel Jacob wrote:
> # HG changeset patch
> # User Manuel Jacob <me@manueljacob.de>
> # Date 1590874939 -7200
> #      Sat May 30 23:42:19 2020 +0200
> # Node ID 0b80baeded449c19f89d4b6cec2a00eec4d286a7
> # Parent  61cdc8137d5326ed075b982693469a2134365ff5
> # EXP-Topic require_modern_ssl
> setup: require that Python has TLS 1.1 or TLS 1.2

This patch itself doesn't make much sense. Please resend it with your
upcoming series.

Patch

diff --git a/relnotes/next b/relnotes/next
--- a/relnotes/next
+++ b/relnotes/next
@@ -7,7 +7,9 @@ 
 == Backwards Compatibility Changes ==
 
 * Mercurial now requires at least Python 2.7.9 or a Python version that
-  backported modern SSL/TLS features (as defined in PEP 466).
+  backported modern SSL/TLS features (as defined in PEP 466), and that Python
+  was compiled against a OpenSSL version supporting TLS 1.1 or TLS 1.2
+  (likely this requires the OpenSSL version to be at least 1.0.1).
 
 
 == Internal API Changes ==
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -98,6 +98,23 @@  features.
     printf(error, file=sys.stderr)
     sys.exit(1)
 
+_notset = object()
+has_tlsv1_1 = getattr(ssl, 'HAS_TLSv1_1', _notset)
+if has_tlsv1_1 is _notset:
+    has_tlsv1_1 = getattr(ssl, 'PROTOCOL_TLSv1_1', _notset) is not _notset
+has_tlsv1_2 = getattr(ssl, 'HAS_TLSv1_2', _notset)
+if has_tlsv1_2 is _notset:
+    has_tlsv1_2 = getattr(ssl, 'PROTOCOL_TLSv1_2', _notset) is not _notset
+if not (has_tlsv1_1 or has_tlsv1_2):
+    error = """
+The `ssl` module does not advertise support for TLS 1.1 or TLS 1.2.
+Please make sure that your Python installation was compiled against an OpenSSL
+version enabling these features (likely this requires the OpenSSL version to
+be at least 1.0.1).
+"""
+    printf(error, file=sys.stderr)
+    sys.exit(1)
+
 if sys.version_info[0] >= 3:
     DYLIB_SUFFIX = sysconfig.get_config_vars()['EXT_SUFFIX']
 else: