This is an archive of the discontinued Mercurial Phabricator instance.

Differential D12488

sslutil: avoid deprecation warnings from python 3.10's ssl module
ClosedPublic

Authored by jcristau on Apr 9 2022, 8:44 AM.

Details

Reviewers
Alphare
Group Reviewers
hg-reviewers
Commits
rHG5144d3579a9c: sslutil: avoid deprecation warnings from python 3.10's ssl module
rHGbf703c3eb60a: sslutil: avoid deprecation warnings from python 3.10's ssl module
Summary

Use ssl.PROTOCOL_TLS_{CLIENT,SERVER} and
SSLContext.{min,max}imum_version when supported (3.7+).

And, catch deprecation warnings when the user asks for deprecated TLS
versions (1.0 and 1.1).

Diff Detail

Repository
rHG Mercurial
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jcristau created this revision.Apr 9 2022, 8:44 AM
Alphare requested changes to this revision.Apr 12 2022, 9:36 AM
Alphare added a subscriber: Alphare.
Alphare added inline comments.
mercurial/sslutil.py
328

I still prefer giving a real error message in supposed unreachable conditions in case they become reachable some ways down the road

This revision now requires changes to proceed.Apr 12 2022, 9:36 AM
jcristau added inline comments.Apr 12 2022, 9:47 AM
mercurial/sslutil.py
328

This is the exact same error message that's already there for the python < 3.7 case (in commonssloptions), so any improvement on that feels like it belongs in a different patch.

Alphare accepted this revision.Apr 12 2022, 10:26 AM

Right, that's fine, thanks!

This revision is now accepted and ready to land.Apr 12 2022, 10:26 AM

Revision Contents
Changeset List

PathPackages
Mmercurial/sslutil.py (127 lines)

Diff 33018

mercurial/sslutil.py

# sslutil.py - SSL handling for mercurial # sslutil.py - SSL handling for mercurial
# #
# Copyright 2005, 2006, 2007, 2008 Olivia Mackall <olivia@selenic.com> # Copyright 2005, 2006, 2007, 2008 Olivia Mackall <olivia@selenic.com>
# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br> # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
# #
# This software may be used and distributed according to the terms of the # This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version. # GNU General Public License version 2 or any later version.
import hashlib import hashlib
import os import os
import re import re
import ssl import ssl
import warnings
from .i18n import _ from .i18n import _
from .pycompat import getattr from .pycompat import getattr
from .node import hex from .node import hex
from . import ( from . import (
encoding, encoding,
error, error,
pycompat, pycompat,
# We can't use ssl.create_default_context() because it calls # We can't use ssl.create_default_context() because it calls
# load_default_certs() unless CA arguments are passed to it. We want to # load_default_certs() unless CA arguments are passed to it. We want to
# have explicit control over CA loading because implicitly loading # have explicit control over CA loading because implicitly loading
# CAs may undermine the user's intent. For example, a user may define a CA # CAs may undermine the user's intent. For example, a user may define a CA
# bundle with a specific CA cert removed. If the system/default CA bundle # bundle with a specific CA cert removed. If the system/default CA bundle
# is loaded and contains that removed CA, you've just undone the user's # is loaded and contains that removed CA, you've just undone the user's
# choice. # choice.
#
if util.safehasattr(ssl, 'PROTOCOL_TLS_CLIENT'):
# python 3.7+
sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
minimumprotocol = settings[b'minimumprotocol']
if minimumprotocol == b'tls1.0':
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1
elif minimumprotocol == b'tls1.1':
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1_1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
elif minimumprotocol == b'tls1.2':
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
else:
raise error.Abort(_(b'this should not happen'))
AlphareUnsubmitted
Not Done

I still prefer giving a real error message in supposed unreachable conditions in case they become reachable some ways down the road

Alphare: I still prefer giving a real error message in supposed unreachable conditions in case they…
jcristauAuthorUnsubmitted
Done

This is the exact same error message that's already there for the python < 3.7 case (in commonssloptions), so any improvement on that feels like it belongs in a different patch.

jcristau: This is the exact same error message that's already there for the python < 3.7 case (in…
# Prevent CRIME.
# There is no guarantee this attribute is defined on the module.
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
else:
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
# ends support, including TLS protocols. commonssloptions() restricts the # ends support, including TLS protocols. commonssloptions() restricts the
# set of allowed protocols. # set of allowed protocols.
sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
sslcontext.options |= commonssloptions(settings[b'minimumprotocol']) sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
# We check the hostname ourselves in _verifycert
sslcontext.check_hostname = False
sslcontext.verify_mode = settings[b'verifymode'] sslcontext.verify_mode = settings[b'verifymode']
if settings[b'ciphers']: if settings[b'ciphers']:
try: try:
sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers']))
except ssl.SSLError as e: except ssl.SSLError as e:
raise error.Abort( raise error.Abort(
_(b'could not set ciphers: %s') _(b'could not set ciphers: %s')
% stringutil.forcebytestr(e.args[0]), % stringutil.forcebytestr(e.args[0]),
hint=_(b'change cipher string (%s) in config') hint=_(b'change cipher string (%s) in config')
# This function is not used much by core Mercurial, so the error messaging # This function is not used much by core Mercurial, so the error messaging
# doesn't have to be as detailed as for wrapsocket(). # doesn't have to be as detailed as for wrapsocket().
for f in (certfile, keyfile, cafile): for f in (certfile, keyfile, cafile):
if f and not os.path.exists(f): if f and not os.path.exists(f):
raise error.Abort( raise error.Abort(
_(b'referenced certificate file (%s) does not exist') % f _(b'referenced certificate file (%s) does not exist') % f
) )
if util.safehasattr(ssl, 'PROTOCOL_TLS_SERVER'):
# python 3.7+
sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
# This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it.
exactprotocol = ui.config(b'devel', b'serverexactprotocol')
if exactprotocol == b'tls1.0':
if b'tls1.0' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1
sslcontext.maximum_version = ssl.TLSVersion.TLSv1
elif exactprotocol == b'tls1.1':
if b'tls1.1' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1_1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1
elif exactprotocol == b'tls1.2':
if b'tls1.2' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
elif exactprotocol:
raise error.Abort(
_(b'invalid value for serverexactprotocol: %s') % exactprotocol
)
else:
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
# ends support, including TLS protocols. commonssloptions() restricts the # ends support, including TLS protocols. commonssloptions() restricts the
# set of allowed protocols. # set of allowed protocols.
protocol = ssl.PROTOCOL_SSLv23 protocol = ssl.PROTOCOL_SSLv23
options = commonssloptions(b'tls1.0') options = commonssloptions(b'tls1.0')
# This config option is intended for use in tests only. It is a giant # This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it. # footgun to kill security. Don't define it.
exactprotocol = ui.config(b'devel', b'serverexactprotocol') exactprotocol = ui.config(b'devel', b'serverexactprotocol')
if exactprotocol == b'tls1.0': if exactprotocol == b'tls1.0':
if b'tls1.0' not in supportedprotocols: if b'tls1.0' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.0 not supported by this Python')) raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1 protocol = ssl.PROTOCOL_TLSv1
elif exactprotocol == b'tls1.1': elif exactprotocol == b'tls1.1':
if b'tls1.1' not in supportedprotocols: if b'tls1.1' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.1 not supported by this Python')) raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1_1 protocol = ssl.PROTOCOL_TLSv1_1
elif exactprotocol == b'tls1.2': elif exactprotocol == b'tls1.2':
if b'tls1.2' not in supportedprotocols: if b'tls1.2' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.2 not supported by this Python')) raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1_2 protocol = ssl.PROTOCOL_TLSv1_2
elif exactprotocol: elif exactprotocol:
raise error.Abort( raise error.Abort(
_(b'invalid value for serverexactprotocol: %s') % exactprotocol _(b'invalid value for serverexactprotocol: %s') % exactprotocol
) )
# We /could/ use create_default_context() here since it doesn't load # We /could/ use create_default_context() here since it doesn't load
# CAs when configured for client auth. However, it is hard-coded to # CAs when configured for client auth. However, it is hard-coded to
# use ssl.PROTOCOL_SSLv23 which may not be appropriate here. # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
sslcontext = ssl.SSLContext(protocol) sslcontext = ssl.SSLContext(protocol)
sslcontext.options |= options sslcontext.options |= options
# Improve forward secrecy. # Improve forward secrecy.
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
# Use the list of more secure ciphers if found in the ssl module. # Use the list of more secure ciphers if found in the ssl module.
if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)