This is an archive of the discontinued Mercurial Phabricator instance.

Differential D12488

sslutil: avoid deprecation warnings from python 3.10's ssl module
ClosedPublic

Authored by jcristau on Apr 9 2022, 8:44 AM.

Details

Reviewers
Alphare
Group Reviewers
hg-reviewers
Commits
rHG5144d3579a9c: sslutil: avoid deprecation warnings from python 3.10's ssl module
rHGbf703c3eb60a: sslutil: avoid deprecation warnings from python 3.10's ssl module
Summary

Use ssl.PROTOCOL_TLS_{CLIENT,SERVER} and
SSLContext.{min,max}imum_version when supported (3.7+).

And, catch deprecation warnings when the user asks for deprecated TLS
versions (1.0 and 1.1).

Diff Detail

Repository
rHG Mercurial
Branch
default
Lint
No Linters Available
Unit
No Unit Test Coverage

Event Timeline

jcristau created this revision.Apr 9 2022, 8:44 AM
Alphare requested changes to this revision.Apr 12 2022, 9:36 AM
Alphare added a subscriber: Alphare.
Alphare added inline comments.
mercurial/sslutil.py
328

I still prefer giving a real error message in supposed unreachable conditions in case they become reachable some ways down the road

This revision now requires changes to proceed.Apr 12 2022, 9:36 AM
jcristau added inline comments.Apr 12 2022, 9:47 AM
mercurial/sslutil.py
328

This is the exact same error message that's already there for the python < 3.7 case (in commonssloptions), so any improvement on that feels like it belongs in a different patch.

Alphare accepted this revision.Apr 12 2022, 10:26 AM

Right, that's fine, thanks!

This revision is now accepted and ready to land.Apr 12 2022, 10:26 AM

Revision Contents
Changeset List

PathPackages
Mmercurial/sslutil.py (127 lines)

Diff 32994

mercurial/sslutil.py

# sslutil.py - SSL handling for mercurial # sslutil.py - SSL handling for mercurial
# #
# Copyright 2005, 2006, 2007, 2008 Olivia Mackall <olivia@selenic.com> # Copyright 2005, 2006, 2007, 2008 Olivia Mackall <olivia@selenic.com>
# Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br> # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
# #
# This software may be used and distributed according to the terms of the # This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version. # GNU General Public License version 2 or any later version.
import hashlib import hashlib
import os import os
import re import re
import ssl import ssl
import warnings
from .i18n import _ from .i18n import _
from .pycompat import getattr from .pycompat import getattr
from .node import hex from .node import hex
from . import ( from . import (
encoding, encoding,
error, error,
pycompat, pycompat,
# We can't use ssl.create_default_context() because it calls # We can't use ssl.create_default_context() because it calls
# load_default_certs() unless CA arguments are passed to it. We want to # load_default_certs() unless CA arguments are passed to it. We want to
# have explicit control over CA loading because implicitly loading # have explicit control over CA loading because implicitly loading
# CAs may undermine the user's intent. For example, a user may define a CA # CAs may undermine the user's intent. For example, a user may define a CA
# bundle with a specific CA cert removed. If the system/default CA bundle # bundle with a specific CA cert removed. If the system/default CA bundle
# is loaded and contains that removed CA, you've just undone the user's # is loaded and contains that removed CA, you've just undone the user's
# choice. # choice.
#
if util.safehasattr(ssl, 'PROTOCOL_TLS_CLIENT'):
# python 3.7+
sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
minimumprotocol = settings[b'minimumprotocol']
if minimumprotocol == b'tls1.0':
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1
elif minimumprotocol == b'tls1.1':
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1_1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
elif minimumprotocol == b'tls1.2':
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
else:
raise error.Abort(_(b'this should not happen'))
AlphareUnsubmitted
Not Done

I still prefer giving a real error message in supposed unreachable conditions in case they become reachable some ways down the road

Alphare: I still prefer giving a real error message in supposed unreachable conditions in case they…
jcristauAuthorUnsubmitted
Done

This is the exact same error message that's already there for the python < 3.7 case (in commonssloptions), so any improvement on that feels like it belongs in a different patch.

jcristau: This is the exact same error message that's already there for the python < 3.7 case (in…
# Prevent CRIME.
# There is no guarantee this attribute is defined on the module.
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
else:
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
# ends support, including TLS protocols. commonssloptions() restricts the # ends support, including TLS protocols. commonssloptions() restricts the
# set of allowed protocols. # set of allowed protocols.
sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
sslcontext.options |= commonssloptions(settings[b'minimumprotocol']) sslcontext.options |= commonssloptions(settings[b'minimumprotocol'])
# We check the hostname ourselves in _verifycert
sslcontext.check_hostname = False
sslcontext.verify_mode = settings[b'verifymode'] sslcontext.verify_mode = settings[b'verifymode']
if settings[b'ciphers']: if settings[b'ciphers']:
try: try:
sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers'])) sslcontext.set_ciphers(pycompat.sysstr(settings[b'ciphers']))
except ssl.SSLError as e: except ssl.SSLError as e:
raise error.Abort( raise error.Abort(
_(b'could not set ciphers: %s') _(b'could not set ciphers: %s')
% stringutil.forcebytestr(e.args[0]), % stringutil.forcebytestr(e.args[0]),
hint=_(b'change cipher string (%s) in config') hint=_(b'change cipher string (%s) in config')
# This function is not used much by core Mercurial, so the error messaging # This function is not used much by core Mercurial, so the error messaging
# doesn't have to be as detailed as for wrapsocket(). # doesn't have to be as detailed as for wrapsocket().
for f in (certfile, keyfile, cafile): for f in (certfile, keyfile, cafile):
if f and not os.path.exists(f): if f and not os.path.exists(f):
raise error.Abort( raise error.Abort(
_(b'referenced certificate file (%s) does not exist') % f _(b'referenced certificate file (%s) does not exist') % f
) )
if util.safehasattr(ssl, 'PROTOCOL_TLS_SERVER'):
# python 3.7+
sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
# This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it.
exactprotocol = ui.config(b'devel', b'serverexactprotocol')
if exactprotocol == b'tls1.0':
if b'tls1.0' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1
sslcontext.maximum_version = ssl.TLSVersion.TLSv1
elif exactprotocol == b'tls1.1':
if b'tls1.1' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
with warnings.catch_warnings():
warnings.filterwarnings('ignore', 'ssl.TLSVersion.TLSv1_1 is deprecated', DeprecationWarning)
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_1
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_1
elif exactprotocol == b'tls1.2':
if b'tls1.2' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
sslcontext.minimum_version = ssl.TLSVersion.TLSv1_2
sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
elif exactprotocol:
raise error.Abort(
_(b'invalid value for serverexactprotocol: %s') % exactprotocol
)
else:
# Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
# ends support, including TLS protocols. commonssloptions() restricts the # ends support, including TLS protocols. commonssloptions() restricts the
# set of allowed protocols. # set of allowed protocols.
protocol = ssl.PROTOCOL_SSLv23 protocol = ssl.PROTOCOL_SSLv23
options = commonssloptions(b'tls1.0') options = commonssloptions(b'tls1.0')
# This config option is intended for use in tests only. It is a giant # This config option is intended for use in tests only. It is a giant
# footgun to kill security. Don't define it. # footgun to kill security. Don't define it.
exactprotocol = ui.config(b'devel', b'serverexactprotocol') exactprotocol = ui.config(b'devel', b'serverexactprotocol')
if exactprotocol == b'tls1.0': if exactprotocol == b'tls1.0':
if b'tls1.0' not in supportedprotocols: if b'tls1.0' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.0 not supported by this Python')) raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1 protocol = ssl.PROTOCOL_TLSv1
elif exactprotocol == b'tls1.1': elif exactprotocol == b'tls1.1':
if b'tls1.1' not in supportedprotocols: if b'tls1.1' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.1 not supported by this Python')) raise error.Abort(_(b'TLS 1.1 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1_1 protocol = ssl.PROTOCOL_TLSv1_1
elif exactprotocol == b'tls1.2': elif exactprotocol == b'tls1.2':
if b'tls1.2' not in supportedprotocols: if b'tls1.2' not in supportedprotocols:
raise error.Abort(_(b'TLS 1.2 not supported by this Python')) raise error.Abort(_(b'TLS 1.2 not supported by this Python'))
protocol = ssl.PROTOCOL_TLSv1_2 protocol = ssl.PROTOCOL_TLSv1_2
elif exactprotocol: elif exactprotocol:
raise error.Abort( raise error.Abort(
_(b'invalid value for serverexactprotocol: %s') % exactprotocol _(b'invalid value for serverexactprotocol: %s') % exactprotocol
) )
# We /could/ use create_default_context() here since it doesn't load # We /could/ use create_default_context() here since it doesn't load
# CAs when configured for client auth. However, it is hard-coded to # CAs when configured for client auth. However, it is hard-coded to
# use ssl.PROTOCOL_SSLv23 which may not be appropriate here. # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
sslcontext = ssl.SSLContext(protocol) sslcontext = ssl.SSLContext(protocol)
sslcontext.options |= options sslcontext.options |= options
# Improve forward secrecy. # Improve forward secrecy.
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
# Use the list of more secure ciphers if found in the ssl module. # Use the list of more secure ciphers if found in the ssl module.
if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)