This is an archive of the discontinued Mercurial Phabricator instance.

Differential D12489

sslutil: be less strict about which ciphers are allowed when using --insecure
ClosedPublic

Authored by jcristau on Apr 9 2022, 8:44 AM.

Details

Reviewers
Alphare
Group Reviewers
hg-reviewers
Commits
rHG50bd2910d162: sslutil: be less strict about which ciphers are allowed when using --insecure
rHGf6cb8f414321: sslutil: be less strict about which ciphers are allowed when using --insecure
Summary

Python 3.10 restricted which ciphers are enabled by default, leading to
no available ciphers for TLS < 1.2. When using the --insecure flag we
allow old TLS, so also adjust the cipher list to give connections a
chance to work.

On the server side, also loosen the cipher selection in tests (when
using the devel.serverexactprotocol option).

Diff Detail

Repository
rHG Mercurial
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Revision Contents
Changeset List

PathPackages
Mmercurial/sslutil.py (15 lines)

Diff 33019

mercurial/sslutil.py

key = b'minimumprotocol' key = b'minimumprotocol'
minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol) minimumprotocol = ui.config(b'hostsecurity', key, defaultminimumprotocol)
validateprotocol(minimumprotocol, key) validateprotocol(minimumprotocol, key)
key = b'%s:minimumprotocol' % bhostname key = b'%s:minimumprotocol' % bhostname
minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol) minimumprotocol = ui.config(b'hostsecurity', key, minimumprotocol)
validateprotocol(minimumprotocol, key) validateprotocol(minimumprotocol, key)
ciphers = ui.config(b'hostsecurity', b'ciphers')
ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
# If --insecure is used, we allow the use of TLS 1.0 despite config options. # If --insecure is used, we allow the use of TLS 1.0 despite config options.
# We always print a "connection security to %s is disabled..." message when # We always print a "connection security to %s is disabled..." message when
# --insecure is used. So no need to print anything more here. # --insecure is used. So no need to print anything more here.
if ui.insecureconnections: if ui.insecureconnections:
minimumprotocol = b'tls1.0' minimumprotocol = b'tls1.0'
if not ciphers:
ciphers = b'DEFAULT'
s[b'minimumprotocol'] = minimumprotocol s[b'minimumprotocol'] = minimumprotocol
ciphers = ui.config(b'hostsecurity', b'ciphers')
ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
s[b'ciphers'] = ciphers s[b'ciphers'] = ciphers
# Look for fingerprints in [hostsecurity] section. Value is a list # Look for fingerprints in [hostsecurity] section. Value is a list
# of <alg>:<fingerprint> strings. # of <alg>:<fingerprint> strings.
fingerprints = ui.configlist( fingerprints = ui.configlist(
b'hostsecurity', b'%s:fingerprints' % bhostname b'hostsecurity', b'%s:fingerprints' % bhostname
) )
for fingerprint in fingerprints: for fingerprint in fingerprints:
# use ssl.PROTOCOL_SSLv23 which may not be appropriate here. # use ssl.PROTOCOL_SSLv23 which may not be appropriate here.
sslcontext = ssl.SSLContext(protocol) sslcontext = ssl.SSLContext(protocol)
sslcontext.options |= options sslcontext.options |= options
# Improve forward secrecy. # Improve forward secrecy.
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
# Use the list of more secure ciphers if found in the ssl module. # In tests, allow insecure ciphers
if util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): # Otherwise, use the list of more secure ciphers if found in the ssl module.
if exactprotocol:
sslcontext.set_ciphers('DEFAULT')
elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
# pytype: disable=module-attr # pytype: disable=module-attr
sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
# pytype: enable=module-attr # pytype: enable=module-attr
if requireclientcert: if requireclientcert:
sslcontext.verify_mode = ssl.CERT_REQUIRED sslcontext.verify_mode = ssl.CERT_REQUIRED
else: else: