[PATCH STABLE] commands: print security protocol support in debuginstall

Gregory Szorc gregory.szorc at gmail.com
Wed Oct 19 22:16:15 UTC 2016


# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1476914831 25200
#      Wed Oct 19 15:07:11 2016 -0700
# Branch stable
# Node ID 37eaf6c2b4ac3c1015965676db89e435a79b45ee
# Parent  e478f11e418288b8308457303d3ddf6a23f874f8
commands: print security protocol support in debuginstall

Over the past ~48 hours I've had to instruct multiple people to run
Python code to query the ssl module to see what TLS protocol support
is present. I think it would be useful for `hg debuginstall` to print
this info to make it easier to access and debug why Mercurial is
complaining about using an insecure TLS 1.0 protocol.

Ideally we'd also print the path to the CA cert bundle. But the APIs
for querying that in sslutil can emit warnings, making it slightly
more difficult to integrate into `hg debuginstall`. That work will
have to wait for another day.

Yes, I realize it is feature freeze. But I think this is useful to
have in the release and it only changes a debug* command, so it
shouldn't be that risky.

diff --git a/mercurial/commands.py b/mercurial/commands.py
--- a/mercurial/commands.py
+++ b/mercurial/commands.py
@@ -63,16 +63,17 @@ from . import (
     pvec,
     repair,
     revlog,
     revset,
     scmutil,
     setdiscovery,
     simplemerge,
     sshserver,
+    sslutil,
     streamclone,
     templatekw,
     templater,
     treediscovery,
     ui as uimod,
     util,
 )
 
@@ -2698,16 +2699,34 @@ def debuginstall(ui, **opts):
     # Python
     fm.write('pythonexe', _("checking Python executable (%s)\n"),
              sys.executable)
     fm.write('pythonver', _("checking Python version (%s)\n"),
              ("%s.%s.%s" % sys.version_info[:3]))
     fm.write('pythonlib', _("checking Python lib (%s)...\n"),
              os.path.dirname(os.__file__))
 
+    security = set(sslutil.supportedprotocols)
+    if sslutil.hassni:
+        security.add('sni')
+
+    fm.write('pythonsecurity', _("checking Python security support (%s)\n"),
+             ', '.join(sorted(security)))
+
+    # These are warnings, not errors. So don't increment problem count. This
+    # may change in the future.
+    fm.condwrite('tls1.2' not in security, 'tlswarning', '  %s\n',
+                 _('TLS 1.2 not supported by Python install; '
+                   'network connections lack modern security'))
+    fm.condwrite('sni' not in security, 'sniwarning', '  %s\n',
+                 _('SNI not supported by Python install; may have '
+                   'connectivity issues with some servers'))
+
+    # TODO print CA cert info
+
     # hg version
     hgver = util.version()
     fm.write('hgver', _("checking Mercurial version (%s)\n"),
              hgver.split('+')[0])
     fm.write('hgverextra', _("checking Mercurial custom build (%s)\n"),
              '+'.join(hgver.split('+')[1:]))
 
     # compiled modules
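Review bot: The two `fm.condwrite` calls on lines 70–75 appear to gate only the plain-text output: the JSON expectation in tests/test-install.t lists `sniwarning` and `tlswarning` without the `(?)` marker that the plain-text lines carry, which suggests the formatter records both warning strings in structured output regardless of the condition, so a consumer of `-T json` cannot distinguish an install with TLS 1.2 and SNI from one without. If the structured output is meant to be usable for that purpose, carry the support state as data rather than as a conditionally-printed message: keep the human-readable warnings for the plain formatter under ordinary `if` statements via `fm.plain(...)`, and attach the booleans with `fm.data(...)` so they appear only in templated output. The JSON expectations at the `sniwarning`/`tlswarning` lines of the test hunks would then change accordingly. The enclosing `debuginstall` starts and ends outside this hunk, so the `fm` construction and the problem counter are not visible here.
```python
    # These are warnings, not errors. So don't increment problem count. This
    # may change in the future. The booleans go only to templated output;
    # the message text is for the plain formatter.
    fm.data(tls12='tls1.2' in security, sni='sni' in security)
    if 'tls1.2' not in security:
        fm.plain(_('  TLS 1.2 not supported by Python install; '
                   'network connections lack modern security\n'))
    if 'sni' not in security:
        fm.plain(_('  SNI not supported by Python install; may have '
                   'connectivity issues with some servers\n'))
```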
diff --git a/tests/test-install.t b/tests/test-install.t
--- a/tests/test-install.t
+++ b/tests/test-install.t
@@ -1,14 +1,17 @@
 hg debuginstall
   $ hg debuginstall
   checking encoding (ascii)...
   checking Python executable (*) (glob)
   checking Python version (2.*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
   checking installed modules (*mercurial)... (glob)
   checking templates (*mercurial?templates)... (glob)
   checking default template (*mercurial?templates?map-cmdline.default) (glob)
   checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
   checking username (test)
@@ -28,30 +31,36 @@ hg debuginstall JSON
     "extensionserror": null,
     "hgmodulepolicy": "*", (glob)
     "hgmodules": "*mercurial", (glob)
     "hgver": "*", (glob)
     "hgverextra": "*", (glob)
     "problems": 0,
     "pythonexe": "*", (glob)
     "pythonlib": "*", (glob)
+    "pythonsecurity": "*", (glob)
     "pythonver": "*.*.*", (glob)
+    "sniwarning": "SNI not supported by Python install; may have connectivity issues with some servers",
     "templatedirs": "*mercurial?templates", (glob)
+    "tlswarning": "TLS 1.2 not supported by Python install; network connections lack modern security",
     "username": "test",
     "usernameerror": null,
     "vinotfound": false
    }
   ]
 
 hg debuginstall with no username
   $ HGUSER= hg debuginstall
   checking encoding (ascii)...
   checking Python executable (*) (glob)
   checking Python version (2.*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
   checking installed modules (*mercurial)... (glob)
   checking templates (*mercurial?templates)... (glob)
   checking default template (*mercurial?templates?map-cmdline.default) (glob)
   checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
   checking username...
@@ -66,16 +75,19 @@ path variables are expanded (~ is the sa
 #if execbit
   $ chmod 755 tools/testeditor.exe
 #endif
   $ hg debuginstall --config ui.editor=~/tools/testeditor.exe
   checking encoding (ascii)...
   checking Python executable (*) (glob)
   checking Python version (*) (glob)
   checking Python lib (*lib*)... (glob)
+  checking Python security support (*) (glob)
+    TLS 1.2 not supported by Python install; network connections lack modern security (?)
+    SNI not supported by Python install; may have connectivity issues with some servers (?)
   checking Mercurial version (*) (glob)
   checking Mercurial custom build (*) (glob)
   checking module policy (*) (glob)
   checking installed modules (*mercurial)... (glob)
   checking templates (*mercurial?templates)... (glob)
   checking default template (*mercurial?templates?map-cmdline.default) (glob)
   checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
   checking username (test)

