[PATCH STABLE] commands: print security protocol support in debuginstall

Augie Fackler raf at durin42.com
Thu Oct 20 10:26:20 EDT 2016


On Wed, Oct 19, 2016 at 03:16:15PM -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1476914831 25200
> #      Wed Oct 19 15:07:11 2016 -0700
> # Branch stable
> # Node ID 37eaf6c2b4ac3c1015965676db89e435a79b45ee
> # Parent  e478f11e418288b8308457303d3ddf6a23f874f8
> commands: print security protocol support in debuginstall

I'm going to give this an enthusiastic +1. It's probably a little
sketchy to take it during the freeze, but I agree we should just do
it. If I don't hear objections before the end of my workday on Friday,
I'll take this.

>
> Over the past ~48 hours I've had to instruct multiple people to run
> Python code to query the ssl module to see what TLS protocol support
> is present. I think it would be useful for `hg debuginstall` to print
> this info to make it easier to access and debug why Mercurial is
> complaining about using an insecure TLS 1.0 protocol.
>
> Ideally we'd also print the path to the CA cert bundle. But the APIs
> for querying that in sslutil can emit warnings, making it slightly
> more difficult to integrate into `hg debuginstall`. That work will
> have to wait for another day.
>
> Yes, I realize it is feature freeze. But I think this is useful to
> have in the release and it only changes a debug* command, so it
> shouldn't be that risky.
>
> diff --git a/mercurial/commands.py b/mercurial/commands.py
> --- a/mercurial/commands.py
> +++ b/mercurial/commands.py
> @@ -63,16 +63,17 @@ from . import (
>      pvec,
>      repair,
>      revlog,
>      revset,
>      scmutil,
>      setdiscovery,
>      simplemerge,
>      sshserver,
> +    sslutil,
>      streamclone,
>      templatekw,
>      templater,
>      treediscovery,
>      ui as uimod,
>      util,
>  )
>
> @@ -2698,16 +2699,34 @@ def debuginstall(ui, **opts):
>      # Python
>      fm.write('pythonexe', _("checking Python executable (%s)\n"),
>               sys.executable)
>      fm.write('pythonver', _("checking Python version (%s)\n"),
>               ("%s.%s.%s" % sys.version_info[:3]))
>      fm.write('pythonlib', _("checking Python lib (%s)...\n"),
>               os.path.dirname(os.__file__))
>
> +    security = set(sslutil.supportedprotocols)
> +    if sslutil.hassni:
> +        security.add('sni')
> +
> +    fm.write('pythonsecurity', _("checking Python security support (%s)\n"),
> +             ', '.join(sorted(security)))
> +
> +    # These are warnings, not errors. So don't increment problem count. This
> +    # may change in the future.
> +    fm.condwrite('tls1.2' not in security, 'tlswarning', '  %s\n',
> +                 _('TLS 1.2 not supported by Python install; '
> +                   'network connections lack modern security'))
> +    fm.condwrite('sni' not in security, 'sniwarning', '  %s\n',
> +                 _('SNI not supported by Python install; may have '
> +                   'connectivity issues with some servers'))
> +
> +    # TODO print CA cert info
> +
>      # hg version
>      hgver = util.version()
>      fm.write('hgver', _("checking Mercurial version (%s)\n"),
>               hgver.split('+')[0])
>      fm.write('hgverextra', _("checking Mercurial custom build (%s)\n"),
>               '+'.join(hgver.split('+')[1:]))
>
>      # compiled modules
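Review bot: The `tlswarning` text added here states the consequence but not the remedy, although the commit message says the goal is to help users debug Mercurial's TLS 1.0 complaint; a user reading "network connections lack modern security" still has to work out that TLS 1.2 availability comes from the interpreter's `ssl` module being built against OpenSSL 1.0.1 or newer (2.7.9+ on the Python 2 line). Consider appending a short hint, e.g. `_('TLS 1.2 not supported by Python install; network connections lack modern security (upgrade Python/OpenSSL)')`, and the same kind of hint for `sniwarning`. Since the warnings are not counted in `problems`, the hint is the only thing that points the user toward the fix; the optional `(?)` expectation lines in tests/test-install.t would need the matching text. debuginstall's body continues outside the hunk.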
> diff --git a/tests/test-install.t b/tests/test-install.t
> --- a/tests/test-install.t
> +++ b/tests/test-install.t
> @@ -1,14 +1,17 @@
>  hg debuginstall
>    $ hg debuginstall
>    checking encoding (ascii)...
>    checking Python executable (*) (glob)
>    checking Python version (2.*) (glob)
>    checking Python lib (*lib*)... (glob)
> +  checking Python security support (*) (glob)
> +    TLS 1.2 not supported by Python install; network connections lack modern security (?)
> +    SNI not supported by Python install; may have connectivity issues with some servers (?)
>    checking Mercurial version (*) (glob)
>    checking Mercurial custom build (*) (glob)
>    checking module policy (*) (glob)
>    checking installed modules (*mercurial)... (glob)
>    checking templates (*mercurial?templates)... (glob)
>    checking default template (*mercurial?templates?map-cmdline.default) (glob)
>    checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
>    checking username (test)
> @@ -28,30 +31,36 @@ hg debuginstall JSON
>      "extensionserror": null,
>      "hgmodulepolicy": "*", (glob)
>      "hgmodules": "*mercurial", (glob)
>      "hgver": "*", (glob)
>      "hgverextra": "*", (glob)
>      "problems": 0,
>      "pythonexe": "*", (glob)
>      "pythonlib": "*", (glob)
> +    "pythonsecurity": "*", (glob)
>      "pythonver": "*.*.*", (glob)
> +    "sniwarning": "SNI not supported by Python install; may have connectivity issues with some servers",
>      "templatedirs": "*mercurial?templates", (glob)
> +    "tlswarning": "TLS 1.2 not supported by Python install; network connections lack modern security",
>      "username": "test",
>      "usernameerror": null,
>      "vinotfound": false
>     }
>    ]
>
>  hg debuginstall with no username
>    $ HGUSER= hg debuginstall
>    checking encoding (ascii)...
>    checking Python executable (*) (glob)
>    checking Python version (2.*) (glob)
>    checking Python lib (*lib*)... (glob)
> +  checking Python security support (*) (glob)
> +    TLS 1.2 not supported by Python install; network connections lack modern security (?)
> +    SNI not supported by Python install; may have connectivity issues with some servers (?)
>    checking Mercurial version (*) (glob)
>    checking Mercurial custom build (*) (glob)
>    checking module policy (*) (glob)
>    checking installed modules (*mercurial)... (glob)
>    checking templates (*mercurial?templates)... (glob)
>    checking default template (*mercurial?templates?map-cmdline.default) (glob)
>    checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
>    checking username...
> @@ -66,16 +75,19 @@ path variables are expanded (~ is the sa
>  #if execbit
>    $ chmod 755 tools/testeditor.exe
>  #endif
>    $ hg debuginstall --config ui.editor=~/tools/testeditor.exe
>    checking encoding (ascii)...
>    checking Python executable (*) (glob)
>    checking Python version (*) (glob)
>    checking Python lib (*lib*)... (glob)
> +  checking Python security support (*) (glob)
> +    TLS 1.2 not supported by Python install; network connections lack modern security (?)
> +    SNI not supported by Python install; may have connectivity issues with some servers (?)
>    checking Mercurial version (*) (glob)
>    checking Mercurial custom build (*) (glob)
>    checking module policy (*) (glob)
>    checking installed modules (*mercurial)... (glob)
>    checking templates (*mercurial?templates)... (glob)
>    checking default template (*mercurial?templates?map-cmdline.default) (glob)
>    checking commit editor... (* -c "import sys; sys.exit(0)") (glob)
>    checking username (test)

