1355624 - Require TLS 1.2 for Mercurial operations

Status: RESOLVED FIXED

(Firefox Build System :: Task Configuration, task)

Description

[Gregory Szorc [:gps]]

Patch and commit message explaining this to follow.

Comment 1

[Gregory Szorc [:gps]]

Attachment: Bug 1355624 - Make Mercurial require TLS 1.2+ connections;

Mercurial uses the latest version of TLS that is both supported by
Python and the server.

In automation, the servers we care about should all support TLS 1.2.

The Python side is trickier. Modern versions of Python (typically 2.7.9+)
support TLS 1.1 and 1.2. Mercurial will default to allowing TLS 1.1+ -
explicitly disallowing TLS 1.0. However, legacy versions of Python
don't support TLS 1.1+, so Mercurial will allow TLS 1.0+ rather than
prevent connections at all.

TLS 1.0 is borderline secure these days. I think it is a bug for TLS
1.0 to be used anywhere in the Firefox release process. This simple
patch changes our default Mercurial config in TaskCluster to require
TLS 1.2+ for all https:// communications. For modern Python versions,
this effectively prevents potential downgrade attacks to TLS 1.1
(connections before should have negotiated the use of TLS 1.2).

I expect this change to break things. Finding and fixing automation
that isn't capable of speaking TLS 1.1+ should be encouraged.

Review commit: https://reviewboard.mozilla.org/r/129142/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/129142/

Comment 2

[Dustin J. Mitchell [:dustin] (he/him)]

Comment on attachment 8857212 [details]
Bug 1355624 - Make Mercurial require TLS 1.2+ connections;

https://reviewboard.mozilla.org/r/129142/#review131660

::: commit-message-abf14:22
(Diff revision 1)
> +TLS 1.2+ for all https:// communications. For modern Python versions,
> +this effectively prevents potential downgrade attacks to TLS 1.1
> +(connections before should have negotiated the use of TLS 1.2).
> +
> +I expect this change to break things. Finding and fixing automation
> +that isn't capable of speaking TLS 1.1+ should be encouraged.

It's hard to r+ a commit with this message!  I assume testing in try is sufficient, or do you need to land and see what breaks?

Comment 3

[Gregory Szorc [:gps]]

Comment on attachment 8857212 [details]
Bug 1355624 - Make Mercurial require TLS 1.2+ connections;

https://reviewboard.mozilla.org/r/129142/#review131660

> It's hard to r+ a commit with this message!  I assume testing in try is sufficient, or do you need to land and see what breaks?

I would hope Try would catch most things. But we may need to just land and see what breaks in case there are random one-off tasks not captured as part of my Try push. Every failure does represent a potential security issue. So I say let's flush 'em out!

FWIW, I expect most tasks that use this code to "just work." The troublemakers will be Windows, not-TC, and TC images not using install-mercurial.sh.

Anyway, my Try push looks surprisingly green. So I'm going to land this and see what happens. I imagine a sheriff won't hesitate to back me out.

Comment 4

[Pulsebot]

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/26b7053440a5
Make Mercurial require TLS 1.2+ connections; r=dustin

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/26b7053440a5

Comment 6

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/9bd10c7f6217

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr52/rev/154327e98878