Require TLS 1.2 for Mercurial operations

RESOLVED FIXED in mozilla55

(Reporter: gps, Assigned: gps)

Patch and commit message explaining this to follow.

Summary: Require modern TLS for Mercurial operations → Require TLS 1.2 for Mercurial operations

Comment on attachment 8857212 [details]
Bug 1355624 - Make Mercurial require TLS 1.2+ connections;

https://reviewboard.mozilla.org/r/129142/#review131660

::: commit-message-abf14:22
(Diff revision 1)
> +TLS 1.2+ for all https:// communications. For modern Python versions,
> +this effectively prevents potential downgrade attacks to TLS 1.1
> +(connections before should have negotiated the use of TLS 1.2).
> +
> +I expect this change to break things. Finding and fixing automation
> +that isn't capable of speaking TLS 1.1+ should be encouraged.
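
Review bot: the last quoted line asks for fixing automation "that isn't capable of speaking TLS 1.1+", while the first quoted line states the requirement as TLS 1.2+. If the clients expected to break are the ones that cannot negotiate TLS 1.2, the sentence should say "TLS 1.2+"; if 1.1 is meant, a clause explaining why that is the threshold would help whoever triages the resulting failures.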

It's hard to r+ a commit with this message! I assume testing in try is sufficient, or do you need to land and see what breaks?

Attachment #8857212 - Flags: review?(dustin) → review+

Comment on attachment 8857212 [details]
Bug 1355624 - Make Mercurial require TLS 1.2+ connections;

https://reviewboard.mozilla.org/r/129142/#review131660

> It's hard to r+ a commit with this message! I assume testing in try is sufficient, or do you need to land and see what breaks?

I would hope Try would catch most things. But we may need to just land and see what breaks in case there are random one-off tasks not captured as part of my Try push. Every failure does represent a potential security issue. So I say let's flush 'em out!

FWIW, I expect most tasks that use this code to "just work." The troublemakers will be Windows, not-TC, and TC images not using install-mercurial.sh.

Anyway, my Try push looks surprisingly green. So I'm going to land this and see what happens. I imagine a sheriff won't hesitate to back me out.

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/26b7053440a5
Make Mercurial require TLS 1.2+ connections; r=dustin
https://hg.mozilla.org/mozilla-central/rev/26b7053440a5

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Blocks: 1370964
Product: TaskCluster → Firefox Build System