From f216fb3af54cb1c46b66434889b2f34426620cb9 Mon Sep 17 00:00:00 2001
From: Gregory Szorc
Date: Mon, 7 Dec 2015 13:15:24 -0800
Subject: [PATCH] Bug 1231192 - Only install host fingerprints if not running secure Python+hg; r=smacleod

See inline comment.
---
 tools/mercurial/hgsetup/wizard.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/tools/mercurial/hgsetup/wizard.py b/tools/mercurial/hgsetup/wizard.py
index 49adb238840..77df4974164 100644
--- a/tools/mercurial/hgsetup/wizard.py
+++ b/tools/mercurial/hgsetup/wizard.py
@@ -8,6 +8,7 @@ import difflib
 import errno
 import os
 import shutil
+import ssl
 import stat
 import sys
 import subprocess
@@ -466,7 +467,15 @@ class MercurialSetupWizard(object):
             print('Cleaning up old repository: %s' % path)
             shutil.rmtree(path)
 
-        c.add_mozilla_host_fingerprints()
+        # Python + Mercurial didn't have terrific TLS handling until Python
+        # 2.7.9 and Mercurial 3.4. For this reason, it was recommended to pin
+        # certificates in Mercurial config files. In modern versions of
+        # Mercurial, the system CA store is used and old, legacy TLS protocols
+        # are disabled. The default connection/security setting should
+        # be sufficient and pinning certificates is no longer needed.
+        have_modern_ssl = hasattr(ssl.SSLContext, 'load_default_certs')
+        if hg_version < LooseVersion('3.4') or not have_modern_ssl:
+            c.add_mozilla_host_fingerprints()
 
         # References to multiple version-control-tools checkouts can confuse
         # version-control-tools, since various Mercurial extensions resolve
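Review bot: `hasattr(ssl.SSLContext, 'load_default_certs')` inspects the ssl module of the interpreter running this wizard, not the interpreter that `hg` itself executes under, so on a machine where Mercurial is a system package bound to an older Python the fingerprint pinning is skipped while that `hg` still lacks system-CA verification. The `hg_version < LooseVersion('3.4')` test only covers the Mercurial side of the precondition; `hg_version` and `LooseVersion` are defined outside this hunk, and the enclosing method starts before it. Either derive the capability from the hg installation (for example by parsing `hg debuginstall` output, which reports the Python it runs with) or record the assumption next to the check so a later reader does not take it as verified: `# NOTE: probes the wizard's own Python; assumes hg runs under the same interpreter`. Skipping the pin also widens trust from a fixed set of fingerprints to every CA in the system store, which is worth a line in the comment so the trade-off is explicit.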