mirror of https://github.com/mozilla/gecko-dev.git
5094da93bf
Mercurial uses the latest version of TLS that is both supported by Python and the server. In automation, the servers we care about should all support TLS 1.2. The Python side is trickier. Modern versions of Python (typically 2.7.9+) support TLS 1.1 and 1.2. Mercurial will default to allowing TLS 1.1+ - explicitly disallowing TLS 1.0. However, legacy versions of Python don't support TLS 1.1+, so Mercurial will allow TLS 1.0+ rather than prevent connections at all. TLS 1.0 is borderline secure these days. I think it is a bug for TLS 1.0 to be used anywhere in the Firefox release process. This simple patch changes our default Mercurial config in TaskCluster to require TLS 1.2+ for all https:// communications. For modern Python versions, this effectively prevents potential downgrade attacks to TLS 1.1 (connections before should have negotiated the use of TLS 1.2). I expect this change to break things. Finding and fixing automation that isn't capable of speaking TLS 1.1+ should be encouraged. MozReview-Commit-ID: 876YpL5vB3T --HG-- extra : rebase_source : 69c33c195f736a98b67d771e7364b6db28900ff4 |
||
---|---|---|
actions | ||
ci | ||
docker | ||
docs | ||
scripts | ||
taskgraph | ||
mach_commands.py | ||
moz.build |