Bug 1355624 - Make Mercurial require TLS 1.2+ connections; r?dustin draft
author: Gregory Szorc <gps@mozilla.com>
Tue, 11 Apr 2017 14:52:39 -0700
changeset: 560712 0d91ff65a1c7418431adec9fb906b00e61b720c9
parent: 560546 abf145ebd05fe105efbc78b761858c34f7690154
child: 560841 2bc1e12ecbea89284ea9f6e1be840d815c22458a
push id: 53533
push user: bmo:gps@mozilla.com
push date: Tue, 11 Apr 2017 21:52:48 +0000
reviewers: dustin
bugs: 1355624
milestone: 55.0a1
Bug 1355624 - Make Mercurial require TLS 1.2+ connections; r?dustin

Mercurial uses the latest version of TLS that is both supported by Python and the server. In automation, the servers we care about should all support TLS 1.2.

The Python side is trickier. Modern versions of Python (typically 2.7.9+) support TLS 1.1 and 1.2. Mercurial will default to allowing TLS 1.1+ - explicitly disallowing TLS 1.0. However, legacy versions of Python don't support TLS 1.1+, so Mercurial will allow TLS 1.0+ rather than prevent connections at all.

TLS 1.0 is borderline secure these days. I think it is a bug for TLS 1.0 to be used anywhere in the Firefox release process.

This simple patch changes our default Mercurial config in TaskCluster to require TLS 1.2+ for all https:// communications. For modern Python versions, this effectively prevents potential downgrade attacks to TLS 1.1 (connections before should have negotiated the use of TLS 1.2).

I expect this change to break things. Finding and fixing automation that isn't capable of speaking TLS 1.1+ should be encouraged.

MozReview-Commit-ID: 876YpL5vB3T
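The following is an added example, not part of this commit and not Mercurial's own sslutil code. It shows what the new `hostsecurity.minimumprotocol` setting amounts to on the Python side of the connection the commit message describes: it reads the value out of hgrc text, checks whether the running interpreter's `ssl` module can honor that floor (the legacy-Python case where a `tls1.2` floor means connections fail rather than fall back), builds an `SSLContext` with the equivalent `minimum_version`, and decides whether a negotiated version would be below the floor. `SAMPLE_HGRC` is a constructed fragment modelled on the hunk, the helper names and the mapping to `ssl.TLSVersion` are the example's own assumptions, and it needs Python 3.7+ for `ssl.TLSVersion` and `SSLContext.minimum_version`.

```python
import configparser
import ssl

# Constructed hgrc fragment modelled on the patched file (sample input only;
# it is not the file install-mercurial.sh actually writes).
SAMPLE_HGRC = """\
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt

[extensions]
robustcheckout = /usr/local/mercurial/robustcheckout.py

[hostsecurity]
# Require TLS 1.2 for all https:// communication.
minimumprotocol = tls1.2

# Settings to make 1-click loaners more useful.
[extensions]
color =
rebase =
"""

# Values Mercurial documents for hostsecurity.minimumprotocol, mapped to the
# ssl.TLSVersion enum (assumed mapping; Python 3.7+).
MINIMUM_PROTOCOLS = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}
# Ascending order used to compare a negotiated version against the floor.
PROTOCOL_ORDER = ["tls1.0", "tls1.1", "tls1.2", "tls1.3"]


def parse_minimum_protocol(hgrc_text):
    """Return hostsecurity.minimumprotocol (lower-cased) or None if unset.

    strict=False lets configparser accept a repeated section header; the
    generated hgrc in the patch has [extensions] twice.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(hgrc_text)
    value = parser.get("hostsecurity", "minimumprotocol", fallback=None)
    if value is None:
        return None
    value = value.strip().lower()
    if value not in MINIMUM_PROTOCOLS:
        raise ValueError("unsupported minimumprotocol: %r" % value)
    return value


def interpreter_supports(minimum):
    """True if this interpreter's ssl module can negotiate `minimum` or higher.

    On a legacy Python without TLS 1.2 a tls1.2 floor cannot be met, so every
    https:// connection would be refused instead of downgraded.
    """
    if minimum == "tls1.2":
        return ssl.HAS_TLSv1_2 or ssl.HAS_TLSv1_3
    if minimum == "tls1.1":
        return ssl.HAS_TLSv1_1 or ssl.HAS_TLSv1_2 or ssl.HAS_TLSv1_3
    return True  # tls1.0: every Python with an ssl module speaks at least this


def build_client_context(minimum):
    """Client SSLContext whose protocol floor matches the hgrc setting."""
    ctx = ssl.create_default_context()  # PROTOCOL_TLS_CLIENT, verification on
    ctx.minimum_version = MINIMUM_PROTOCOLS[minimum]
    return ctx


def is_below_floor(minimum, negotiated):
    """`negotiated` is the string SSLSocket.version() returns, e.g. 'TLSv1.1'.

    Anything that is not a recognised TLS version (SSLv3, None) is treated as
    below the floor.
    """
    names = {"TLSv1": "tls1.0", "TLSv1.1": "tls1.1",
             "TLSv1.2": "tls1.2", "TLSv1.3": "tls1.3"}
    name = names.get(negotiated)
    if name is None:
        return True
    return PROTOCOL_ORDER.index(name) < PROTOCOL_ORDER.index(minimum)


def audit(hgrc_text):
    """Summarise what the hgrc enforces and whether this Python can comply."""
    minimum = parse_minimum_protocol(hgrc_text)
    if minimum is None:
        return {"minimum": None, "enforced": False, "supported": True}
    return {
        "minimum": minimum,
        "enforced": True,
        "supported": interpreter_supports(minimum),
        "context_floor": build_client_context(minimum).minimum_version,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_HGRC))
```

Running `audit()` on the sample reports `tls1.2` as the enforced floor and whether the interpreter can meet it; a `False` under `supported` is the situation the commit message expects to surface in automation still running a legacy Python.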
taskcluster/docker/recipes/install-mercurial.sh
--- a/taskcluster/docker/recipes/install-mercurial.sh
+++ b/taskcluster/docker/recipes/install-mercurial.sh
@@ -125,16 +125,24 @@ refresh = 1.0
 assume-tty = true
 
 [web]
 cacerts = ${CERT_PATH}
 
 [extensions]
 robustcheckout = /usr/local/mercurial/robustcheckout.py
 
+[hostsecurity]
+# When running a modern Python, Mercurial will default to TLS 1.1+.
+# When running on a legacy Python, Mercurial will default to TLS 1.0+.
+# There is no good reason we shouldn't be running a modern Python
+# capable of speaking TLS 1.2. And the only Mercurial servers we care
+# about should be running TLS 1.2. So make TLS 1.2 the minimum.
+minimumprotocol = tls1.2
+
 # Settings to make 1-click loaners more useful.
 [extensions]
 color =
 histedit =
 pager =
 rebase =
 
 [diff]
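Review bot: The comment block in the new `[hostsecurity]` section explains the defaults but not the failure mode of the floor it sets: on a Python whose ssl module cannot speak TLS 1.2, `minimumprotocol = tls1.2` makes Mercurial refuse every https:// connection rather than negotiate a lower version, which the commit message anticipates ("I expect this change to break things") but the file itself does not say. Suggest adding a line such as `# A Python without TLS 1.2 support will fail to connect at all; that is intentional.` so whoever hits the error inside a docker image finds the reason next to the setting. Minor: the file already had two `[extensions]` sections, and inserting `[hostsecurity]` between them makes the second one read like a stray tail; if the loaner settings are meant to stay separate, a comment saying the sections are merged would avoid a reader thinking the first is overridden.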