upstream/mercurial-mirror Commit - r29555:121d1181

hgweb: use sslutil.wrapserversocket()...

Gregory Szorc -

r29555:121d1181 default

parent child

mercurial/hgweb/server.py

0 +13 -5

             # hgweb/server.py - The standalone hg web server.
             #
             # Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net>
             # Copyright 2005-2007 Matt Mackall <mpm@selenic.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from __future__ import absolute_import
             import BaseHTTPServer
             import errno
             import os
             import socket
             import sys
             import traceback
             from ..i18n import _
             from .. import (
                 error,
                 util,
             )
             socketserver = util.socketserver
             urlerr = util.urlerr
             urlreq = util.urlreq
             from . import (
                 common,
             )
             def _splitURI(uri):
                 """Return path and query that has been split from uri
                 Just like CGI environment, the path is unquoted, the query is
                 not.
                 """
                 if '?' in uri:
                     path, query = uri.split('?', 1)
                 else:
                     path, query = uri, ''
                 return urlreq.unquote(path), query
             class _error_logger(object):
                 def __init__(self, handler):
                     self.handler = handler
                 def flush(self):
                     pass
                 def write(self, str):
                     self.writelines(str.split('\n'))
                 def writelines(self, seq):
                     for msg in seq:
                         self.handler.log_error("HG error:  %s", msg)
             class _httprequesthandler(BaseHTTPServer.BaseHTTPRequestHandler):
                 url_scheme = 'http'
                 @staticmethod
                 def preparehttpserver(httpserver, ui):
                     """Prepare .socket of new HTTPServer instance"""
                     pass
                 def __init__(self, *args, **kargs):
                     self.protocol_version = 'HTTP/1.1'
                     BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kargs)
                 def _log_any(self, fp, format, *args):
                     fp.write("%s - - [%s] %s\n" % (self.client_address[0],
                                                    self.log_date_time_string(),
                                                    format % args))
                     fp.flush()
                 def log_error(self, format, *args):
                     self._log_any(self.server.errorlog, format, *args)
                 def log_message(self, format, *args):
                     self._log_any(self.server.accesslog, format, *args)
                 def log_request(self, code='-', size='-'):
                     xheaders = []
                     if util.safehasattr(self, 'headers'):
                         xheaders = [h for h in self.headers.items()
                                     if h[0].startswith('x-')]
                     self.log_message('"%s" %s %s%s',
                                      self.requestline, str(code), str(size),
                                      ''.join([' %s:%s' % h for h in sorted(xheaders)]))
                 def do_write(self):
                     try:
                         self.do_hgweb()
                     except socket.error as inst:
                         if inst[0] != errno.EPIPE:
                             raise
                 def do_POST(self):
                     try:
                         self.do_write()
                     except Exception:
                         self._start_response("500 Internal Server Error", [])
                         self._write("Internal Server Error")
                         self._done()
                         tb = "".join(traceback.format_exception(*sys.exc_info()))
                         self.log_error("Exception happened during processing "
                                        "request '%s':\n%s", self.path, tb)
                 def do_GET(self):
                     self.do_POST()
                 def do_hgweb(self):
                     path, query = _splitURI(self.path)
                     env = {}
                     env['GATEWAY_INTERFACE'] = 'CGI/1.1'
                     env['REQUEST_METHOD'] = self.command
                     env['SERVER_NAME'] = self.server.server_name
                     env['SERVER_PORT'] = str(self.server.server_port)
                     env['REQUEST_URI'] = self.path
                     env['SCRIPT_NAME'] = self.server.prefix
                     env['PATH_INFO'] = path[len(self.server.prefix):]
                     env['REMOTE_HOST'] = self.client_address[0]
                     env['REMOTE_ADDR'] = self.client_address[0]
                     if query:
                         env['QUERY_STRING'] = query
                     if self.headers.typeheader is None:
                         env['CONTENT_TYPE'] = self.headers.type
                     else:
                         env['CONTENT_TYPE'] = self.headers.typeheader
                     length = self.headers.getheader('content-length')
                     if length:
                         env['CONTENT_LENGTH'] = length
                     for header in [h for h in self.headers.keys()
                                    if h not in ('content-type', 'content-length')]:
                         hkey = 'HTTP_' + header.replace('-', '_').upper()
                         hval = self.headers.getheader(header)
                         hval = hval.replace('\n', '').strip()
                         if hval:
                             env[hkey] = hval
                     env['SERVER_PROTOCOL'] = self.request_version
                     env['wsgi.version'] = (1, 0)
                     env['wsgi.url_scheme'] = self.url_scheme
                     if env.get('HTTP_EXPECT', '').lower() == '100-continue':
                         self.rfile = common.continuereader(self.rfile, self.wfile.write)
                     env['wsgi.input'] = self.rfile
                     env['wsgi.errors'] = _error_logger(self)
                     env['wsgi.multithread'] = isinstance(self.server,
                                                          socketserver.ThreadingMixIn)
                     env['wsgi.multiprocess'] = isinstance(self.server,
                                                           socketserver.ForkingMixIn)
                     env['wsgi.run_once'] = 0
                     self.saved_status = None
                     self.saved_headers = []
                     self.sent_headers = False
                     self.length = None
                     self._chunked = None
                     for chunk in self.server.application(env, self._start_response):
                         self._write(chunk)
                     if not self.sent_headers:
                         self.send_headers()
                     self._done()
                 def send_headers(self):
                     if not self.saved_status:
                         raise AssertionError("Sending headers before "
                                              "start_response() called")
                     saved_status = self.saved_status.split(None, 1)
                     saved_status[0] = int(saved_status[0])
                     self.send_response(*saved_status)
                     self.length = None
                     self._chunked = False
                     for h in self.saved_headers:
                         self.send_header(*h)
                         if h[0].lower() == 'content-length':
                             self.length = int(h[1])
                     if (self.length is None and
                         saved_status[0] != common.HTTP_NOT_MODIFIED):
                         self._chunked = (not self.close_connection and
                                          self.request_version == "HTTP/1.1")
                         if self._chunked:
                             self.send_header('Transfer-Encoding', 'chunked')
                         else:
                             self.send_header('Connection', 'close')
                     self.end_headers()
                     self.sent_headers = True
                 def _start_response(self, http_status, headers, exc_info=None):
                     code, msg = http_status.split(None, 1)
                     code = int(code)
                     self.saved_status = http_status
                     bad_headers = ('connection', 'transfer-encoding')
                     self.saved_headers = [h for h in headers
                                           if h[0].lower() not in bad_headers]
                     return self._write
                 def _write(self, data):
                     if not self.saved_status:
                         raise AssertionError("data written before start_response() called")
                     elif not self.sent_headers:
                         self.send_headers()
                     if self.length is not None:
                         if len(data) > self.length:
                             raise AssertionError("Content-length header sent, but more "
                                                  "bytes than specified are being written.")
                         self.length = self.length - len(data)
                     elif self._chunked and data:
                         data = '%x\r\n%s\r\n' % (len(data), data)
                     self.wfile.write(data)
                     self.wfile.flush()
                 def _done(self):
                     if self._chunked:
                         self.wfile.write('0\r\n\r\n')
                         self.wfile.flush()
             class _httprequesthandlerssl(_httprequesthandler):
                 """HTTPS handler based on Python's ssl module"""
                 url_scheme = 'https'
                 @staticmethod
                 def preparehttpserver(httpserver, ui):
                     try:
-                        import ssl
+                        from .. import sslutil
-                        ssl.wrap_socket
+                        sslutil.modernssl
                     except ImportError:
                         raise error.Abort(_("SSL support is unavailable"))
                     certfile = ui.config('web', 'certificate')
-                    httpserver.socket = ssl.wrap_socket(
-                        httpserver.socket, server_side=True,
+                    # These config options are currently only meant for testing. Use
-                        certfile=certfile, ssl_version=ssl.PROTOCOL_TLSv1)
+                    # at your own risk.
+                    cafile = ui.config('devel', 'servercafile')
+                    reqcert = ui.configbool('devel', 'serverrequirecert')
+                    httpserver.socket = sslutil.wrapserversocket(httpserver.socket,
+                                                                 ui,
+                                                                 certfile=certfile,
+                                                                 cafile=cafile,
+                                                                 requireclientcert=reqcert)
                 def setup(self):
                     self.connection = self.request
                     self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
                     self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
             try:
                 import threading
                 threading.activeCount() # silence pyflakes and bypass demandimport
                 _mixin = socketserver.ThreadingMixIn
             except ImportError:
                 if util.safehasattr(os, "fork"):
                     _mixin = socketserver.ForkingMixIn
                 else:
                     class _mixin(object):
                         pass
             def openlog(opt, default):
                 if opt and opt != '-':
                     return open(opt, 'a')
                 return default
             class MercurialHTTPServer(object, _mixin, BaseHTTPServer.HTTPServer):
                 # SO_REUSEADDR has broken semantics on windows
                 if os.name == 'nt':
                     allow_reuse_address = 0
                 def __init__(self, ui, app, addr, handler, **kwargs):
                     BaseHTTPServer.HTTPServer.__init__(self, addr, handler, **kwargs)
                     self.daemon_threads = True
                     self.application = app
                     handler.preparehttpserver(self, ui)
                     prefix = ui.config('web', 'prefix', '')
                     if prefix:
                         prefix = '/' + prefix.strip('/')
                     self.prefix = prefix
                     alog = openlog(ui.config('web', 'accesslog', '-'), sys.stdout)
                     elog = openlog(ui.config('web', 'errorlog', '-'), sys.stderr)
                     self.accesslog = alog
                     self.errorlog = elog
                     self.addr, self.port = self.socket.getsockname()[0:2]
                     self.fqaddr = socket.getfqdn(addr[0])
             class IPv6HTTPServer(MercurialHTTPServer):
                 address_family = getattr(socket, 'AF_INET6', None)
                 def __init__(self, *args, **kwargs):
                     if self.address_family is None:
                         raise error.RepoError(_('IPv6 is not available on this system'))
                     super(IPv6HTTPServer, self).__init__(*args, **kwargs)
             def create_server(ui, app):
                 if ui.config('web', 'certificate'):
                     handler = _httprequesthandlerssl
                 else:
                     handler = _httprequesthandler
                 if ui.configbool('web', 'ipv6'):
                     cls = IPv6HTTPServer
                 else:
                     cls = MercurialHTTPServer
                 # ugly hack due to python issue5853 (for threaded use)
                 try:
                     import mimetypes
                     mimetypes.init()
                 except UnicodeDecodeError:
                     # Python 2.x's mimetypes module attempts to decode strings
                     # from Windows' ANSI APIs as ascii (fail), then re-encode them
                     # as ascii (clown fail), because the default Python Unicode
                     # codec is hardcoded as ascii.
                     sys.argv # unwrap demand-loader so that reload() works
                     reload(sys) # resurrect sys.setdefaultencoding()
                     oldenc = sys.getdefaultencoding()
                     sys.setdefaultencoding("latin1") # or any full 8-bit encoding
                     mimetypes.init()
                     sys.setdefaultencoding(oldenc)
                 address = ui.config('web', 'address', '')
                 port = util.getport(ui.config('web', 'port', 8000))
                 try:
                     return cls(ui, app, (address, port), handler)
                 except socket.error as inst:
                     raise error.Abort(_("cannot start server at '%s:%d': %s")
                                      % (address, port, inst.args[1]))

tests/test-https.t

0 +2 -18

             #require serve ssl
             Proper https client requires the built-in ssl from Python 2.6.
             Make server certificates:
               $ CERTSDIR="$TESTDIR/sslcerts"
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
               $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
             #if windows
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT':
               [255]
             #else
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
             #endif
               $ cd ..
             Our test cert is not signed by a trusted CA. It should fail to verify if
             we are able to load CA certs.
             #if sslcontext defaultcacerts no-defaultcacertsloaded
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-sslcontext defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-sslcontext windows
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-sslcontext osx
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
               abort: localhost certificate error: no certificate received
               (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
               [255]
             #endif
             #if defaultcacertsloaded
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             #if no-defaultcacerts
               $ hg clone https://localhost:$HGPORT/ copy-pull
               (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
               abort: localhost certificate error: no certificate received
               (set hostsecurity.localhost:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely)
               [255]
             #endif
             Specifying a per-host certificate file that doesn't exist will abort
               $ hg --config hostsecurity.localhost:verifycertsfile=/does/not/exist clone https://localhost:$HGPORT/
               abort: path specified by hostsecurity.localhost:verifycertsfile does not exist: /does/not/exist
               [255]
             A malformed per-host certificate file will raise an error
               $ echo baddata > badca.pem
             #if sslcontext
               $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
               abort: error loading CA file badca.pem: * (glob)
               (file is empty or malformed?)
               [255]
             #else
               $ hg --config hostsecurity.localhost:verifycertsfile=badca.pem clone https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif
             A per-host certificate mismatching the server will fail verification
             (modern ssl is able to discern whether the loaded cert is a CA cert)
             #if sslcontext
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
               (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
               abort: error: *certificate verify failed* (glob)
               [255]
             #else
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/client-cert.pem" clone https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
             #endif
             A per-host certificate matching the server's cert will be accepted
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" clone -U https://localhost:$HGPORT/ perhostgood1
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             A per-host certificate with multiple certs and one matching will be accepted
               $ cat "$CERTSDIR/client-cert.pem" "$CERTSDIR/pub.pem" > perhost.pem
               $ hg --config hostsecurity.localhost:verifycertsfile=perhost.pem clone -U https://localhost:$HGPORT/ perhostgood2
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
             Defining both per-host certificate and a fingerprint will print a warning
               $ hg --config hostsecurity.localhost:verifycertsfile="$CERTSDIR/pub.pem" --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03 clone -U https://localhost:$HGPORT/ caandfingerwarning
               (hostsecurity.localhost:verifycertsfile ignored when host fingerprints defined; using host fingerprints for verification)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
             Inability to verify peer certificate will result in abort
               $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
               abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
               (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
               [255]
               $ hg clone --insecure https://localhost:$HGPORT/ copy-pull
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
               $ hg pull $DISABLECACERTS
               pulling from https://localhost:$HGPORT/
               abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect
               (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server)
               [255]
               $ hg pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P="$CERTSDIR" hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P="$CERTSDIR" hg -R copy-pull pull --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             empty cacert file
               $ touch emptycafile
             #if sslcontext
               $ hg --config web.cacerts=emptycafile -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               abort: error loading CA file emptycafile: * (glob)
               (file is empty or malformed?)
               [255]
             #else
               $ hg --config web.cacerts=emptycafile -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/ (glob)
               abort: 127.0.0.1 certificate error: certificate is for localhost (glob)
               (set hostsecurity.127.0.0.1:certfingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e config setting or use --insecure to connect insecurely) (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
               > https://127.0.0.1:$HGPORT/ --insecure
               pulling from https://127.0.0.1:$HGPORT/ (glob)
               warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering (glob)
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
               > --insecure
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
               > https://localhost:$HGPORT1/
               pulling from https://localhost:$HGPORT1/
               abort: error: *certificate verify failed* (glob)
               [255]
             Test server cert which no longer is valid
               $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
               > https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
             Fingerprints
             - works without cacerts (hostkeyfingerprints)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
 fed3813f7f5
             - works without cacerts (hostsecurity)
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
 fed3813f7f5
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e
 fed3813f7f5
             - multiple fingerprints specified and first matches
               $ hg --config 'hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
 fed3813f7f5
             - multiple fingerprints specified and last matches
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/ --insecure
 fed3813f7f5
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03' -R copy-pull id https://localhost:$HGPORT/
 fed3813f7f5
             - multiple fingerprints specified and none match
               $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
               abort: certificate for localhost has unexpected fingerprint ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
               (check hostfingerprint configuration)
               [255]
               $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
               abort: certificate for localhost has unexpected fingerprint sha1:ec:d8:7c:d6:b3:86:d0:4f:c1:b8:b4:1c:9d:8f:5e:16:8e:ef:1c:03
               (check hostsecurity configuration)
               [255]
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
               abort: certificate for localhost has unexpected fingerprint f4:2f:5a:0c:3e:52:5b:db:e7:24:a8:32:1d:18:97:6d:69:b5:87:84
               (check hostfingerprint configuration)
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
 fed3813f7f5
             HGPORT1 is reused below for tinyproxy tests. Kill that server.
               $ killdaemons.py hg1.pid
             Prepare for connecting through proxy
               $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
               $ while [ ! -f proxy.pid ]; do sleep 0; done
               $ cat proxy.pid >> $DAEMON_PIDS
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               pulling from https://localhost:$HGPORT/
               warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub.pem"
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=ecd87cd6b386d04fc1b8b41c9d8f5e168eef1c03
               pulling from https://127.0.0.1:$HGPORT/ (glob)
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-other.pem"
               pulling from https://localhost:$HGPORT/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
               > --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
               pulling from https://localhost:$HGPORT2/
               abort: error: *certificate verify failed* (glob)
               [255]
               $ killdaemons.py hg0.pid
             #if sslcontext
-            Start patched hgweb that requires client certificates:
+            Start hgweb that requires client certificates:
-              $ cat << EOT > reqclientcert.py
-              > import ssl
-              > from mercurial.hgweb import server
-              > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
-              >     @staticmethod
-              >     def preparehttpserver(httpserver, ui):
-              >         certfile = ui.config('web', 'certificate')
-              >         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-              >         sslcontext.verify_mode = ssl.CERT_REQUIRED
-              >         sslcontext.load_cert_chain(certfile)
-              >         # verify clients by server certificate
-              >         sslcontext.load_verify_locations(certfile)
-              >         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
-              >                                                    server_side=True)
-              > server._httprequesthandlerssl = _httprequesthandlersslclientcert
-              > EOT
               $ cd test
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
-              > --config extensions.reqclientcert=../reqclientcert.py
+              > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
               $ cat ../hg0.pid >> $DAEMON_PIDS
               $ cd ..
             without client certificate:
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: *handshake failure* (glob)
               [255]
             with client certificate:
               $ cat << EOT >> $HGRCPATH
               > [auth]
               > l.prefix = localhost
               > l.cert = $CERTSDIR/client-cert.pem
               > l.key = $CERTSDIR/client-key.pem
               > EOT
               $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
 fed3813f7f5
               $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
               > --config ui.interactive=True --config ui.nontty=True
               passphrase for */client-key.pem: 5fed3813f7f5 (glob)
               $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
               abort: error: * (glob)
               [255]
             #endif

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages