upstream/mercurial-mirror Commit - r29555:121d1181

hgweb: use sslutil.wrapserversocket()...

Gregory Szorc -

r29555:121d1181 default

parent child

mercurial/hgweb/server.py

0 +13 -5

                  @staticmethod
                  def preparehttpserver(httpserver, ui):
                      try:
-                         import ssl
-                         ssl.wrap_socket
+                         from .. import sslutil
+                         sslutil.modernssl
                      except ImportError:
                          raise error.Abort(_("SSL support is unavailable"))
                      certfile = ui.config('web', 'certificate')
-                     httpserver.socket = ssl.wrap_socket(
-                         httpserver.socket, server_side=True,
-                         certfile=certfile, ssl_version=ssl.PROTOCOL_TLSv1)
+                     # These config options are currently only meant for testing. Use
+                     # at your own risk.
+                     cafile = ui.config('devel', 'servercafile')
+                     reqcert = ui.configbool('devel', 'serverrequirecert')
+                     httpserver.socket = sslutil.wrapserversocket(httpserver.socket,
+                                                                  ui,
+                                                                  certfile=certfile,
+                                                                  cafile=cafile,
+                                                                  requireclientcert=reqcert)
                  def setup(self):
                      self.connection = self.request

tests/test-https.t

0 +2 -18

              #if sslcontext
-             Start patched hgweb that requires client certificates:
+             Start hgweb that requires client certificates:
-               $ cat << EOT > reqclientcert.py
-               > import ssl
-               > from mercurial.hgweb import server
-               > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
-               >     @staticmethod
-               >     def preparehttpserver(httpserver, ui):
-               >         certfile = ui.config('web', 'certificate')
-               >         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-               >         sslcontext.verify_mode = ssl.CERT_REQUIRED
-               >         sslcontext.load_cert_chain(certfile)
-               >         # verify clients by server certificate
-               >         sslcontext.load_verify_locations(certfile)
-               >         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
-               >                                                    server_side=True)
-               > server._httprequesthandlerssl = _httprequesthandlersslclientcert
-               > EOT
                $ cd test
                $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
-               > --config extensions.reqclientcert=../reqclientcert.py
+               > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
                $ cat ../hg0.pid >> $DAEMON_PIDS
                $ cd ..

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages