upstream/mercurial-mirror Commit - r29555:121d1181

hgweb: use sslutil.wrapserversocket()...

Gregory Szorc -

r29555:121d1181 default

parent child

mercurial/hgweb/server.py

0 +13 -5

                 @staticmethod
                 def preparehttpserver(httpserver, ui):
                     try:
-                        import ssl
+                        from .. import sslutil
-                        ssl.wrap_socket
+                        sslutil.modernssl
                     except ImportError:
                         raise error.Abort(_("SSL support is unavailable"))
                     certfile = ui.config('web', 'certificate')
-                    httpserver.socket = ssl.wrap_socket(
-                        httpserver.socket, server_side=True,
+                    # These config options are currently only meant for testing. Use
-                        certfile=certfile, ssl_version=ssl.PROTOCOL_TLSv1)
+                    # at your own risk.
+                    cafile = ui.config('devel', 'servercafile')
+                    reqcert = ui.configbool('devel', 'serverrequirecert')
+                    httpserver.socket = sslutil.wrapserversocket(httpserver.socket,
+                                                                 ui,
+                                                                 certfile=certfile,
+                                                                 cafile=cafile,
+                                                                 requireclientcert=reqcert)
                 def setup(self):
                     self.connection = self.request

tests/test-https.t

0 +2 -18

@@ -397,27 +397,11 Test https with cert problems through pr
397		397
398	#if sslcontext	398	#if sslcontext
399		399
400	Start ~~patched~~ hgweb that requires client certificates:	400	Start hgweb that requires client certificates:
401		401
402	$ cat << EOT > reqclientcert.py
403	> import ssl
404	> from mercurial.hgweb import server
405	> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
406	> @staticmethod
407	> def preparehttpserver(httpserver, ui):
408	> certfile = ui.config('web', 'certificate')
409	> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
410	> sslcontext.verify_mode = ssl.CERT_REQUIRED
411	> sslcontext.load_cert_chain(certfile)
412	> # verify clients by server certificate
413	> sslcontext.load_verify_locations(certfile)
414	> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
415	> server_side=True)
416	> server._httprequesthandlerssl = _httprequesthandlersslclientcert
417	> EOT
418	$ cd test	402	$ cd test
419	$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \	403	$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
420	> --config extensions.reqclientcert=../reqclientcert.py	404	> --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
421	$ cat ../hg0.pid >> $DAEMON_PIDS	405	$ cat ../hg0.pid >> $DAEMON_PIDS
422	$ cd ..	406	$ cd ..
423		407

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages