ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
Yuya Nishihara -
r25415:21b536f0 default
@@ -21,7 +21,8 b' try:'
21 _canloaddefaultcerts = util.safehasattr(ssl_context,
21 _canloaddefaultcerts = util.safehasattr(ssl_context,
22 'load_default_certs')
22 'load_default_certs')
23
23
24 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
24 def ssl_wrap_socket(sock, keyfile, certfile, ui,
25 cert_reqs=ssl.CERT_NONE,
25 ca_certs=None, serverhostname=None):
26 ca_certs=None, serverhostname=None):
26 # Allow any version of SSL starting with TLSv1 and
27 # Allow any version of SSL starting with TLSv1 and
27 # up. Note that specifying TLSv1 here prohibits use of
28 # up. Note that specifying TLSv1 here prohibits use of
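Review bot: The new `ui` parameter at new line 24 is a required positional argument inserted ahead of `cert_reqs`, so a caller outside this commit that still passes `cert_reqs` positionally now binds it to `ui`, and the mistake only surfaces later when an encrypted key triggers the passphrase callback; the contract deserves a docstring. I would put `"""Wrap sock in TLS. ui is only used to prompt for the passphrase of an encrypted keyfile; it may be None when certfile is None."""` directly under the signature, the `None` case being what the url.py caller in this commit relies on. The function body continues past the end of this hunk.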
@@ -35,7 +36,10 b' try:'
35 sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
36 sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
36 sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
37 sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
37 if certfile is not None:
38 if certfile is not None:
38 sslcontext.load_cert_chain(certfile, keyfile)
39 def password():
40 f = keyfile or certfile
41 return ui.getpass(_('passphrase for %s: ') % f, '')
42 sslcontext.load_cert_chain(certfile, keyfile, password)
39 sslcontext.verify_mode = cert_reqs
43 sslcontext.verify_mode = cert_reqs
40 if ca_certs is not None:
44 if ca_certs is not None:
41 sslcontext.load_verify_locations(cafile=ca_certs)
45 sslcontext.load_verify_locations(cafile=ca_certs)
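Review bot: When the passphrase is wrong, or `ui` is non-interactive so `ui.getpass(..., '')` hands OpenSSL an empty string, `load_cert_chain` at new line 42 raises an `ssl.SSLError` that reaches the user as the bare `abort: error: ...` the new test only matches with a glob, with no hint that the client key's passphrase is the problem. I would catch that error around the call and abort with a message naming the key file, and, provided CPython re-raises exceptions thrown inside the password callback as I believe its ssl module does (confirm), abort from `password()` itself when `ui.interactive()` is false rather than letting OpenSSL try an empty passphrase. Separately, the context line `sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3` just above predates this commit but is wrong: the two flags share no bits, so the right-hand side is 0 and `&=` clears every option, which means the intended SSLv2/SSLv3 exclusion is not applied; it should read `sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`. The function continues beyond both ends of this hunk.
```python
        if certfile is not None:
            f = keyfile or certfile
            def password():
                # OpenSSL would otherwise be fed '' and fail with an opaque error
                if not ui.interactive():
                    raise util.Abort(_('passphrase required for %s but not '
                                       'running interactively') % f)
                return ui.getpass(_('passphrase for %s: ') % f, '')
            try:
                sslcontext.load_cert_chain(certfile, keyfile, password)
            except ssl.SSLError as e:
                raise util.Abort(_('could not load client certificate %s: %s')
                                 % (f, e))
        # … unchanged: verify_mode and load_verify_locations …
```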
@@ -51,7 +55,8 b' try:'
51 raise util.Abort(_('ssl connection failed'))
55 raise util.Abort(_('ssl connection failed'))
52 return sslsocket
56 return sslsocket
53 except AttributeError:
57 except AttributeError:
54 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
58 def ssl_wrap_socket(sock, keyfile, certfile, ui,
59 cert_reqs=ssl.CERT_NONE,
55 ca_certs=None, serverhostname=None):
60 ca_certs=None, serverhostname=None):
56 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
61 sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
57 cert_reqs=cert_reqs, ca_certs=ca_certs,
62 cert_reqs=cert_reqs, ca_certs=ca_certs,
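Review bot: On this `ssl.wrap_socket` fallback the new `ui` argument at new line 58 is accepted but never used, so an encrypted client key does not get the passphrase prompt the SSLContext path now offers; `ssl.wrap_socket` takes no password callback, so OpenSSL presumably falls back to its own terminal prompt or fails outright. That silent difference deserves a comment, e.g. `# ui is unused here: ssl.wrap_socket cannot take a passphrase callback, so an encrypted keyfile is not supported on this path`. The same applies to the `socket.ssl` fallback in the following hunk. The function body continues past the end of this hunk.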
@@ -67,7 +72,8 b' except ImportError:'
67
72
68 import socket, httplib
73 import socket, httplib
69
74
70 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=CERT_REQUIRED,
75 def ssl_wrap_socket(sock, keyfile, certfile, ui,
76 cert_reqs=CERT_REQUIRED,
71 ca_certs=None, serverhostname=None):
77 ca_certs=None, serverhostname=None):
72 if not util.safehasattr(socket, 'ssl'):
78 if not util.safehasattr(socket, 'ssl'):
73 raise util.Abort(_('Python SSL support not found'))
79 raise util.Abort(_('Python SSL support not found'))
@@ -146,7 +152,7 b' def _defaultcacerts():'
146 return '!'
152 return '!'
147
153
148 def sslkwargs(ui, host):
154 def sslkwargs(ui, host):
149 kws = {}
155 kws = {'ui': ui}
150 hostfingerprint = ui.config('hostfingerprints', host)
156 hostfingerprint = ui.config('hostfingerprints', host)
151 if hostfingerprint:
157 if hostfingerprint:
152 return kws
158 return kws
@@ -175,7 +175,7 b' class httpconnection(keepalive.HTTPConne'
175 self.sock.connect((self.host, self.port))
175 self.sock.connect((self.host, self.port))
176 if _generic_proxytunnel(self):
176 if _generic_proxytunnel(self):
177 # we do not support client X.509 certificates
177 # we do not support client X.509 certificates
178 self.sock = sslutil.ssl_wrap_socket(self.sock, None, None,
178 self.sock = sslutil.ssl_wrap_socket(self.sock, None, None, None,
179 serverhostname=self.host)
179 serverhostname=self.host)
180 else:
180 else:
181 keepalive.HTTPConnection.connect(self)
181 keepalive.HTTPConnection.connect(self)
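Review bot: The updated call at new line 178 now passes four positional `None`s, and the comment above it explains only the first two (no client certificate); the added `None` is the `ui` the new passphrase prompt would need, which is safe only because `certfile` is `None` here. Spelling the arguments out as keywords, `sslutil.ssl_wrap_socket(self.sock, keyfile=None, certfile=None, ui=None, serverhostname=self.host)`, makes that dependency visible to the next reader. The enclosing `connect` method starts before this hunk.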
@@ -385,10 +385,19 b' with client certificate:'
385 > [auth]
385 > [auth]
386 > l.prefix = localhost
386 > l.prefix = localhost
387 > l.cert = client-cert.pem
387 > l.cert = client-cert.pem
388 > l.key = client-key.pem
388 > EOT
389 > EOT
389
390
390 $ P=`pwd` hg id https://localhost:$HGPORT/ \
391 $ P=`pwd` hg id https://localhost:$HGPORT/ \
391 > --config auth.l.key=client-key-decrypted.pem
392 > --config auth.l.key=client-key-decrypted.pem
392 5fed3813f7f5
393 5fed3813f7f5
393
394
395 $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \
396 > --config ui.interactive=True --config ui.nontty=True
397 passphrase for client-key.pem: 5fed3813f7f5
398
399 $ env P=`pwd` hg id https://localhost:$HGPORT/
400 abort: error: * (glob)
401 [255]
402
394 #endif
403 #endif
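Review bot: The new non-interactive case at new lines 399-401 asserts only `abort: error: * (glob)`, so it would also pass on an unrelated TLS failure and records nothing about why an encrypted key cannot be used without a tty; if sslutil gains a specific abort for a missing or wrong passphrase, pin that message here instead of the glob. The interactive case feeds the passphrase through stdin with `ui.nontty=True`, which is why the prompt and the `5fed3813f7f5` output land on one line; a one-line comment above it saying so would spare the next reader a puzzle. Note also that the first invocation still overrides `auth.l.key` with the decrypted key, so only the two new invocations exercise the encrypted `client-key.pem` added to the config.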