@@ -21,7 +21,8 b' try:' | |||
|
21 | 21 | _canloaddefaultcerts = util.safehasattr(ssl_context, |
|
22 | 22 | 'load_default_certs') |
|
23 | 23 | |
|
24 |
def ssl_wrap_socket(sock, keyfile, certfile, |
|
|
24 | def ssl_wrap_socket(sock, keyfile, certfile, ui, | |
|
25 | cert_reqs=ssl.CERT_NONE, | |
|
25 | 26 | ca_certs=None, serverhostname=None): |
|
26 | 27 | # Allow any version of SSL starting with TLSv1 and |
|
27 | 28 | # up. Note that specifying TLSv1 here prohibits use of |
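Review bot: `ui` is inserted as a new positional parameter ahead of `cert_reqs` (new lines 24-25), so any caller that still passes `cert_reqs` positionally would silently hand it in as `ui` and fall back to the `ssl.CERT_NONE` default, i.e. certificate verification would be disabled without an error. The only caller visible in this commit (url.py) is updated, but other callers are not on this page, so that is worth checking. The function also has no docstring; a one-liner such as `"""Wrap *sock* in TLS; *ui* is used to prompt for the passphrase of an encrypted client key."""` would make the new parameter's purpose clear. The function body continues past the end of the hunk.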
@@ -35,7 +36,10 b' try:' | |||
|
35 | 36 | sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |
|
36 | 37 | sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3 |
|
37 | 38 | if certfile is not None: |
|
38 | sslcontext.load_cert_chain(certfile, keyfile) | |
|
39 | def password(): | |
|
40 | f = keyfile or certfile | |
|
41 | return ui.getpass(_('passphrase for %s: ') % f, '') | |
|
42 | sslcontext.load_cert_chain(certfile, keyfile, password) | |
|
39 | 43 | sslcontext.verify_mode = cert_reqs |
|
40 | 44 | if ca_certs is not None: |
|
41 | 45 | sslcontext.load_verify_locations(cafile=ca_certs) |
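Review bot: When the ui is not interactive, `password()` appears to return the `''` default from `ui.getpass`, OpenSSL then rejects the key, and the user sees whatever text OpenSSL produces (the test hunk in this commit globs it as `abort: error: * (glob)`) instead of being told that a passphrase was required. Consider failing early inside `password()` with a clear message: `if not ui.interactive(): raise util.Abort(_('passphrase required for %s') % f)` — an exception raised in the callback should propagate out of `load_cert_chain`, but that is worth confirming on the supported Python versions. Since OpenSSL only invokes the callback for encrypted keys, plain keys are unaffected. The enclosing try block starts before this hunk.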
@@ -51,7 +55,8 b' try:' | |||
|
51 | 55 | raise util.Abort(_('ssl connection failed')) |
|
52 | 56 | return sslsocket |
|
53 | 57 | except AttributeError: |
|
54 |
def ssl_wrap_socket(sock, keyfile, certfile, |
|
|
58 | def ssl_wrap_socket(sock, keyfile, certfile, ui, | |
|
59 | cert_reqs=ssl.CERT_NONE, | |
|
55 | 60 | ca_certs=None, serverhostname=None): |
|
56 | 61 | sslsocket = ssl.wrap_socket(sock, keyfile, certfile, |
|
57 | 62 | cert_reqs=cert_reqs, ca_certs=ca_certs, |
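Review bot: `ui` is added to the signatures of both fallback definitions (here, new lines 58-60, and in the ImportError hunk at new lines 75-77) but is not used in the visible lines of either, so on those paths an encrypted client key presumably still gets no prompt and fails as before; both bodies continue past their hunks, so I could not confirm. A short comment on each would make the limitation explicit: `# ui is accepted for signature compatibility only; passphrase prompting needs ssl.SSLContext`.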
@@ -67,7 +72,8 b' except ImportError:' | |||
|
67 | 72 | |
|
68 | 73 | import socket, httplib |
|
69 | 74 | |
|
70 |
def ssl_wrap_socket(sock, keyfile, certfile, |
|
|
75 | def ssl_wrap_socket(sock, keyfile, certfile, ui, | |
|
76 | cert_reqs=CERT_REQUIRED, | |
|
71 | 77 | ca_certs=None, serverhostname=None): |
|
72 | 78 | if not util.safehasattr(socket, 'ssl'): |
|
73 | 79 | raise util.Abort(_('Python SSL support not found')) |
@@ -146,7 +152,7 b' def _defaultcacerts():' | |||
|
146 | 152 | return '!' |
|
147 | 153 | |
|
148 | 154 | def sslkwargs(ui, host): |
|
149 | kws = {} | |
|
155 | kws = {'ui': ui} | |
|
150 | 156 | hostfingerprint = ui.config('hostfingerprints', host) |
|
151 | 157 | if hostfingerprint: |
|
152 | 158 | return kws |
@@ -175,7 +175,7 b' class httpconnection(keepalive.HTTPConne' | |||
|
175 | 175 | self.sock.connect((self.host, self.port)) |
|
176 | 176 | if _generic_proxytunnel(self): |
|
177 | 177 | # we do not support client X.509 certificates |
|
178 | self.sock = sslutil.ssl_wrap_socket(self.sock, None, None, | |
|
178 | self.sock = sslutil.ssl_wrap_socket(self.sock, None, None, None, | |
|
179 | 179 | serverhostname=self.host) |
|
180 | 180 | else: |
|
181 | 181 | keepalive.HTTPConnection.connect(self) |
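Review bot: The new `None` passed as `ui` (new line 178) is only safe because `certfile` and `keyfile` are also `None`, so the passphrase callback in sslutil is never installed; that dependency is not visible from this call site. Extend the existing comment to record it: `# we do not support client X.509 certificates, so no ui is needed for a passphrase prompt`.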
@@ -385,10 +385,19 b' with client certificate:' | |||
|
385 | 385 | > [auth] |
|
386 | 386 | > l.prefix = localhost |
|
387 | 387 | > l.cert = client-cert.pem |
|
388 | > l.key = client-key.pem | |
|
388 | 389 | > EOT |
|
389 | 390 | |
|
390 | 391 | $ P=`pwd` hg id https://localhost:$HGPORT/ \ |
|
391 | 392 | > --config auth.l.key=client-key-decrypted.pem |
|
392 | 393 | 5fed3813f7f5 |
|
393 | 394 | |
|
395 | $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \ | |
|
396 | > --config ui.interactive=True --config ui.nontty=True | |
|
397 | passphrase for client-key.pem: 5fed3813f7f5 | |
|
398 | ||
|
399 | $ env P=`pwd` hg id https://localhost:$HGPORT/ | |
|
400 | abort: error: * (glob) | |
|
401 | [255] | |
|
402 | ||
|
394 | 403 | #endif |
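Review bot: The non-interactive case at new lines 399-401 matches any message with `abort: error: * (glob)`, so the test does not pin what a user sees when a passphrase is needed but cannot be read, and the wrong-passphrase path is not exercised at all. Consider adding a case such as `$ printf 'wrong\n' | env P=`pwd` hg id https://localhost:$HGPORT/ --config ui.interactive=True --config ui.nontty=True` with its expected abort line, and tightening the glob once the intended message is settled.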