comparison mercurial/hgweb/server.py @ 29555:121d11814c62

hgweb: use sslutil.wrapserversocket()

This patch transitions the built-in HTTPS server to use sslutil for creating the server socket. As part of this transition, we implement developer-only config options to control CA loading and whether to require client certificates. This eliminates the need for the custom extension in test-https.t to define these.

There is a slight change in behavior with regards to protocol selection. Before, we would always use the TLS 1.0 constant to define the protocol version. This would *only* use TLS 1.0. sslutil defaults to TLS 1.0+. So this patch improves the security of `hg serve` out of the box by allowing it to use TLS 1.1 and 1.2 (if available).
author Gregory Szorc <gregory.szorc@gmail.com>
date Tue, 12 Jul 2016 23:12:03 -0700
parents cd3e58862cab
children 075146e85bb6
29554:4a7b0c696fbc 29555:121d11814c62
222 url_scheme = 'https' 222 url_scheme = 'https'
223 223
224 @staticmethod 224 @staticmethod
225 def preparehttpserver(httpserver, ui): 225 def preparehttpserver(httpserver, ui):
226 try: 226 try:
227 import ssl 227 from .. import sslutil
228 ssl.wrap_socket 228 sslutil.modernssl
229 except ImportError: 229 except ImportError:
230 raise error.Abort(_("SSL support is unavailable")) 230 raise error.Abort(_("SSL support is unavailable"))
231 231
232 certfile = ui.config('web', 'certificate') 232 certfile = ui.config('web', 'certificate')
233 httpserver.socket = ssl.wrap_socket( 233
234 httpserver.socket, server_side=True, 234 # These config options are currently only meant for testing. Use
235 certfile=certfile, ssl_version=ssl.PROTOCOL_TLSv1) 235 # at your own risk.
236 cafile = ui.config('devel', 'servercafile')
237 reqcert = ui.configbool('devel', 'serverrequirecert')
238
239 httpserver.socket = sslutil.wrapserversocket(httpserver.socket,
240 ui,
241 certfile=certfile,
242 cafile=cafile,
243 requireclientcert=reqcert)
236 244
237 def setup(self): 245 def setup(self):
238 self.connection = self.request 246 self.connection = self.request
239 self.rfile = socket._fileobject(self.request, "rb", self.rbufsize) 247 self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
240 self.wfile = socket._fileobject(self.request, "wb", self.wbufsize) 248 self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
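Review bot: `certfile = ui.config('web', 'certificate')` is passed straight into `sslutil.wrapserversocket()` with no check that it was set, so a server started without `web.certificate` will only fail later, inside the wrapper or at the first handshake, rather than with a clear message at startup; consider adding `if not certfile: raise error.Abort(_('web.certificate must be set to serve HTTPS'))` right after the config lookup, as the old `ssl.wrap_socket` path had the same gap and this is the moment to close it. Two smaller points on the same hunk: the probe `sslutil.modernssl` inside the `try` can only raise AttributeError, which the `except ImportError:` does not catch, so either drop the probe or widen the except clause to match what it can raise; and since `devel.servercafile` and `devel.serverrequirecert` are now read unconditionally, the "only meant for testing" comment should be mirrored in the config documentation (or the options registered as devel-only) so that nobody relies on them for production client-cert enforcement.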