diff tests/test-https.t @ 29555:121d11814c62

hgweb: use sslutil.wrapserversocket()

This patch transitions the built-in HTTPS server to use sslutil for creating the server socket. As part of this transition, we implement developer-only config options to control CA loading and whether to require client certificates. This eliminates the need for the custom extension in test-https.t to define these.

There is a slight change in behavior with regards to protocol selection. Before, we would always use the TLS 1.0 constant to define the protocol version. This would *only* use TLS 1.0. sslutil defaults to TLS 1.0+. So this patch improves the security of `hg serve` out of the box by allowing it to use TLS 1.1 and 1.2 (if available).
author Gregory Szorc <gregory.szorc@gmail.com>
date Tue, 12 Jul 2016 23:12:03 -0700
parents cd3e58862cab
children 7dec5e441bf7
--- a/tests/test-https.t	Thu Jul 14 20:14:19 2016 -0700
+++ b/tests/test-https.t	Tue Jul 12 23:12:03 2016 -0700
@@ -397,27 +397,11 @@
 
 #if sslcontext
 
-Start patched hgweb that requires client certificates:
+Start hgweb that requires client certificates:
 
-  $ cat << EOT > reqclientcert.py
-  > import ssl
-  > from mercurial.hgweb import server
-  > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
-  >     @staticmethod
-  >     def preparehttpserver(httpserver, ui):
-  >         certfile = ui.config('web', 'certificate')
-  >         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-  >         sslcontext.verify_mode = ssl.CERT_REQUIRED
-  >         sslcontext.load_cert_chain(certfile)
-  >         # verify clients by server certificate
-  >         sslcontext.load_verify_locations(certfile)
-  >         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
-  >                                                    server_side=True)
-  > server._httprequesthandlerssl = _httprequesthandlersslclientcert
-  > EOT
   $ cd test
   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
-  > --config extensions.reqclientcert=../reqclientcert.py
+  > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
   $ cat ../hg0.pid >> $DAEMON_PIDS
   $ cd ..
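Review bot: the replacement `hg serve` invocation leans on two developer-only options, `devel.servercafile` and `devel.serverrequirecert`, whose meaning is no longer visible in the test now that the inline extension (with its explicit `verify_mode = ssl.CERT_REQUIRED` and `load_verify_locations(certfile)`) is gone; a short comment above the `hg serve` line saying that `$PRIV` doubles as the trust anchor for client certificates would keep the test readable without knowledge of sslutil internals. Also, since the removed extension pinned `ssl.PROTOCOL_TLSv1` and the commit message states the server now negotiates TLS 1.0+, nothing in this hunk checks which protocol version is actually negotiated, so the stated security improvement is unverified by the test; consider a follow-up assertion on the negotiated version where the test environment allows it.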