<div dir="ltr"><div><div><div><div>This series includes patches that have already landed on the committed repo. The first two patches shouldn't be controversial. They are included in case it is decided to wipe out all my draft changesets currently on the committed repo.<br><br></div>Patches 3 to 7 are a refactor what has already landed on the committed repo to avoid create_default_context. They should be an easy review.<br><br></div>Patches 8 and 9 seem to have already had eyeballs on them and should hopefully sail through pretty easy. I think I fixed Pierre-Yves's reported test failure by reordering tests to avoid killing tinyproxy.py.<br><br></div>Patches 10 and 11 are a bit more controversial. They are purposefully at the end of the series because they are the least reviewed and they may get dropped if we're not willing to make the commitment to dropping TLS 1.0.<br><br></div>After this series, I'm considering my work on overhauling the security code complete. Just in time for the 3.9 freeze too...<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 14, 2016 at 9:09 PM, Gregory Szorc <span dir="ltr"><<a href="mailto:gregory.szorc@gmail.com" target="_blank">gregory.szorc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"># HG changeset patch<br>
# User Gregory Szorc <<a href="mailto:gregory.szorc@gmail.com">gregory.szorc@gmail.com</a>><br>
# Date 1468394090 25200<br>
# Wed Jul 13 00:14:50 2016 -0700<br>
# Node ID 9e91be071422676679cdef44e74f4ea34dd81be1<br>
# Parent 9d02bed8477bec7f679d6aeb5b1dd8bcdb80f64d<br>
hgweb: pass ui into preparehttpserver<br>
<br>
Upcoming patches will need the built-in HTTPS server to be more<br>
configurable.<br>
<br>
diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py<br>
--- a/mercurial/hgweb/server.py<br>
+++ b/mercurial/hgweb/server.py<br>
@@ -53,17 +53,17 @@ class _error_logger(object):<br>
for msg in seq:<br>
self.handler.log_error("HG error: %s", msg)<br>
<br>
class _httprequesthandler(BaseHTTPServer.BaseHTTPRequestHandler):<br>
<br>
url_scheme = 'http'<br>
<br>
@staticmethod<br>
- def preparehttpserver(httpserver, ssl_cert):<br>
+ def preparehttpserver(httpserver, ui):<br>
"""Prepare .socket of new HTTPServer instance"""<br>
pass<br>
<br>
def __init__(self, *args, **kargs):<br>
self.protocol_version = 'HTTP/1.1'<br>
BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kargs)<br>
<br>
def _log_any(self, fp, format, *args):<br>
@@ -217,25 +217,27 @@ class _httprequesthandler(BaseHTTPServer<br>
self.wfile.flush()<br>
<br>
class _httprequesthandlerssl(_httprequesthandler):<br>
"""HTTPS handler based on Python's ssl module"""<br>
<br>
url_scheme = 'https'<br>
<br>
@staticmethod<br>
- def preparehttpserver(httpserver, ssl_cert):<br>
+ def preparehttpserver(httpserver, ui):<br>
try:<br>
import ssl<br>
ssl.wrap_socket<br>
except ImportError:<br>
raise error.Abort(_("SSL support is unavailable"))<br>
+<br>
+ certfile = ui.config('web', 'certificate')<br>
httpserver.socket = ssl.wrap_socket(<br>
httpserver.socket, server_side=True,<br>
- certfile=ssl_cert, ssl_version=ssl.PROTOCOL_TLSv1)<br>
+ certfile=certfile, ssl_version=ssl.PROTOCOL_TLSv1)<br>
<br>
def setup(self):<br>
self.connection = self.request<br>
self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)<br>
self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)<br>
<br>
try:<br>
import threading<br>
@@ -259,17 +261,17 @@ class MercurialHTTPServer(object, _mixin<br>
if <a href="http://os.name" rel="noreferrer" target="_blank">os.name</a> == 'nt':<br>
allow_reuse_address = 0<br>
<br>
def __init__(self, ui, app, addr, handler, **kwargs):<br>
BaseHTTPServer.HTTPServer.__init__(self, addr, handler, **kwargs)<br>
self.daemon_threads = True<br>
self.application = app<br>
<br>
- handler.preparehttpserver(self, ui.config('web', 'certificate'))<br>
+ handler.preparehttpserver(self, ui)<br>
<br>
prefix = ui.config('web', 'prefix', '')<br>
if prefix:<br>
prefix = '/' + prefix.strip('/')<br>
self.prefix = prefix<br>
<br>
alog = openlog(ui.config('web', 'accesslog', '-'), sys.stdout)<br>
elog = openlog(ui.config('web', 'errorlog', '-'), sys.stderr)<br>
diff --git a/tests/test-https.t b/tests/test-https.t<br>
--- a/tests/test-https.t<br>
+++ b/tests/test-https.t<br>
@@ -399,22 +399,23 @@ Test https with cert problems through pr<br>
<br>
Start patched hgweb that requires client certificates:<br>
<br>
$ cat << EOT > reqclientcert.py<br>
> import ssl<br>
> from mercurial.hgweb import server<br>
> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):<br>
> @staticmethod<br>
- > def preparehttpserver(httpserver, ssl_cert):<br>
+ > def preparehttpserver(httpserver, ui):<br>
+ > certfile = ui.config('web', 'certificate')<br>
> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)<br>
> sslcontext.verify_mode = ssl.CERT_REQUIRED<br>
- > sslcontext.load_cert_chain(ssl_cert)<br>
+ > sslcontext.load_cert_chain(certfile)<br>
> # verify clients by server certificate<br>
- > sslcontext.load_verify_locations(ssl_cert)<br>
+ > sslcontext.load_verify_locations(certfile)<br>
> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,<br>
> server_side=True)<br>
> server._httprequesthandlerssl = _httprequesthandlersslclientcert<br>
> EOT<br>
$ cd test<br>
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \<br>
> --config extensions.reqclientcert=../reqclientcert.py<br>
$ cat ../hg0.pid >> $DAEMON_PIDS<br>
</blockquote></div><br></div>