certificate-based authentication for https hgwebdir clients

Benoit Boissinot benoit.boissinot at ens-lyon.org
Tue Jan 6 16:27:27 CST 2009

On Tue, Jan 06, 2009 at 12:16:00PM -0600, Matt Mackall wrote:
> On Tue, 2009-01-06 at 16:31 +0200, Dimitris Glynos wrote:
> > Hello all,
> > 
> > I'm attaching a patch that enables hgwebdir to do basic certicate-based
> > authentication for clients, in https mode. By 'basic' I mean that the
> > client's certificate is checked against a list of registered certificates
> > and if it is not found in the list (or is invalid), the SSL session is
> > terminated.
> This patch requires having the Python OpenSSL bindings installed, yes?
> That's a little unfortunate. Calling out to the openssl executable (one
> dependency which most people already have) might actually be preferable
> to adding a library (one more dependency).

The dependency already exists for some SSL features in hgweb/server.py:
if ssl_cert:
        from OpenSSL import SSL
        ctx = SSL.Context(SSL.SSLv23_METHOD)
    except ImportError:
        raise util.Abort(_("SSL support is unavailable"))

Maybe we should add an alternate method for python2.6, since the ssl
library was integrated there: http://docs.python.org/library/ssl.html




More information about the Mercurial-devel mailing list