certificate-based authentication for https hgwebdir clients

Dimitris Glynos dimitris at census-labs.com
Tue Jan 6 16:39:28 CST 2009


On Tue, 6 Jan 2009, Matt Mackall wrote:
> On Tue, 2009-01-06 at 16:31 +0200, Dimitris Glynos wrote:
>> ...
>> I'm attaching a patch that enables hgwebdir to do basic certificate-based
>> authentication for clients, in https mode.
>> ...
>
> This patch requires having the Python OpenSSL bindings installed, yes?

This patch does NOT introduce any new dependencies to hg.

hg requires PyOpenSSL when serving https content (and this patch
does not change anything in that respect). Of course, https-based
authentication needs ...https, so the administrator that requires
the functionality added by this patch will also have PyOpenSSL
installed.

> Calling out to the openssl executable (one
> dependency which most people already have) might actually be preferable
> to adding a library (one more dependency).

As I said, no new dependencies are introduced by applying this patch.
Since hg already uses PyOpenSSL for SSL, we don't need to call
another application.

>> A few words about the patch:
>>
>> * A new option, '--require-client-cert', has been added to 'hg serve'.
>>    This turns on the client-authenticated handshake mode of SSL.
>
> Hmm, what about hgweb? We pretty much have to support everything that hg
> serve can do in hgweb.

The only reason I touched the code of hgwebdir was because I needed
a place to store the 'registered certificates' information...

In reality, this information has nothing to do with either hgweb or
hgwebdir. It is solely an 'hg serve' thing. Does 'hg serve' have a
configuration file I could use?

BTW, once 'hg serve' gets the certificate info from a neutral config-file
(i.e. not hgweb/hgwebdir-specific) the authentication scheme will be
effective for BOTH hgweb and hgwebdir.

>>    [https_clients]
>>    joe = 0F:12:42:32:42:24:12:12:12:12:45:23:24:23:24:25:23:23:23:11
>>    amy = 11:23:23:11:42:42:16:11:AE:15:A8:11:23:82:00:02:08:15:23:43
>
> You apparently haven't heard about my hatred of underbars. This could
> use a better name, but I'm not sure what.

I can change them, no problem. It's a small patch after all :-)

> ...
> it's probably sufficient to add something like the above hashes to
> ~/.hgrc on the client. Thoughts?

I can do a separate patch for this if you like. I assume that if a 
repository fails on the digest check, the default client behaviour
would be to exit with an error. Is a --no-digest-check option
also required?

--
dimitris
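
An added example, not part of the original message or the patch: one way a server could check a presented client certificate against the `[https_clients]` section quoted above. It assumes the 20-octet values are SHA-1 digests of the DER-encoded certificate; the function names and the sample input are constructed for illustration.

```python
import configparser
import hashlib
import hmac

# Constructed sample configuration, in the format quoted in the message.
SAMPLE_CONFIG = """
[https_clients]
joe = 0F:12:42:32:42:24:12:12:12:12:45:23:24:23:24:25:23:23:23:11
amy = 11:23:23:11:42:42:16:11:AE:15:A8:11:23:82:00:02:08:15:23:43
"""
HEX = set("0123456789ABCDEF")


def fingerprint(der_cert: bytes) -> str:
    # Assumption: the registered value is the SHA-1 digest of the DER bytes,
    # written as colon-separated uppercase hex octets.
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_clients(text: str) -> dict:
    # Parse [https_clients] into {name: fingerprint}; refuse malformed entries
    # so a typo in the config cannot silently register a useless value.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    clients = {}
    if not parser.has_section("https_clients"):
        return clients
    for name, value in parser.items("https_clients"):
        octets = value.strip().upper().split(":")
        if len(octets) != 20 or any(len(o) != 2 or not set(o) <= HEX for o in octets):
            raise ValueError("malformed fingerprint for client %r" % name)
        clients[name] = ":".join(octets)
    return clients


def authenticate(der_cert: bytes, clients: dict):
    # Return the registered client name, or None when no fingerprint matches.
    presented = fingerprint(der_cert)
    matched = None
    for name, registered in clients.items():
        if hmac.compare_digest(presented, registered):
            matched = name
    return matched
```

An empty or missing `[https_clients]` section yields no registered clients, so `authenticate` rejects every certificate rather than accepting all of them.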

