certificate-based authentication for https hgwebdir clients
Matt Mackall
mpm at selenic.com
Tue Jan 6 18:23:58 CST 2009
On Wed, 2009-01-07 at 00:39 +0200, Dimitris Glynos wrote:
> >> A few words about the patch:
> >>
> >> * A new option, '--require-client-cert', has been added to 'hg serve'.
> >> This turns on the client-authenticated handshake mode of SSL.
> >
> > Hmm, what about hgweb? We pretty much have to support everything that hg
> > serve can do in hgweb.
>
> The only reason I touched the code of hgwebdir was because I needed
> a place to store the 'registered certificates' information...
>
> In reality, this information has nothing to do neither with hgweb nor
> hgwebdir. It is solely an 'hg serve' thing.
And I'm saying that's not allowed. Every feature of 'hg serve' needs to
be in hgweb because *hgweb* is the full-featured solution. If we have
feature A only in one and feature B only in the other, people who want A
and B together will be out of luck. (and hgweb here really means hgweb
+hgwebdir)
> Does 'hg serve' have a
> configuration file I could use?
Yes, it can use both hgrc files and hgwebdir-style config files.
> BTW, once 'hg serve' gets the certificate info from a neutral config-file
> (i.e. not hgweb/hgwebdir-specific) the authentication scheme will be
> effective for BOTH hgweb and hgwebdir.
>
> >> [https_clients]
> >> joe = 0F:12:42:32:42:24:12:12:12:12:45:23:24:23:24:25:23:23:23:11
> >> amy = 11:23:23:11:42:42:16:11:AE:15:A8:11:23:82:00:02:08:15:23:43
> >
> > You apparently haven't heard about my hatred of underbars. This could
> > use a better name, but I'm not sure what.
>
> I can change them, no problem. It's a small patch after all :-)
>
> > ...
> > it's probably sufficient to add something like the above hashes to
> > ~/.hgrc on the client. Thoughts?
>
> I can do a separate patch for this if you like. I assume that if a
> repository fails on the digest check, the default client behaviour
> would be to exit with an error. Is a --no-digest-check option
> also required?
The logic should be something like:
if have-signature(site):
if not digest-check(site):
fail
elif require-signatures(): # defaults to off
fail
--
Mathematics is the supreme nostalgia of our time.
More information about the Mercurial-devel
mailing list