[PATCH 4 of 5] clonebundles: filter on SNI requirement

Augie Fackler raf at durin42.com
Wed Sep 30 10:37:05 CDT 2015 

On Tue, Sep 29, 2015 at 05:48:47PM -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1443573354 25200
> #      Tue Sep 29 17:35:54 2015 -0700
> # Node ID f59a55d55baa1f96898cc7bd6df29e487327e3cb
> # Parent  2778d6d5213b71319279b82c251d0b43543e9709
> clonebundles: filter on SNI requirement
>
> Server Name Indication (SNI) is commonly used in CDNs and other hosted
> environments. Unfortunately, Python <2.7.9 does not support SNI and when
> these older Python versions attempt to negotiate TLS to an SNI server,
> they raise an opaque error like
> "_ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure."
>
> diff --git a/hgext/clonebundles.py b/hgext/clonebundles.py
> --- a/hgext/clonebundles.py
> +++ b/hgext/clonebundles.py
> @@ -42,8 +42,21 @@ TYPE
>
>     The actual value doesn't impact client behavior beyond filtering:
>     clients will still sniff the bundle type from downloaded content.
>     We reuse the file header values for consistency.
> +
> +REQUIRESNI
> +   Whether Server Name Indication (SNI) is required to connect to the URL.
> +   SNI allows servers to use multiple certificates on the same IP. It is
> +   somewhat common in CDNs and other hosting providers. Older Python
> +   versions do not support SNI. Defining this attribute enables clients
> +   with older Python versions to filter this entry.
> +
> +   If this is defined, it is important to advertise a non-SNI fallback
> +   URL or clients running old Python releases may not be able to clone
> +   with the clonebundles facility.

Wouldn't the client just fall back to pulling things normally in that
case? I mean, clearly suboptimal, but still workable unless I missed
something.

> +
> +   Value should be "true".
>  """
>
>  from mercurial import (
>      extensions,
> diff --git a/mercurial/exchange.py b/mercurial/exchange.py
> --- a/mercurial/exchange.py
> +++ b/mercurial/exchange.py
> @@ -11,8 +11,9 @@ from node import hex, nullid
>  import errno, urllib, urllib2
>  import util, scmutil, changegroup, base85, error, store
>  import discovery, phases, obsolete, bookmarks as bookmod, bundle2, pushkey
>  import lock as lockmod
> +import sslutil
>  import tags
>  import url as urlmod
>
>  def readbundle(ui, fh, fname, vfs=None):
> @@ -1642,8 +1643,12 @@ def filterclonebundleentries(ui, entries
>              ui.debug('filtering %s because unknown bundle type %s\n' %
>                         (e['URL'], e['TYPE']))
>              continue
>
> +        if 'REQUIRESNI' in e and not sslutil.hassni:
> +            ui.debug('filtering %s because SNI not supported\n' % e['URL'])
> +            continue
> +
>          newentries.append(e)
>
>      return newentries
>
> diff --git a/tests/test-clonebundles.t b/tests/test-clonebundles.t
> --- a/tests/test-clonebundles.t
> +++ b/tests/test-clonebundles.t
> @@ -145,4 +145,38 @@ Automatic fallback when all entries are
>    adding changesets
>    adding manifests
>    adding file changes
>    added 2 changesets with 2 changes to 2 files
> +
> +URLs requiring SNI are filtered in Python <2.7.9
> +
> +  $ cp full.hg sni.hg
> +  $ cat > server/.hg/clonebundles.manifest << EOF
> +  > http://localhost:$HGPORT1/sni.hg REQUIRESNI=true
> +  > http://localhost:$HGPORT1/full.hg
> +  > EOF
> +
> +#if sslcontext
> +Python 2.7.9+ support SNI
> +
> +  $ hg clone -U http://localhost:$HGPORT sni-supported
> +  applying clone bundle from http://localhost:$HGPORT1/sni.hg
> +  adding changesets
> +  adding manifests
> +  adding file changes
> +  added 2 changesets with 2 changes to 2 files
> +  finished applying clone bundle
> +  searching for changes
> +  no changes found
> +#else
> +Python <2.7.9 will filter SNI URLs
> +
> +  $ hg clone -U http://localhost:$HGPORT sni-unsupported
> +  applying clone bundle from http://localhost:$HGPORT1/full.hg
> +  adding changesets
> +  adding manifests
> +  adding file changes
> +  added 2 changesets with 2 changes to 2 files
> +  finished applying clone bundle
> +  searching for changes
> +  no changes found
> +#endif
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at selenic.com
> https://selenic.com/mailman/listinfo/mercurial-devel

More information about the Mercurial-devel mailing list