Mercurial > hg-stable
view tests/cgienv @ 29334:ecc9b788fd69
sslutil: per-host config option to define certificates
Recent work has introduced the [hostsecurity] config section for
defining per-host security settings. This patch builds on top
of this foundation and implements the ability to define a per-host
path to a file containing certificates used for verifying the server
certificate. It is logically a per-host web.cacerts setting.
This patch also introduces a warning when both per-host
certificates and fingerprints are defined. These are mutually
exclusive for host verification and I think the user should be
alerted when security settings are ambiguous because, well,
security is important.
Tests validating the new behavior have been added.
I decided against putting "ca" in the option name because a
non-CA certificate can be specified and used to validate the server
certificate (commonly this will be the exact public certificate
used by the server). It's worth noting that the underlying
Python API used is load_verify_locations(cafile=X) and it calls
into OpenSSL's SSL_CTX_load_verify_locations(). Even OpenSSL's
documentation seems to omit that the file can contain a non-CA
certificate if it matches the server's certificate exactly. I
thought a CA certificate was a special kind of x509 certificate.
Perhaps I'm wrong and any x509 certificate can be used as a
CA certificate [as far as OpenSSL is concerned]. In any case,
I thought it best to drop "ca" from the name because this reflects
reality.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Tue, 07 Jun 2016 20:29:54 -0700 |
parents | aa3f726a2bdb |
children |
line wrap: on
line source
DOCUMENT_ROOT="/var/www/hg"; export DOCUMENT_ROOT GATEWAY_INTERFACE="CGI/1.1"; export GATEWAY_INTERFACE HTTP_ACCEPT="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"; export HTTP_ACCEPT HTTP_ACCEPT_CHARSET="ISO-8859-1,utf-8;q=0.7,*;q=0.7"; export HTTP_ACCEPT_CHARSET HTTP_ACCEPT_ENCODING="gzip,deflate"; export HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.5"; export HTTP_ACCEPT_LANGUAGE HTTP_CACHE_CONTROL="max-age=0"; export HTTP_CACHE_CONTROL HTTP_CONNECTION="keep-alive"; export HTTP_CONNECTION HTTP_HOST="hg.omnifarious.org"; export HTTP_HOST HTTP_KEEP_ALIVE="300"; export HTTP_KEEP_ALIVE HTTP_USER_AGENT="Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.4) Gecko/20060608 Ubuntu/dapper-security Firefox/1.5.0.4"; export HTTP_USER_AGENT PATH_INFO="/"; export PATH_INFO PATH_TRANSLATED="/var/www/hg/index.html"; export PATH_TRANSLATED QUERY_STRING=""; export QUERY_STRING REMOTE_ADDR="127.0.0.2"; export REMOTE_ADDR REMOTE_PORT="44703"; export REMOTE_PORT REQUEST_METHOD="GET"; export REQUEST_METHOD REQUEST_URI="/test/"; export REQUEST_URI SCRIPT_FILENAME="/home/hopper/hg_public/test.cgi"; export SCRIPT_FILENAME SCRIPT_NAME="/test"; export SCRIPT_NAME SCRIPT_URI="http://hg.omnifarious.org/test/"; export SCRIPT_URI SCRIPT_URL="/test/"; export SCRIPT_URL SERVER_ADDR="127.0.0.1"; export SERVER_ADDR SERVER_ADMIN="eric@localhost"; export SERVER_ADMIN SERVER_NAME="hg.omnifarious.org"; export SERVER_NAME SERVER_PORT="80"; export SERVER_PORT SERVER_PROTOCOL="HTTP/1.1"; export SERVER_PROTOCOL SERVER_SIGNATURE="<address>Apache/2.0.53 (Fedora) Server at hg.omnifarious.org Port 80</address>"; export SERVER_SIGNATURE SERVER_SOFTWARE="Apache/2.0.53 (Fedora)"; export SERVER_SOFTWARE