Mercurial > hg
diff mercurial/hgweb/server.py @ 29555:121d11814c62
hgweb: use sslutil.wrapserversocket()
This patch transitions the built-in HTTPS server to use sslutil for
creating the server socket.
As part of this transition, we implement developer-only config options
to control CA loading and whether to require client certificates. This
eliminates the need for the custom extension in test-https.t to define
these.
There is a slight change in behavior with regards to protocol
selection. Before, we would always use the TLS 1.0 constant to define
the protocol version. This would *only* use TLS 1.0. sslutil defaults
to TLS 1.0+. So this patch improves the security of `hg serve` out of
the box by allowing it to use TLS 1.1 and 1.2 (if available).
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Tue, 12 Jul 2016 23:12:03 -0700 |
| parents | cd3e58862cab |
| children | 075146e85bb6 |
line wrap: on
line diff
--- a/mercurial/hgweb/server.py Thu Jul 14 20:14:19 2016 -0700 +++ b/mercurial/hgweb/server.py Tue Jul 12 23:12:03 2016 -0700 @@ -224,15 +224,23 @@ @staticmethod def preparehttpserver(httpserver, ui): try: - import ssl - ssl.wrap_socket + from .. import sslutil + sslutil.modernssl except ImportError: raise error.Abort(_("SSL support is unavailable")) certfile = ui.config('web', 'certificate') - httpserver.socket = ssl.wrap_socket( - httpserver.socket, server_side=True, - certfile=certfile, ssl_version=ssl.PROTOCOL_TLSv1) + + # These config options are currently only meant for testing. Use + # at your own risk. + cafile = ui.config('devel', 'servercafile') + reqcert = ui.configbool('devel', 'serverrequirecert') + + httpserver.socket = sslutil.wrapserversocket(httpserver.socket, + ui, + certfile=certfile, + cafile=cafile, + requireclientcert=reqcert) def setup(self): self.connection = self.request