Mercurial > hg

--- a/mercurial/hgweb/server.py	Thu Jul 14 20:14:19 2016 -0700
+++ b/mercurial/hgweb/server.py	Tue Jul 12 23:12:03 2016 -0700
@@ -224,15 +224,23 @@
     @staticmethod
     def preparehttpserver(httpserver, ui):
         try:
-            import ssl
-            ssl.wrap_socket
+            from .. import sslutil
+            sslutil.modernssl
         except ImportError:
             raise error.Abort(_("SSL support is unavailable"))

         certfile = ui.config('web', 'certificate')
-        httpserver.socket = ssl.wrap_socket(
-            httpserver.socket, server_side=True,
-            certfile=certfile, ssl_version=ssl.PROTOCOL_TLSv1)
+
+        # These config options are currently only meant for testing. Use
+        # at your own risk.
+        cafile = ui.config('devel', 'servercafile')
+        reqcert = ui.configbool('devel', 'serverrequirecert')
+
+        httpserver.socket = sslutil.wrapserversocket(httpserver.socket,
+                                                     ui,
+                                                     certfile=certfile,
+                                                     cafile=cafile,
+                                                     requireclientcert=reqcert)

     def setup(self):
         self.connection = self.request
--- a/tests/test-https.t	Thu Jul 14 20:14:19 2016 -0700
+++ b/tests/test-https.t	Tue Jul 12 23:12:03 2016 -0700
@@ -397,27 +397,11 @@

 #if sslcontext

-Start patched hgweb that requires client certificates:
+Start hgweb that requires client certificates:

-  $ cat << EOT > reqclientcert.py
-  > import ssl
-  > from mercurial.hgweb import server
-  > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
-  >     @staticmethod
-  >     def preparehttpserver(httpserver, ui):
-  >         certfile = ui.config('web', 'certificate')
-  >         sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-  >         sslcontext.verify_mode = ssl.CERT_REQUIRED
-  >         sslcontext.load_cert_chain(certfile)
-  >         # verify clients by server certificate
-  >         sslcontext.load_verify_locations(certfile)
-  >         httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
-  >                                                    server_side=True)
-  > server._httprequesthandlerssl = _httprequesthandlersslclientcert
-  > EOT
   $ cd test
   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
-  > --config extensions.reqclientcert=../reqclientcert.py
+  > --config devel.servercafile=$PRIV --config devel.serverrequirecert=true
   $ cat ../hg0.pid >> $DAEMON_PIDS
   $ cd ..