how to set-up HTTPS authentication with client certificate and passwords

Paul van der Linden paul at soulbase.nl
Mon Nov 2 10:34:43 CST 2009


On Fri, 30 Oct 2009 15:29:54 +0100, Igor Lautar <igor.lautar at gmail.com>  
wrote:

> * cutout *
> Well, I have (sort of) managed to get it going (w/o code changes).
>
> First of all, it seems that user-wide hgrc (as pointed out in one of
> previous posts) must be used for this to work.
> - additionally, PEM private key file should not be protected by  
> passphrase
>   - if it is, hg asks for pass many times during operation, and stalls
> at some point waiting for ssh handshake

There are 2 ways to solve this:
     - If you have control over the server: be sure to activate keep alive
       on the server. This will solve the many asks per command.
     - The other one is not easy, will add some dependencies, has to be
       accepted by the developers of Mercurial, and maybe is very safe:
       We have to rewrite some code; the standard SSL support for Python is
       not very complete. It will need something like pyOpenSSL to override
       the standard passphrase callback of OpenSSL, so we can store the
       passphrase somewhere in memory, so the callback can provide it again
       within the same hg instance.

>   - it seems it only stalls when there is a delay in writing password
> (like few secs, which is not really enough time to write it)
> * backtrace *

I've not had the stall problem, so I don't know how to solve this; this
works normally here.

>
>
> It would be also good if one could provide PEM passphrase to hg, and
> hg remembers it for future uses. Can this be done now (haven't found
> any clues in docs)?

This doesn't seem like a good idea; that looks the same to me as putting
the unencrypted/unprotected version of the private key on disk.
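
Added example, not part of the original message and not Mercurial's code: a sketch of the in-memory passphrase callback described in the second option above, so the key stays encrypted on disk and the user is asked once per process. It assumes the `password=` callback of `ssl.SSLContext.load_cert_chain` in current Python's standard library instead of the pyOpenSSL callback named in the message; `PassphraseCache`, `load_key` and `client_context` are hypothetical names.

```python
import getpass
import ssl


class PassphraseCache:
    """Password callback that prompts once, then answers from memory."""

    def __init__(self, prompt=getpass.getpass):
        self._prompt = prompt   # injectable so the cache can be exercised offline
        self._secret = None     # bytearray, so it can be overwritten in place
        self.prompts = 0        # how many times the user was actually asked

    def __call__(self):
        if self._secret is None:
            self.prompts += 1
            self._secret = bytearray(self._prompt("PEM passphrase: "), "utf-8")
        return self._secret

    def forget(self):
        """Best-effort wipe; copies already made by OpenSSL are not reachable."""
        if self._secret is not None:
            for i in range(len(self._secret)):
                self._secret[i] = 0
            self._secret = None


def load_key(load, cache, attempts=3):
    """Call load(cache); if the passphrase is rejected, forget it and re-prompt."""
    for _ in range(attempts):
        try:
            return load(cache)
        except ssl.SSLError:
            cache.forget()      # never keep a passphrase that failed to decrypt
    raise ssl.SSLError("passphrase rejected %d times" % attempts)


def client_context(certfile, keyfile, cache):
    """TLS client context using the caller's PEM client certificate and key."""
    ctx = ssl.create_default_context()
    load_key(lambda cb: ctx.load_cert_chain(certfile, keyfile, password=cb), cache)
    return ctx
```

The passphrase lives only in the running process and is never written to disk; every new connection in that process that reuses the same `PassphraseCache` gets the cached value without another prompt.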


