how to set-up HTTPS authentication with client certificate and passwords
Henrik Stuart
hg at hstuart.dk
Mon Nov 2 15:16:53 CST 2009
Igor Lautar wrote:
> Hi,
>
> On Mon, Nov 2, 2009 at 7:22 PM, Martin Geisler <mg at lazybytes.net> wrote:
>> "Paul van der Linden" <paul at soulbase.nl> writes:
>>
>> Hi Paul
>>
>> I'm CC'ing our HTTPS expert, perhaps he can help.
>>
>>> It looks like the security support in mercurial is not very complete.
>>> The gui client for windows (tortoisehg) and the eclipse client both
>>> just hangs when a PEM certificate with passphrase is used.
>>> And the same problem with repeatedly inputting passwords within one
>>> command happens when using http authentication. I think Mercurial
>>> needs some improvement there.
>> Have you seen the [auth] section in the hgrc man page:
>>
>> http://www.selenic.com/mercurial/hgrc.5.html#auth
>>
>> That will allow you to specify username and password for HTTP.
>>
>> It also says something about PEM encoded certificates, but I don't
>> know anything about those.
>
> If you take a look towards the beginning of this thread, there is a
> lot of talk about that auth section.
>
> There are 2 things:
> * http[s] authentication
> * client certificate and stuff that goes with it (private key,
> certificate, passphrase)
>
> The first one is clear. You can also specify a username (and pwd, but that's
> not a good idea) as part of the URL.
> However, for the second one, you have to specify the passphrase multiple times
> during a single session, which is sub-optimal (annoying and breaks
> workflow).
>
> Will try the keep alive trick.
It is correct that you will need to input the PEM password multiple
times when connecting upstream. This is largely due to an inefficiency
in urllib2 and occasionally there are factors that make it impossible
for connections to be reused (I haven't looked too closely at this). For
the typical hg command it might require several over-the-wire commands,
and this is why the password must be entered repeatedly. Currently it is
urllib2 prompting for the password so we're reliant on when it wants to
ask for it, which is whenever a new connection is made, unfortunately.
The only real alternative is to rip out the use of urllib2 and roll our
own thing, which will probably not be something that happens lightly.
The PEM certificate support is fairly new (it only arrived in 1.3). If
Eclipse and TortoiseHg do not work with it, please raise issues on their
respective issue trackers.
This is where we're at currently, and I'm afraid that there's no easy
way to help solve your problem with client certificates.
--
Kind regards,
Henrik Stuart
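As an added illustration (not part of the thread), here is the shape of the hgrc [auth] entry that Martin links to, placed beside the URL-embedded password that Igor calls a bad idea. The host name, user name, password and file paths are made up; the key names (prefix, username, password, cert, key) are the ones documented for the [auth] section.

```ini
# WEAK: credentials embedded in the repository URL (the thread advises against it).
# The password ends up in shell history, in "hg paths" output and in process listings.
# [paths]
# default = https://paul:s3cret@hg.example.org/repo

# Preferred: keep the URL free of credentials and describe them under [auth].
[paths]
default = https://hg.example.org/repo

[auth]
# "example" is an arbitrary label grouping one set of credentials.
# Including the scheme in the prefix restricts the entry to HTTPS.
example.prefix = https://hg.example.org
example.username = paul
# Leave the password line out to be prompted instead of storing it in cleartext.
example.password = s3cret
# PEM client certificate and private key (supported since Mercurial 1.3).
# The key passphrase is not configurable here; as Henrik explains, urllib2
# prompts for it on every new connection.
example.cert = /home/paul/.hg-client/client.pem
example.key = /home/paul/.hg-client/client.key
```

Because any stored password is cleartext, this belongs in the per-user ~/.hgrc with restrictive permissions (for example `chmod 600 ~/.hgrc`), not in a file that other accounts on the machine can read.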