how to set-up HTTPS authentication with client certificate and passwords
Paul van der Linden
paul at soulbase.nl
Tue Nov 3 11:29:52 CST 2009
On Mon, 02 Nov 2009 22:16:53 +0100, Henrik Stuart <hg at hstuart.dk> wrote:
>
> It is correct that you will need to input the PEM password multiple
> times when connecting upstream. This is largely due to an inefficiency
> in urllib2 and occasionally there are factors that make it impossible
> for connections to be reused (I haven't looked too closely at this). For
> the typical hg command it might require several over the wire commands
> and this is why the password must be entered repeatedly. Currently it is
> urllib2 prompting for the password so we're reliant on when it wants to
> ask for it, which is whenever a new connection is made, unfortunately.
>
> The only real alternative is to rip out the use of urllib2 and roll our
> own thing, which will probably not be something that happens lightly.
>
> The PEM certificate support is fairly new (it only arrived in 1.3). If
> Eclipse and TortoiseHg do not work with it, please raise issues on their
> respective issue trackers.
>
> This is where we're at currently, and I'm afraid that there's no easy
> way to help solve your problem with client certificates.
>
It looks to me like there is nothing wrong with urllib2, at least for
normal passwords and for normal reusing of connections.

The connection reusing won't be able to do its job because some servers
are not configured to do keepalive (the standard package of Red Hat
Enterprise, for example).

The problem is that when I put in a password (for HTTP authentication), it
won't get used like it normally is when I put it in a configuration file. I
would like to type it only once per command (just like putting it in the
configuration file, except it doesn't get stored on disk). I don't like
storing passwords on disk, as you would understand.

The PEM password problem is more complicated but doesn't require us to stop
using the urllib2 library. The problem is the ssl module (which is used to
wrap the socket), which doesn't give any possibility for a callback for PEM
passwords. It looks like the library which is used by the ssl module
(OpenSSL) *does* provide this functionality. I will look for it but I
think there is no easy solution.

For the Eclipse plugin & TortoiseHg: I've reported these issues indeed.
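
An added example, not part of the original message and not Mercurial's code: a sketch of the "type it once per command, never store it on disk" behaviour discussed in this thread. It assumes the Python 3 standard library, whose `ssl.SSLContext.load_cert_chain` accepts a callable for the PEM password and which postdates this thread; `PromptOnce`, `build_opener` and the host in the test are hypothetical names.

```python
import getpass
import ssl
import urllib.request


class PromptOnce:
    """Ask for a secret on first use, then serve it from memory only."""

    def __init__(self, label, ask=getpass.getpass):
        self.label = label
        self.ask = ask        # injectable so it can run without a terminal
        self.prompts = 0      # how many times the user was actually asked
        self._secret = None

    def __call__(self):
        if self._secret is None:
            self.prompts += 1
            self._secret = self.ask(self.label + ": ")
        return self._secret


def build_opener(base_url, user, http_pw, certfile=None, pem_pw=None):
    """Return (opener, password manager) sharing one TLS context and
    one in-memory credential for every connection the command makes."""
    ctx = ssl.create_default_context()  # server certificate is verified
    if certfile is not None:
        # A callable password is invoked only if the private key is encrypted.
        ctx.load_cert_chain(certfile, password=pem_pw)
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    # The secret lives in this process only; nothing is written to disk.
    mgr.add_password(None, base_url, user, http_pw())
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPBasicAuthHandler(mgr),
    )
    return opener, mgr
```

Because the context and the password manager are built once and reused, a server without keepalive still causes new connections but no new prompts.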