how to set-up HTTPS authentication with client certificate and passwords

> Hi All,
>
> We are setting up a repo served by hgwebdir over https. Apache
> requires client to have certificate issued by this server.
>
> I have .pam file that I've imported into firefox and are able to access repo.
>
> Now I want to clone repo using hg (or use existing repo and
> authenticate to this repo).
>
>>From docs, I've seen that [auth] section should be used:
>
> [paths]
> default = https://<server>/<repo>
>
> [auth]
> rc.prefix = <server>
> rc.username = <username>
> rc.password = <password>
> rc.key = <key>
> rc.cert = <cert>
> rc.schemes = https
>
> where <key> is .pam file I've also imported to FF and <cert> is
> authority cerfiticate I've accepted in FF and exported for HG to use.
>
> However, it seams [auth] section is ignored (or at least not working
> with this configuration):
>
> $ hg --traceback pull
> Traceback (most recent call last):
>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 43,
> in _runcatch
>     return _dispatch(ui, args)
>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 449,
> in _dispatch
>     return runcommand(lui, repo, cmd, fullargs, ui, options, d)
>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 317,
> in runcommand
>     ret = _runcommand(ui, options, cmd, d)
>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 501,
> in _runcommand
>     return checkargs()
>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 454,
> in checkargs
>     return cmdfunc()
>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 448,
> in <lambda>
>     d = lambda: util.checksignature(func)(ui, *args, **cmdoptions)
>   File "/usr/lib/pymodules/python2.6/mercurial/util.py", line 402, in check
>     return func(*args, **kwargs)
>   File "/usr/lib/pymodules/python2.6/mercurial/commands.py", line 2287, in pull
>     other = hg.repository(cmdutil.remoteui(repo, opts), source)
>   File "/usr/lib/pymodules/python2.6/mercurial/hg.py", line 63, in repository
>     repo = _lookup(path).instance(ui, path, create)
>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 254,
> in instance
>     inst.between([(nullid, nullid)])
>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 175,
> in between
>     d = self.do_read("between", pairs=n)
>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 126,
> in do_read
>     fp = self.do_cmd(cmd, **args)
>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 79, in do_cmd
>     resp = self.urlopener.open(urllib2.Request(cu, data, headers))
>   File "/usr/lib/python2.6/urllib2.py", line 389, in open
>     response = self._open(req, data)
>   File "/usr/lib/python2.6/urllib2.py", line 407, in _open
>     '_open', req)
>   File "/usr/lib/python2.6/urllib2.py", line 367, in _call_chain
>     result = func(*args)
>   File "/usr/lib/pymodules/python2.6/mercurial/url.py", line 425, in https_open
>     return self.do_open(self._makeconnection, req)
>   File "/usr/lib/pymodules/python2.6/mercurial/keepalive.py", line
> 248, in do_open
>     raise urllib2.URLError(err)
> URLError: <urlopen error [Errno 1] _ssl.c:480: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure>
> abort: error: _ssl.c:480: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>
>
>
> Running 1.3.1 on kubuntu karmic:
>
> $ hg --version
> Mercurial Distributed SCM (version 1.3.1)
>
> Copyright (C) 2005-2009 Matt Mackall <mpm@...> and others
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> $ uname -a
> Linux arrow 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:05:01 UTC
> 2009 x86_64 GNU/Linux
>
> Any ideas?
>
> Regards,
> Igor
> _______________________________________________
> Mercurial mailing list
> Mercurial@...
> http://selenic.com/mailman/listinfo/mercurial

> I have a working repo over https. All I need to do is to put in the
> [paths] section and it works. But to be honest, the certificate part is
> not dealt with by myself, so maybe that makes a difference.
>
> Looking at the traceback I suspect the problem is not in the [auth]
> section, but in a wrong path. You wrote a http-url there. I think you
> need to write a directory on the server there, eg I have:
>
>  repo = /data/users/<username>/<path to repository>
>
> Greetsz, Jakob
>
>
> Igor Lautar wrote:
>> Hi All,
>>
>> We are setting up a repo served by hgwebdir over https. Apache
>> requires client to have certificate issued by this server.
>>
>> I have .pam file that I've imported into firefox and are able to access repo.
>>
>> Now I want to clone repo using hg (or use existing repo and
>> authenticate to this repo).
>>
>>>From docs, I've seen that [auth] section should be used:
>>
>> [paths]
>> default = https://<server>/<repo>
>>
>> [auth]
>> rc.prefix = <server>
>> rc.username = <username>
>> rc.password = <password>
>> rc.key = <key>
>> rc.cert = <cert>
>> rc.schemes = https
>>
>> where <key> is .pam file I've also imported to FF and <cert> is
>> authority cerfiticate I've accepted in FF and exported for HG to use.
>>
>> However, it seams [auth] section is ignored (or at least not working
>> with this configuration):
>>
>> $ hg --traceback pull
>> Traceback (most recent call last):
>>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 43,
>> in _runcatch
>>     return _dispatch(ui, args)
>>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 449,
>> in _dispatch
>>     return runcommand(lui, repo, cmd, fullargs, ui, options, d)
>>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 317,
>> in runcommand
>>     ret = _runcommand(ui, options, cmd, d)
>>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 501,
>> in _runcommand
>>     return checkargs()
>>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 454,
>> in checkargs
>>     return cmdfunc()
>>   File "/usr/lib/pymodules/python2.6/mercurial/dispatch.py", line 448,
>> in <lambda>
>>     d = lambda: util.checksignature(func)(ui, *args, **cmdoptions)
>>   File "/usr/lib/pymodules/python2.6/mercurial/util.py", line 402, in check
>>     return func(*args, **kwargs)
>>   File "/usr/lib/pymodules/python2.6/mercurial/commands.py", line 2287, in pull
>>     other = hg.repository(cmdutil.remoteui(repo, opts), source)
>>   File "/usr/lib/pymodules/python2.6/mercurial/hg.py", line 63, in repository
>>     repo = _lookup(path).instance(ui, path, create)
>>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 254,
>> in instance
>>     inst.between([(nullid, nullid)])
>>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 175,
>> in between
>>     d = self.do_read("between", pairs=n)
>>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 126,
>> in do_read
>>     fp = self.do_cmd(cmd, **args)
>>   File "/usr/lib/pymodules/python2.6/mercurial/httprepo.py", line 79, in do_cmd
>>     resp = self.urlopener.open(urllib2.Request(cu, data, headers))
>>   File "/usr/lib/python2.6/urllib2.py", line 389, in open
>>     response = self._open(req, data)
>>   File "/usr/lib/python2.6/urllib2.py", line 407, in _open
>>     '_open', req)
>>   File "/usr/lib/python2.6/urllib2.py", line 367, in _call_chain
>>     result = func(*args)
>>   File "/usr/lib/pymodules/python2.6/mercurial/url.py", line 425, in https_open
>>     return self.do_open(self._makeconnection, req)
>>   File "/usr/lib/pymodules/python2.6/mercurial/keepalive.py", line
>> 248, in do_open
>>     raise urllib2.URLError(err)
>> URLError: <urlopen error [Errno 1] _ssl.c:480: error:14094410:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure>
>> abort: error: _ssl.c:480: error:14094410:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>>
>>
>>
>> Running 1.3.1 on kubuntu karmic:
>>
>> $ hg --version
>> Mercurial Distributed SCM (version 1.3.1)
>>
>> Copyright (C) 2005-2009 Matt Mackall <mpm@...> and others
>> This is free software; see the source for copying conditions. There is NO
>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>>
>> $ uname -a
>> Linux arrow 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:05:01 UTC
>> 2009 x86_64 GNU/Linux
>>
>> Any ideas?
>>
>> Regards,
>> Igor
>> _______________________________________________
>> Mercurial mailing list
>> Mercurial@...
>> http://selenic.com/mailman/listinfo/mercurial
>

> Hi All,
>
> We are setting up a repo served by hgwebdir over https. Apache
> requires client to have certificate issued by this server.
>
> I have .pam file that I've imported into firefox and are able to access  
> repo.
>
> Now I want to clone repo using hg (or use existing repo and
> authenticate to this repo).
>
> From docs, I've seen that [auth] section should be used:
>
> [paths]
> default = https://<server>/<repo>
>
> [auth]
> rc.prefix = <server>
> rc.username = <username>
> rc.password = <password>
> rc.key = <key>
> rc.cert = <cert>
> rc.schemes = https
>
> etc...

> On Thu, Oct 29, 2009 at 7:50 AM, Igor Lautar <igor.lautar@...> wrote:
>> It would be great if you can check it out. I can also give you a hand.
>> However, I'm not 100% sure it didn't work in the past. Somebody had to
>> put those [auth] section stuff in.
>
>> [...]
>> Seams HTTPS client cert support was added with 7951f385fcb7.
>
> Indeed. I must have overlooked it. Thanks for the hint.
>

> "Paul van der Linden" <paul@...> writes:
>
> Hi Paul
>
> I'm CC'ing our HTTPS expert, perhaps he can help.
>
>> It looks like the security support in mercurial is not very complete.
>> The gui client for windows (tortoisehg) and the eclipse client both
>> just hangs when a PEM certificate with passphrase is used.
>> And the same problem with repeatedly inputting passwords within one
>> command happens when using http authentication. I think Mercurial
>> needs some improvement there.
>
> Have you seen the [auth] section in the hgrc man page:
>
>  http://www.selenic.com/mercurial/hgrc.5.html#auth
>
> That will allow you to specify username and password for HTTP.
>
> It also says something about PEM encoded certificates, but I don't
> anything about those.

> Hi,
>
> On Mon, Nov 2, 2009 at 7:22 PM, Martin Geisler <mg@...> wrote:
>> "Paul van der Linden" <paul@...> writes:
>>
>> Hi Paul
>>
>> I'm CC'ing our HTTPS expert, perhaps he can help.
>>
>>> It looks like the security support in mercurial is not very complete.
>>> The gui client for windows (tortoisehg) and the eclipse client both
>>> just hangs when a PEM certificate with passphrase is used.
>>> And the same problem with repeatedly inputting passwords within one
>>> command happens when using http authentication. I think Mercurial
>>> needs some improvement there.
>> Have you seen the [auth] section in the hgrc man page:
>>
>>  http://www.selenic.com/mercurial/hgrc.5.html#auth
>>
>> That will allow you to specify username and password for HTTP.
>>
>> It also says something about PEM encoded certificates, but I don't
>> anything about those.
>
> If you take a look towards the beginning of this thread, there is a
> lot of talk about that auth section.
>
> There are 2 things:
> * http[s] authentication
> * client certificate and stuff that goes with it (private key,
> certificate, passphrase)
>
> First one is clear. You can also specify username (and pwd, but thats
> not good idea) as part of URL.
> However, for second one, you have to specify passphrase multiple times
> during single session, which is sub-optimal (annoying and breaks
> workflow).
>
> Will try the keep alive trick.

>
> It is correct that you will need to input the PEM password multiple
> times when connecting upstream. This is largely due to an inefficiency
> in urllib2 and occasionally there are factors that make it impossible
> for connections to be reused (I haven't looked too closely at this). For
> the typical hg command it might require several over the wire commands
> and this is why the password must be entered repeatedly. Currently it is
> urllib2 prompting for the password so we're reliant on when it wants to
> ask for it, which is whenever a new connection is made, unfortunately.
>
> The only real alternative is to rip out the use of urllib2 and roll our
> own thing, which will probably not be something that happens lightly.
>
> The PEM certificate support is fairly new (it only arrived in 1.3). If
> Eclipse and TortoiseHg do not work with it, please raise issues on their
> respective issue trackers.
>
> This is where we're at currently, and I'm afraid that there's no easy
> way to help solve your problem with client certificates.
>