Using client certificates for authentication seems to cause the underlying SSL library to create a password prompt. This breaks TortoiseHg (which sits waiting patiently forever when you try push/pull) at the very least.
"If the password argument is not specified and a password is required, OpenSSL’s built-in password prompting mechanism will be used to interactively prompt the user for a password." - https://docs.python.org/2/library/ssl.html
We don't pass a password callback to load_cert_chain, so the commandserver breaks.
Related: https://bitbucket.org/tortoisehg/thg/issue/4144/basic-autnentication-is-only-weakly-secure
I'll take a look at this. BTW, on Python 2.7.9, I got the password prompt twice: once from httplib.HTTPSConnection and once from sslutil.ssl_wrap_socket.
Fixed by https://selenic.com/repo/hg/rev/21b536f01eda

Yuya Nishihara <yuya@tcha.org>
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)

This is necessary to communicate with third-party tools through command-server channel. This requires SSLContext backported to Python 2.7.9+.

It doesn't look nice to pass ui by sslkwargs, but I think it is the only way to do without touching various client code including httpclient (aka http2). ui is mandatory if certfile is specified, so it has no default value.

BTW, test-check-commit-hg.t complains that ssl_wrap_socket() has foo_bar naming. Should I bulk-replace it to sslwrapsocket()?

(please test the fix)
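The mechanism behind the fix, as an added illustration rather than Mercurial's own sslutil code: a `load_cert_chain(password=...)` callable that routes the passphrase request through a `ui.getpass()`-style function instead of OpenSSL's terminal prompt, and caches the answer so the two SSL wraps seen on Python 2.7.9 ask only once. `PassphraseSource`, `client_context`, `make_test_identity` and the openssl CLI invocation that builds a throwaway self-signed certificate and encrypted key are assumptions of this example, not names from the Mercurial tree.

```python
import os
import shutil
import ssl
import subprocess
import tempfile


class PassphraseSource:
    """Callable for load_cert_chain(password=...); asks a ui.getpass()-style
    function once and caches the answer, so a second SSL wrap does not re-prompt."""

    def __init__(self, getpass, keyfile):
        self._getpass = getpass      # stand-in for ui.getpass in Mercurial
        self._keyfile = keyfile
        self._cached = None
        self.prompts = 0             # how many times the user was actually asked

    def __call__(self):
        if self._cached is None:
            self.prompts += 1
            self._cached = self._getpass("passphrase for %s: " % self._keyfile)
        return self._cached


def client_context(certfile, keyfile, source):
    """Client SSLContext whose key passphrase comes from `source`. Without
    password=..., an encrypted key makes OpenSSL prompt on the terminal."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.load_cert_chain(certfile, keyfile, password=source)
    return ctx


def passphrase_accepted(certfile, keyfile, source):
    """True if OpenSSL could decrypt the key with what `source` supplied."""
    try:
        client_context(certfile, keyfile, source)
    except ssl.SSLError:
        return False
    return True


def make_test_identity(passphrase):
    """Constructed test material (self-signed cert + passphrase-encrypted key)
    built with the openssl CLI; returns (certfile, keyfile) or None if unavailable."""
    if shutil.which("openssl") is None:
        return None
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", "1",
           "-subj", "/CN=hg-client-test", "-keyout", key, "-out", cert,
           "-passout", "pass:" + passphrase]
    ok = subprocess.run(cmd, capture_output=True).returncode == 0
    return (cert, key) if ok and os.path.exists(key) else None
```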
Bug was set to TESTING for 8 days, resolving