Issue #509 resolved

Perform "push requires ssl" check before authentication

Anonymous created an issue

If an administrator enables the "push requires ssl" option, RhodeCode refuses a push over HTTP after asking for authentication details. For a more secure setup, it should refuse pushing over HTTP before authentication.

The most practical use of the "push requires ssl" option is securing HTTP authentication with the help of SSL. If this is the case, then RhodeCode should not allow someone to send a username/password in clear-text form just to print "requires ssl".

Comments (3)

  1. Marcin Kuzminski repo owner
    • changed milestone to 1.4

    The issue here is that this check is done by Mercurial, and it's after basic auth. I totally agree this should be changed to verify SSL as the initial first step.
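
The ordering requested in this issue, as an added example that is not RhodeCode's or Mercurial's code: a hypothetical WSGI middleware that rejects a plain-HTTP push before any Basic auth challenge is issued. `SslBeforeAuth`, `repo_app`, `probe` and the sample requests are assumptions made for illustration; `unbundle` and `pushkey` are Mercurial's wire-protocol write commands.

```python
from urllib.parse import parse_qs

PUSH_CMDS = {"unbundle", "pushkey"}  # Mercurial wire commands that write


def is_push(environ):
    """True when the request's ?cmd= names a write command."""
    cmds = parse_qs(environ.get("QUERY_STRING", "")).get("cmd", [])
    return any(c in PUSH_CMDS for c in cmds)


class SslBeforeAuth:
    """Hypothetical middleware: transport check first, Basic auth second."""

    def __init__(self, app, push_requires_ssl=True, realm="repo"):
        self.app, self.push_requires_ssl, self.realm = app, push_requires_ssl, realm

    def __call__(self, environ, start_response):
        # 1. Refuse a plain-HTTP push outright. No 401 is sent, so a client
        #    that waits for the challenge never transmits credentials.
        #    Behind a TLS-terminating proxy, wsgi.url_scheme must be set
        #    correctly by the deployment (assumption).
        if (self.push_requires_ssl and is_push(environ)
                and environ.get("wsgi.url_scheme") != "https"):
            body = b"ssl required\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # 2. Only now ask for credentials. Real credential validation is out
        #    of scope here; presence of the header stands in for it.
        if not environ.get("HTTP_AUTHORIZATION"):
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Basic realm="%s"' % self.realm),
                ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def repo_app(environ, start_response):
    """Stand-in for the repository application."""
    start_response("200 OK", [("Content-Length", "0")])
    return [b""]


def probe(app, scheme, query, auth=None):
    """Send one constructed request through app; return (status, headers)."""
    environ = {"wsgi.url_scheme": scheme, "QUERY_STRING": query}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    seen = {}
    b"".join(app(environ, lambda s, h, e=None: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"]
```

A client that sends the `Authorization` header preemptively over HTTP has already exposed it; the server-side ordering only guarantees that the server never solicits credentials on a request it is going to refuse.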
