IIS 7.5 Mercurial设置忽略maxAllowedContentLength

Question

我正在尝试在IIS 7.5上设置Mercurial.我有一个web.config用于忽略该maxAllowedContentLength属性的应用程序目录,我根本无法让IIS接受它!我在全球,本地和各个层面尝试过千种不同的方式.它默认为30MB并且拒绝让我推动大于此的变更集.它甚至没有关闭连接,它只是达到30MB并完全停止.这不是超时问题,我尝试从本地计算机推送到其IP地址.

这到底是怎么回事？

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <add name="Python" path="*.cgi" verb="*" modules="CgiModule" scriptProcessor="C:\Python27\python.exe -u &quot;%s&quot;" resourceType="Unspecified" requireAccess="Script" />
        </handlers>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="1073741824" />
            </requestFiltering>
        </security>
        <rewrite>
            <rules>
                <rule name="rewrite to hgwebdir" patternSyntax="Wildcard">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="hgweb.cgi/{R:1}" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>

    <!-- I don't know if this is supposed to work... it doesn't matter where I put the settings. -->        
    <location path="*">
      <system.web>
        <!-- maxRequestLength is in kilobytes (KB)  -->
        <httpRuntime maxRequestLength="1048576" /> <!-- 1GB -->
      </system.web>
      <system.webServer>
        <security>
          <requestFiltering>
            <!-- maxAllowedContentLength is in bytes (B)  -->
            <requestLimits maxAllowedContentLength="1073741824"/> <!-- 1GB -->
          </requestFiltering>
        </security>
      </system.webServer>
    </location>
</configuration>

Answer 1

我找到了几种处理这个问题的方法:

要在IIS中修复此服务器端,请下载并安装https://www.nartac.com/Products/IISCrypto/Default.aspx并单击BEAST按钮,或通过禁用其他协议强制使用SSL3.0.

如果您无权访问IIS服务器,则可以通过将Python回滚到2.7.2或更早版本来修复它.

如果您喜欢冒险,可以修改sslutil.py中的mercurial源,靠近顶部,更改线

sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
            cert_reqs=cert_reqs, ca_certs=ca_certs)

至

from _ssl import PROTOCOL_SSLv3
sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
            cert_reqs=cert_reqs, ca_certs=ca_certs, ssl_version=PROTOCOL_SSLv3)

这将解决问题并修复IIS后面的mercurial推送限制.

如果您对Python 2.7.3打破此问题感兴趣,请查看 http://bugs.python.org/issue13885以获取解释(与安全相关).如果要修改Python本身,请在Modules/_ssl.c中更改该行

SSL_CTX_set_options(self->ctx,
                    SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

回到2.7.3之前的情况:

SSL_CTX_set_options(self->ctx, SSL_OP_ALL);

编译并重新安装python等.如果我正确理解OpenSSL文档,这会增加更多的SSL兼容性,代价是潜在的安全风险.