Mercurial Mercurial > hg-stable / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mercurial/sslutil.py
changeset 29557 53de8255ec4e
parent 29554 4a7b0c696fbc
child 29558 a935cd7d51a6 
--- a/mercurial/sslutil.py	Wed Jul 13 20:41:07 2016 -0700
+++ b/mercurial/sslutil.py	Thu Jul 14 19:56:39 2016 -0700
@@ -264,7 +264,13 @@
 
     settings = _hostsettings(ui, serverhostname)
 
-    # TODO use ssl.create_default_context() on modernssl.
+    # We can't use ssl.create_default_context() because it calls
+    # load_default_certs() unless CA arguments are passed to it. We want to
+    # have explicit control over CA loading because implicitly loading
+    # CAs may undermine the user's intent. For example, a user may define a CA
+    # bundle with a specific CA cert removed. If the system/default CA bundle
+    # is loaded and contains that removed CA, you've just undone the user's
+    # choice.
     sslcontext = SSLContext(settings['protocol'])
 
     # This is a no-op unless using modern ssl.
hg-stable