# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1462433563 25200
# Node ID 16021d58c5ca44d6fa64f1a8e15edf05181aad17
# Parent  c8fbfb9163ce786d0feee162365bd5353d6dbe20
sslutil: make sslkwargs code even more explicit

The ways in which this code can interact with socket wrapping
and validation later are mind numbing. This patch helps make it
even more clear.

The end behavior should be identical.

diff -r c8fbfb9163ce -r 16021d58c5ca mercurial/sslutil.py
--- a/mercurial/sslutil.py	Wed May 04 23:38:34 2016 -0700
+++ b/mercurial/sslutil.py	Thu May 05 00:32:43 2016 -0700
@@ -261,18 +261,26 @@
 
     # No CAs in config. See if we can load defaults.
     cacerts = _defaultcacerts()
+
+    # We found an alternate CA bundle to use. Load it.
     if cacerts:
         ui.debug('using %s to enable OS X system CA\n' % cacerts)
-    else:
-        if not _canloaddefaultcerts:
-            cacerts = '!'
+        ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+        kws.update({'ca_certs': cacerts,
+                    'cert_reqs': ssl.CERT_REQUIRED})
+        return kws
 
-    ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+    # FUTURE this can disappear once wrapsocket() is secure by default.
+    if _canloaddefaultcerts:
+        kws['cert_reqs'] = ssl.CERT_REQUIRED
+        return kws
 
-    if cacerts != '!':
-        kws.update({'ca_certs': cacerts,
-                    'cert_reqs': ssl.CERT_REQUIRED,
-                    })
+    # This is effectively indicating that no CAs can be loaded because
+    # we can't get here if web.cacerts is set or if we can find
+    # CA certs elsewhere. Using a config option (which is later
+    # consulted by validator.__call__ is not very obvious).
+    # FUTURE fix this
+    ui.setconfig('web', 'cacerts', '!', 'defaultcacerts')
     return kws
 
 class validator(object):