Mercurial > hg-stable
changeset 24291:760a86865f80
ssl: load CA certificates from system's store by default on Python 2.7.9
This will make it easy to manage in-house CA certificates, which are often
used in corporate environment and installed into the Windows' certs store.
Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9.
The default web.cacerts will be set as follows:
environment web.cacerts behavior
------------- ----------- -----------------------------------------
Apple Python dummycert fall back to system's store
Python 2.7.8 '!' never use CA certs (show warning instead)
Python 2.7.9+ None load CA certs from system's store
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Thu, 26 Feb 2015 22:54:13 +0900 |
parents | b76d8c641746 |
children | b7add2ebef9e |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 9 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Wed Mar 04 23:27:04 2015 +0900 +++ b/mercurial/sslutil.py Thu Feb 26 22:54:13 2015 +0900 @@ -10,12 +10,16 @@ from mercurial import util from mercurial.i18n import _ + +_canloaddefaultcerts = False try: # avoid using deprecated/broken FakeSocket in python 2.6 import ssl CERT_REQUIRED = ssl.CERT_REQUIRED try: ssl_context = ssl.SSLContext + _canloaddefaultcerts = util.safehasattr(ssl_context, + 'load_default_certs') def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE, ca_certs=None, serverhostname=None): @@ -35,6 +39,8 @@ sslcontext.verify_mode = cert_reqs if ca_certs is not None: sslcontext.load_verify_locations(cafile=ca_certs) + elif _canloaddefaultcerts: + sslcontext.load_default_certs() sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname) @@ -130,10 +136,13 @@ exe.startswith('/system/library/frameworks/python.framework/')) def _defaultcacerts(): + """return path to CA certificates; None for system's store; ! to disable""" if _plainapplepython(): dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') if os.path.exists(dummycert): return dummycert + if _canloaddefaultcerts: + return None return '!' def sslkwargs(ui, host):