changeset 29499:9c5325c79683

sslutil: issue warning when unable to load certificates on OS X

Previously, failure to load system certificates on OS X would lead to a certificate verify failure and that's it. We now print a warning message with a URL that will contain information on how to configure certificates on OS X.

As the inline comment states, there is room to improve here. I think we could try harder to detect Homebrew and MacPorts installed certificate files, for example.

It's worth noting that Homebrew's openssl package uses `security find-certificate -a -p` during package installation to export the system keychain root CAs to etc/openssl/cert.pem. This is something we could consider adding to setup.py. We could also encourage packagers to do this.

For now, I'd just like to get this warning (which matches Windows behavior) landed. We should have time to improve things before release.
author Gregory Szorc <gregory.szorc@gmail.com>
date Wed, 06 Jul 2016 20:46:05 -0700
parents 1b38cfde9530
children 4b16a5bd9948
files mercurial/sslutil.py tests/test-https.t tests/test-patchbomb-tls.t
diffstat 3 files changed, 22 insertions(+), 0 deletions(-)
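The commit message sketches two follow-ups: looking for a Homebrew or MacPorts CA bundle before giving up, and exporting the keychain roots with `security find-certificate -a -p`. The block below is an added example written for this page, not Mercurial's code, showing what that lookup would look like with the check a reviewer would want: a candidate bundle is only accepted if it actually contains PEM certificate blocks, because a file that merely exists (empty, truncated) would be handed to the TLS layer and produce an opaque verify failure instead of the warning. The candidate paths, the keychain path and the function names are assumptions for illustration; the warning text is the one from the hunk below.

```python
import re
import subprocess
import sys

# Added example, not Mercurial's code. The candidate paths below are
# assumptions (common Homebrew and MacPorts layouts), not locations
# Mercurial actually probes.
MACOS_BUNDLE_CANDIDATES = [
    '/usr/local/etc/openssl/cert.pem',       # Homebrew on Intel (assumed)
    '/opt/homebrew/etc/openssl@3/cert.pem',  # Homebrew on Apple Silicon (assumed)
    '/opt/local/etc/openssl/cert.pem',       # MacPorts (assumed)
]

# Same wording as the ui.warn() call in the sslutil hunk.
CA_WARNING = ('(unable to load CA certificates; see '
              'https://mercurial-scm.org/wiki/SecureConnections for '
              'how to configure Mercurial to avoid this message)\n')

_PEM_CERT = re.compile(
    rb'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', re.DOTALL)


def _read_file(path):
    with open(path, 'rb') as fh:
        return fh.read()


def count_pem_certs(path, readfile=_read_file):
    """Number of PEM certificate blocks in path; 0 if missing or unreadable.

    Only the PEM framing is checked, not that each block parses as X.509.
    The point is to reject an empty or truncated bundle, which a plain
    os.path.exists() test would accept and which then fails every
    verification without ever showing the user the warning.
    """
    try:
        data = readfile(path)
    except OSError:
        return 0
    return len(_PEM_CERT.findall(data))


def find_ca_bundle(can_load_default_certs, platform=sys.platform,
                   candidates=MACOS_BUNDLE_CANDIDATES, readfile=_read_file,
                   warn=sys.stderr.write):
    """Return a CA bundle path to use explicitly, or None.

    Mirrors the darwin branch of the hunk: None without a warning means the
    ssl module can load the platform default store itself; None with the
    warning means nothing usable was found. Non-darwin platforms return None
    silently, as the surrounding function does.
    """
    if platform != 'darwin' or can_load_default_certs:
        return None
    for path in candidates:
        if count_pem_certs(path, readfile) > 0:
            return path
    warn(CA_WARNING)
    return None


def export_keychain_roots(
        dest,
        keychain='/System/Library/Keychains/SystemRootCertificates.keychain'):
    """Export a keychain's certificates to a PEM file (macOS only).

    Runs the `security find-certificate -a -p` command the commit message
    attributes to Homebrew's openssl formula. The keychain path is an
    assumption. Returns the number of certificates written so a caller can
    refuse to install an empty bundle.
    """
    if sys.platform != 'darwin':
        raise RuntimeError('security(1) is only available on macOS')
    pem = subprocess.check_output(
        ['security', 'find-certificate', '-a', '-p', keychain])
    with open(dest, 'wb') as fh:
        fh.write(pem)
    return len(_PEM_CERT.findall(pem))


if __name__ == '__main__':
    bundle = find_ca_bundle(can_load_default_certs=False)
    print('CA bundle:', bundle or '(none; warning printed if on macOS)')
```

`readfile` and `warn` are injectable only so the lookup can be exercised without touching the real filesystem or stderr; in real use the defaults apply.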
--- a/mercurial/sslutil.py	Thu Jun 30 08:38:19 2016 -0700
+++ b/mercurial/sslutil.py	Wed Jul 06 20:46:05 2016 -0700
@@ -468,6 +468,18 @@
         if os.path.exists(dummycert):
             return dummycert
 
+    # The Apple OpenSSL trick isn't available to us. If Python isn't able to
+    # load system certs, we're out of luck.
+    if sys.platform == 'darwin':
+        # FUTURE Consider looking for Homebrew or MacPorts installed certs
+        # files. Also consider exporting the keychain certs to a file during
+        # Mercurial install.
+        if not _canloaddefaultcerts:
+            ui.warn(_('(unable to load CA certificates; see '
+                      'https://mercurial-scm.org/wiki/SecureConnections for '
+                      'how to configure Mercurial to avoid this message)\n'))
+        return None
+
     return None
 
 def validatesocket(sock):
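Review bot: the `return None` at the end of the `if sys.platform == 'darwin':` block duplicates the function's final `return None` two lines below it; drop the inner one, or collapse the branch to `if sys.platform == 'darwin' and not _canloaddefaultcerts: ui.warn(...)`, so the hunk carries only the one behavioural change. Also, `_canloaddefaultcerts`, `sys` and `_` are used here but not defined in this hunk; worth confirming they are already imported or defined at module level in sslutil.py before this lands.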
--- a/tests/test-https.t	Thu Jun 30 08:38:19 2016 -0700
+++ b/tests/test-https.t	Wed Jul 06 20:46:05 2016 -0700
@@ -67,6 +67,14 @@
   [255]
 #endif
 
+#if no-sslcontext osx
+  $ hg clone https://localhost:$HGPORT/ copy-pull
+  (unable to load CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
+  abort: localhost certificate error: no certificate received
+  (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
+  [255]
+#endif
+
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   abort: error: *certificate verify failed* (glob)
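Review bot: the new `#if no-sslcontext osx` block expects the warning line unconditionally, whereas the sslutil hunk emits it only when `_canloaddefaultcerts` is false, and the `#if no-defaultcacerts` block further down in this file marks the very same line optional with `(?)`. If `no-sslcontext` on OS X is exactly the condition under which `_canloaddefaultcerts` is false, a one-line comment above the block saying so would justify the stricter expectation; otherwise key this block on `no-defaultcacerts` as well so two blocks do not encode different expectations for one code path.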
@@ -75,6 +83,7 @@
 
 #if no-defaultcacerts
   $ hg clone https://localhost:$HGPORT/ copy-pull
+  (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   abort: localhost certificate error: no certificate received
   (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
   [255]
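Review bot: the `(?)` marker makes the warning line optional, so this block passes whether or not the warning is printed, and the `*` in `unable to load * certificates` accepts any wording. That is tolerable only because the `osx` block above pins the exact text; a short comment noting that the line is optional because the warning is emitted only on OS X and Windows (as the commit message says) would keep the next reader from loosening the expectation further or wondering why it is so weak.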
--- a/tests/test-patchbomb-tls.t	Thu Jun 30 08:38:19 2016 -0700
+++ b/tests/test-patchbomb-tls.t	Wed Jul 06 20:46:05 2016 -0700
@@ -77,6 +77,7 @@
   this patch series consists of 1 patches.
   
   
+  (unable to load * certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
   abort: localhost certificate error: no certificate received
   (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
   [255]
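Review bot: same loose expectation as in test-https.t: with `(?)` this test cannot fail if the warning disappears, and the `*` glob accepts any noun after "unable to load". If the intent is only to tolerate the extra line on OS X and Windows, a brief comment to that effect would help; as written, the only test that checks the warning text itself is the `no-sslcontext osx` block in test-https.t.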