Mercurial > hg-stable

--- a/mercurial/sslutil.py	Wed May 04 23:01:49 2016 -0700
+++ b/mercurial/sslutil.py	Wed May 04 23:38:34 2016 -0700
@@ -222,14 +222,13 @@
             exe.startswith('/system/library/frameworks/python.framework/'))

 def _defaultcacerts():
-    """return path to CA certificates; None for system's store; ! to disable"""
+    """return path to default CA certificates or None."""
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
         if os.path.exists(dummycert):
             return dummycert
-    if _canloaddefaultcerts:
-        return None
-    return '!'
+
+    return None

 def sslkwargs(ui, host):
     """Determine arguments to pass to wrapsocket().
@@ -262,8 +261,12 @@

     # No CAs in config. See if we can load defaults.
     cacerts = _defaultcacerts()
-    if cacerts and cacerts != '!':
+    if cacerts:
         ui.debug('using %s to enable OS X system CA\n' % cacerts)
+    else:
+        if not _canloaddefaultcerts:
+            cacerts = '!'
+
     ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')

     if cacerts != '!':
--- a/tests/hghave.py	Wed May 04 23:01:49 2016 -0700
+++ b/tests/hghave.py	Wed May 04 23:38:34 2016 -0700
@@ -416,7 +416,7 @@
 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
 def has_defaultcacerts():
     from mercurial import sslutil
-    return sslutil._defaultcacerts() != '!'
+    return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts

 @check("windows", "Windows")
 def has_windows():