Mercurial > hg
comparison mercurial/sslutil.py @ 23042:2cd3fa4412dc
ssl: only use the dummy cert hack if using an Apple Python (issue4410)
The hack for using certificate store in addition to the provided CAs resides in
Apple's OpenSSL. Apple's own Pythons will use it, but other custom built
Pythons might use a custom built OpenSSL without that hack and will fail when
exposed to the dummy cacert introduced in d7f7f1860f00.
There do not seem to be a simple way to check from Python if we are using a
patched OpenSSL or if it is an Apple OpenSSL.
Instead, check if the Python executable resides in /usr/bin/python* or in
/System/Library/Frameworks/Python.framework/ and assume that all Pythons found
there will be native Pythons using the patched OpenSSL.
Custom built Pythons will not get the benefit of using the CAs from the
certificate store.
| author | Mads Kiilerich <madski@unity3d.com> |
|---|---|
| date | Fri, 17 Oct 2014 18:56:12 +0200 |
| parents | d7f7f1860f00 |
| children | 22db405536be |
comparison
equal
deleted
inserted
replaced
| 23041:a36625ef1f35 | 23042:2cd3fa4412dc |
|---|---|
| 86 # validate it against the CA store provided in web.cacerts. | 86 # validate it against the CA store provided in web.cacerts. |
| 87 # | 87 # |
| 88 # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally | 88 # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally |
| 89 # busted on those versions. | 89 # busted on those versions. |
| 90 | 90 |
| 91 def _plainapplepython(): | |
| 92 """return true if this seems to be a pure Apple Python that | |
| 93 * is unfrozen and presumably has the whole mercurial module in the file | |
| 94 system | |
| 95 * presumably is an Apple Python that uses Apple OpenSSL which has patches | |
| 96 for using system certificate store CAs in addition to the provided | |
| 97 cacerts file | |
| 98 """ | |
| 99 if sys.platform != 'darwin' or util.mainfrozen(): | |
| 100 return False | |
| 101 exe = (sys.executable or '').lower() | |
| 102 return (exe.startswith('/usr/bin/python') or | |
| 103 exe.startswith('/system/library/frameworks/python.framework/')) | |
| 104 | |
| 91 def sslkwargs(ui, host): | 105 def sslkwargs(ui, host): |
| 92 forcetls = ui.configbool('ui', 'tls', default=True) | 106 forcetls = ui.configbool('ui', 'tls', default=True) |
| 93 if forcetls: | 107 if forcetls: |
| 94 ssl_version = PROTOCOL_TLSv1 | 108 ssl_version = PROTOCOL_TLSv1 |
| 95 else: | 109 else: |
| 102 cacerts = ui.config('web', 'cacerts') | 116 cacerts = ui.config('web', 'cacerts') |
| 103 if cacerts: | 117 if cacerts: |
| 104 cacerts = util.expandpath(cacerts) | 118 cacerts = util.expandpath(cacerts) |
| 105 if not os.path.exists(cacerts): | 119 if not os.path.exists(cacerts): |
| 106 raise util.Abort(_('could not find web.cacerts: %s') % cacerts) | 120 raise util.Abort(_('could not find web.cacerts: %s') % cacerts) |
| 107 elif cacerts is None and sys.platform == 'darwin' and not util.mainfrozen(): | 121 elif cacerts is None and _plainapplepython(): |
| 108 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') | 122 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') |
| 109 if os.path.exists(dummycert): | 123 if os.path.exists(dummycert): |
| 110 ui.debug('using %s to enable OS X system CA\n' % dummycert) | 124 ui.debug('using %s to enable OS X system CA\n' % dummycert) |
| 111 ui.setconfig('web', 'cacerts', dummycert, 'dummy') | 125 ui.setconfig('web', 'cacerts', dummycert, 'dummy') |
| 112 cacerts = dummycert | 126 cacerts = dummycert |