comparison mercurial/sslutil.py @ 29446:2f7f1e10f840

sslutil: display a better error message when CA file loading fails

Before, sslcontext.load_verify_locations() would raise a ssl.SSLError which would be caught further up the stack and converted to a urlerror. By that time, we lost track of what actually errored.

Trapping the error here gives users a slightly more actionable error message.

The behavior between Python <2.7.9 and Python 2.7.9+ differs. This is because our fake SSLContext class installed on <2.7.9 doesn't actually do anything during load_verify_locations: it defers actions until wrap_socket() time. Unfortunately, a number of errors can occur at wrap_socket() time and we're unable to ascertain what the root cause is. But that shouldn't stop us from providing better error messages to people running a modern and secure Python version.

author Gregory Szorc <gregory.szorc@gmail.com>
date Wed, 29 Jun 2016 19:37:38 -0700
parents e1778b9c8d53
children 13edc11eb7b7
29445:072e4a595607 29446:2f7f1e10f840
266 f = keyfile or certfile 266 f = keyfile or certfile
267 return ui.getpass(_('passphrase for %s: ') % f, '') 267 return ui.getpass(_('passphrase for %s: ') % f, '')
268 sslcontext.load_cert_chain(certfile, keyfile, password) 268 sslcontext.load_cert_chain(certfile, keyfile, password)
269 269
270 if settings['cafile'] is not None: 270 if settings['cafile'] is not None:
271 sslcontext.load_verify_locations(cafile=settings['cafile']) 271 try:
272 sslcontext.load_verify_locations(cafile=settings['cafile'])
273 except ssl.SSLError as e:
274 raise error.Abort(_('error loading CA file %s: %s') % (
275 settings['cafile'], e.args[1]),
276 hint=_('file is empty or malformed?'))
272 caloaded = True 277 caloaded = True
273 elif settings['allowloaddefaultcerts']: 278 elif settings['allowloaddefaultcerts']:
274 # This is a no-op on old Python. 279 # This is a no-op on old Python.
275 sslcontext.load_default_certs() 280 sslcontext.load_default_certs()
276 caloaded = True 281 caloaded = True
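
Review bot: `e.args[1]` on new line 275 assumes the caught ssl.SSLError always carries at least two arguments, but the exception can be constructed with a single message argument, in which case this handler raises IndexError and hides the very error it is meant to report. Pick the message defensively, for example use `e.args[1]` only when `len(e.args) > 1` and fall back to `e.args[0]` or `str(e)` otherwise. Two smaller points: the hint 'file is empty or malformed?' is shown for every SSLError from load_verify_locations(), so the underlying message should always be kept in the abort text as it is here, and a test that points the CA file setting at an empty file and at a non-PEM file would pin down the new wording on Python 2.7.9+.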