Mercurial > hg
comparison mercurial/sslutil.py @ 29631:387bdd53c77e stable
sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)
SSLContext.get_ca_certs() can raise
"ssl.SSLError: unknown error (_ssl.c:636)" on Windows. See
https://bugs.python.org/issue20916 for more info.
We add a try..except that swallows the exception to work around
this bug. If we encounter the bug, we won't print a warning
message about attempting to load CA certificates. This is
unfortunate. But there appears to be little we can do :/
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Mon, 25 Jul 2016 12:00:55 -0700 |
| parents | 53e80179bd6a |
| children | 799e36749f1a |
comparison
equal
deleted
inserted
replaced
| 29630:67b180c0e263 | 29631:387bdd53c77e |
|---|---|
| 407 # If we're doing certificate verification and no CA certs are loaded, | 407 # If we're doing certificate verification and no CA certs are loaded, |
| 408 # that is almost certainly the reason why verification failed. Provide | 408 # that is almost certainly the reason why verification failed. Provide |
| 409 # a hint to the user. | 409 # a hint to the user. |
| 410 # Only modern ssl module exposes SSLContext.get_ca_certs() so we can | 410 # Only modern ssl module exposes SSLContext.get_ca_certs() so we can |
| 411 # only show this warning if modern ssl is available. | 411 # only show this warning if modern ssl is available. |
| 412 if (caloaded and settings['verifymode'] == ssl.CERT_REQUIRED and | 412 # The exception handler is here because of |
| 413 modernssl and not sslcontext.get_ca_certs()): | 413 # https://bugs.python.org/issue20916. |
| 414 ui.warn(_('(an attempt was made to load CA certificates but none ' | 414 try: |
| 415 'were loaded; see ' | 415 if (caloaded and settings['verifymode'] == ssl.CERT_REQUIRED and |
| 416 'https://mercurial-scm.org/wiki/SecureConnections for ' | 416 modernssl and not sslcontext.get_ca_certs()): |
| 417 'how to configure Mercurial to avoid this error)\n')) | 417 ui.warn(_('(an attempt was made to load CA certificates but ' |
| 418 'none were loaded; see ' | |
| 419 'https://mercurial-scm.org/wiki/SecureConnections ' | |
| 420 'for how to configure Mercurial to avoid this ' | |
| 421 'error)\n')) | |
| 422 except ssl.SSLError: | |
| 423 pass | |
| 418 # Try to print more helpful error messages for known failures. | 424 # Try to print more helpful error messages for known failures. |
| 419 if util.safehasattr(e, 'reason'): | 425 if util.safehasattr(e, 'reason'): |
| 420 # This error occurs when the client and server don't share a | 426 # This error occurs when the client and server don't share a |
| 421 # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 | 427 # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 |
| 422 # outright. Hopefully the reason for this error is that we require | 428 # outright. Hopefully the reason for this error is that we require |