428 return False |
428 return False |
429 exe = os.path.realpath(sys.executable).lower() |
429 exe = os.path.realpath(sys.executable).lower() |
430 return (exe.startswith('/usr/bin/python') or |
430 return (exe.startswith('/usr/bin/python') or |
431 exe.startswith('/system/library/frameworks/python.framework/')) |
431 exe.startswith('/system/library/frameworks/python.framework/')) |
432 |
432 |
|
433 _systemcacertpaths = [ |
|
434 # RHEL, CentOS, and Fedora |
|
435 '/etc/pki/tls/certs/ca-bundle.trust.crt', |
|
436 # Debian, Ubuntu, Gentoo |
|
437 '/etc/ssl/certs/ca-certificates.crt', |
|
438 ] |
|
439 |
433 def _defaultcacerts(ui): |
440 def _defaultcacerts(ui): |
434 """return path to default CA certificates or None. |
441 """return path to default CA certificates or None. |
435 |
442 |
436 It is assumed this function is called when the returned certificates |
443 It is assumed this function is called when the returned certificates |
437 file will actually be used to validate connections. Therefore this |
444 file will actually be used to validate connections. Therefore this |
438 function may print warnings or debug messages assuming this usage. |
445 function may print warnings or debug messages assuming this usage. |
|
446 |
|
447 We don't print a message when the Python is able to load default |
|
448 CA certs because this scenario is detected at socket connect time. |
439 """ |
449 """ |
440 # The "certifi" Python package provides certificates. If it is installed, |
450 # The "certifi" Python package provides certificates. If it is installed, |
441 # assume the user intends it to be used and use it. |
451 # assume the user intends it to be used and use it. |
442 try: |
452 try: |
443 import certifi |
453 import certifi |
478 ui.warn(_('(unable to load CA certificates; see ' |
488 ui.warn(_('(unable to load CA certificates; see ' |
479 'https://mercurial-scm.org/wiki/SecureConnections for ' |
489 'https://mercurial-scm.org/wiki/SecureConnections for ' |
480 'how to configure Mercurial to avoid this message)\n')) |
490 'how to configure Mercurial to avoid this message)\n')) |
481 return None |
491 return None |
482 |
492 |
|
493 # Try to find CA certificates in well-known locations. We print a warning |
|
494 # when using a found file because we don't want too much silent magic |
|
495 # for security settings. The expectation is that proper Mercurial |
|
496 # installs will have the CA certs path defined at install time and the |
|
497 # installer/packager will make an appropriate decision on the user's |
|
498 # behalf. We only get here and perform this setting as a feature of |
|
499 # last resort. |
|
500 if not _canloaddefaultcerts: |
|
501 for path in _systemcacertpaths: |
|
502 if os.path.isfile(path): |
|
503 ui.warn(_('(using CA certificates from %s; if you see this ' |
|
504 'message, your Mercurial install is not properly ' |
|
505 'configured; see ' |
|
506 'https://mercurial-scm.org/wiki/SecureConnections ' |
|
507 'for how to configure Mercurial to avoid this ' |
|
508 'message)\n') % path) |
|
509 return path |
|
510 |
|
511 ui.warn(_('(unable to load CA certificates; see ' |
|
512 'https://mercurial-scm.org/wiki/SecureConnections for ' |
|
513 'how to configure Mercurial to avoid this message)\n')) |
|
514 |
483 return None |
515 return None |
484 |
516 |
485 def validatesocket(sock): |
517 def validatesocket(sock): |
486 """Validate a socket meets security requiremnets. |
518 """Validate a socket meets security requiremnets. |
487 |
519 |