Mercurial > hg

diff mercurial/sslutil.py @ 29447:13edc11eb7b7

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: don't load default certificates when they aren't relevant Before, we would call SSLContext.load_default_certs() when certificate verification wasn't being used. Since SSLContext.verify_mode == ssl.CERT_NONE, this would ideally no-op. However, there is a slim chance the loading of system certs could cause a failure. Furthermore, this behavior interfered with a future patch that aims to provide a more helpful error message when we're unable to load CAs. The lack of test fallout is hopefully a sign that our security code and tests are in a relatively good state.
author Gregory Szorc <gregory.szorc@gmail.com>
date Wed, 29 Jun 2016 19:38:24 -0700
parents 2f7f1e10f840
children 5b71a8d7f7ff
line wrap: on
line diff
--- a/mercurial/sslutil.py	Wed Jun 29 19:37:38 2016 -0700
+++ b/mercurial/sslutil.py	Wed Jun 29 19:38:24 2016 -0700
@@ -154,11 +154,13 @@
     # matters. No need to validate CA certs.
     if s['certfingerprints']:
         s['verifymode'] = ssl.CERT_NONE
+        s['allowloaddefaultcerts'] = False
 
     # If --insecure is used, don't take CAs into consideration.
     elif ui.insecureconnections:
         s['disablecertverification'] = True
         s['verifymode'] = ssl.CERT_NONE
+        s['allowloaddefaultcerts'] = False
 
     if ui.configbool('devel', 'disableloaddefaultcerts'):
         s['allowloaddefaultcerts'] = False