view mercurial/dummycert.pem @ 36426:23d12524a202

http: drop custom http client logic

Eight and a half years ago, as my starter bug on code.google.com, I investigated a mysterious "broken pipe" error from seemingly random clients[0]. That investigation revealed a tragic story: the Python standard library's httplib was (and remains) barely functional. During large POSTs, if a server responds early with an error (even a permission denied error!) the client only notices that the server closed the connection and everything breaks. Such server behavior is implicitly legal under RFC 2616 (the latest HTTP RFC as of when I was last working on this), and my understanding is that later RFCs have made it explicitly legal to respond early with any status code outside the 2xx range.

I embarked, probably foolishly, on a journey to write a new http library with better overall behavior. The http library appears to work well in most cases, but it can get confused in the presence of proxies, and it depends on select(2) which limits its utility if a lot of file descriptors are open. I haven't touched the http library in almost two years, and in the interim the Python community has discovered a better way[1] of writing network code. In theory some day urllib3 will have its own home-grown http library built on h11[2], or we could do that. Either way, it's time to declare our current confusingly-named "http2" client logic and move on. I do hope to revisit this some day: it's still garbage that we can't even respond with a 401 or 403 without reading the entire POST body from the client, but the goalposts on writing a new http client library have moved substantially. We're almost certainly better off just switching to requests and eventually picking up their http fixes than trying to live with something that realistically only we'll ever use. Another approach would be to write an adapter so that Mercurial can use pycurl if it's installed.

Neither of those approaches seems like it should be investigated prior to a release of Mercurial that works on Python 3: that's where the mindshare is going to be for any improvements to the state of the http client art.

0: http://web.archive.org/web/20130501031801/http://code.google.com/p/support/issues/detail?id=2716
1: http://sans-io.readthedocs.io/
2: https://github.com/njsmith/h11

Differential Revision: https://phab.mercurial-scm.org/D2444
author Augie Fackler <augie@google.com>
date Sun, 25 Feb 2018 23:51:32 -0500
parents d7f7f1860f00
children

A dummy certificate that will make OS X 10.6+ Python use the system CA
certificate store:

-----BEGIN CERTIFICATE-----
MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
aKdQRekuMQ==
-----END CERTIFICATE-----

This certificate was generated to be syntactically valid but never be usable;
it expired before it became valid.

Created as:

  $ cat > cn.conf << EOT
  > [req]
  > distinguished_name = req_distinguished_name
  > [req_distinguished_name]
  > commonName = Common Name
  > commonName_default = no.example.com
  > EOT
  $ openssl req -nodes -new -x509 -keyout /dev/null \
  >   -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'

To verify the content of this certificate:

  $ openssl x509 -in dummycert.pem -noout -text
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
      Signature Algorithm: sha1WithRSAEncryption
          Issuer: CN=hg.example.com
          Validity
              Not Before: Aug 30 08:45:59 2014 GMT
              Not After : Aug 29 08:45:59 2014 GMT
          Subject: CN=hg.example.com
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (512 bit)
                  Modulus:
                      00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
                      19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
                      51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
                      f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
                      a4:05:81:60:29
                  Exponent: 65537 (0x10001)
      Signature Algorithm: sha1WithRSAEncryption
           17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
           5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
           f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
           27:b5:9e:68:a7:50:45:e9:2e:31
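As an added check that is not part of this file or of Mercurial's own code: the Python snippet below walks the certificate's DER structure with a small hand-written parser (no third-party library) to pull out the Validity field, and confirms the "never usable" property described above, namely that notAfter precedes notBefore so no point in time can pass a validity check. The parser and the function names are this example's own assumptions; the certificate is the one shown in this file.

```python
import base64
from datetime import datetime, timezone
# The dummy certificate from this file, embedded so the check runs offline.
DUMMYCERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
aKdQRekuMQ==
-----END CERTIFICATE-----
"""

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _parse_time(tag, value):
    # 0x17 = UTCTime YYMMDDHHMMSSZ (%y reads "14" as 2014), 0x18 = GeneralizedTime.
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_period(pem):
    """Return (notBefore, notAfter) as aware UTC datetimes from a PEM certificate."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(b64), 0)   # Certificate ::= SEQUENCE
    fields = list(_children(next(_children(cert))[1]))  # tbsCertificate fields
    if fields[0][0] == 0xA0:               # v2/v3 certificates carry an explicit [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    (t1, v1), (t2, v2) = _children(fields[3][1])
    return _parse_time(t1, v1), _parse_time(t2, v2)

def never_valid(pem):
    """True when notAfter precedes notBefore: no instant passes a validity check."""
    not_before, not_after = validity_period(pem)
    return not_after < not_before
```

The dates recovered agree with the openssl output above (Not Before Aug 30 2014, Not After Aug 29 2014), one day apart in the wrong order.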