# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1467254304 25200
# Node ID 13edc11eb7b7c524354d112c113ce492bb3d56d9
# Parent  2f7f1e10f840b69fe677711d075755b704cab80d
sslutil: don't load default certificates when they aren't relevant

Before, we would call SSLContext.load_default_certs() when
certificate verification wasn't being used. Since
SSLContext.verify_mode == ssl.CERT_NONE, this would ideally
no-op. However, there is a slim chance the loading of system
certs could cause a failure. Furthermore, this behavior
interfered with a future patch that aims to provide a more
helpful error message when we're unable to load CAs.

The lack of test fallout is hopefully a sign that our
security code and tests are in a relatively good state.

diff -r 2f7f1e10f840 -r 13edc11eb7b7 mercurial/sslutil.py
--- a/mercurial/sslutil.py	Wed Jun 29 19:37:38 2016 -0700
+++ b/mercurial/sslutil.py	Wed Jun 29 19:38:24 2016 -0700
@@ -154,11 +154,13 @@
     # matters. No need to validate CA certs.
     if s['certfingerprints']:
         s['verifymode'] = ssl.CERT_NONE
+        s['allowloaddefaultcerts'] = False
 
     # If --insecure is used, don't take CAs into consideration.
     elif ui.insecureconnections:
         s['disablecertverification'] = True
         s['verifymode'] = ssl.CERT_NONE
+        s['allowloaddefaultcerts'] = False
 
     if ui.configbool('devel', 'disableloaddefaultcerts'):
         s['allowloaddefaultcerts'] = False