# HG changeset patch
# User Yuya Nishihara
# Date 1424958853 -32400
# Node ID 760a86865f806024af5f4ec45ab7b96e334122dc
# Parent b76d8c641746fd19caf5762ca73c4c24a124ea3e
ssl: load CA certificates from system's store by default on Python 2.7.9
This will make it easy to manage in-house CA certificates, which are often used in corporate environment and installed into the Windows' certs store. Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9. The default web.cacerts will be set as follows: environment web.cacerts behavior ------------- ----------- ----------------------------------------- Apple Python dummycert fall back to system's store Python 2.7.8 '!' never use CA certs (show warning instead) Python 2.7.9+ None load CA certs from system's store
diff -r b76d8c641746 -r 760a86865f80 mercurial/sslutil.py
--- a/mercurial/sslutil.py Wed Mar 04 23:27:04 2015 +0900
+++ b/mercurial/sslutil.py Thu Feb 26 22:54:13 2015 +0900
@@ -10,12 +10,16 @@
from mercurial import util
from mercurial.i18n import _
+
+_canloaddefaultcerts = False
try:
# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
CERT_REQUIRED = ssl.CERT_REQUIRED
try:
ssl_context = ssl.SSLContext
+ _canloaddefaultcerts = util.safehasattr(ssl_context,
+ 'load_default_certs')
def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE, ca_certs=None, serverhostname=None):
@@ -35,6 +39,8 @@
sslcontext.verify_mode = cert_reqs
if ca_certs is not None:
sslcontext.load_verify_locations(cafile=ca_certs)
+ elif _canloaddefaultcerts:
+ sslcontext.load_default_certs()
sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
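Review bot: The new module-level flag `_canloaddefaultcerts` is introduced without a comment, and what it means (probed from `ssl.SSLContext` inside the nested `try`) is explained only in the commit message, not in the file. A one-line comment above the assignment would keep the three-way `web.cacerts` behaviour readable for the next maintainer, e.g. `# True when SSLContext has load_default_certs (Python 2.7.9+), i.e. CA certs can be loaded from the system's store`. The `try` block that sets the flag continues past the end of this hunk.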
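Review bot: `sslcontext.load_default_certs()` is now called whatever `cert_reqs` is, and unlike `load_verify_locations` it does not report when it finds nothing to load, so on a host with an empty or unreadable system store a `CERT_REQUIRED` handshake fails later with a generic verification error rather than a clear "no CA certificates available" message. Consider skipping the load when nothing will be verified, `elif _canloaddefaultcerts and cert_reqs != ssl.CERT_NONE:`, and when verification is required checking that something was loaded (e.g. `sslcontext.cert_store_stats()['x509_ca']` is non-zero) so the user gets an explicit error. The body of `ssl_wrap_socket` starts and ends outside this hunk, so I cannot see whether a later check already covers this.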
@@ -130,10 +136,13 @@
exe.startswith('/system/library/frameworks/python.framework/'))
def _defaultcacerts():
+ """return path to CA certificates; None for system's store; ! to disable"""
if _plainapplepython():
dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
if os.path.exists(dummycert):
return dummycert
+ if _canloaddefaultcerts:
+ return None
return '!'
def sslkwargs(ui, host):
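Review bot: `_defaultcacerts()` now packs three outcomes into one return value, and `None` is also the value Python callers conventionally get for an unset setting, so a consumer that combines it with the configured `web.cacerts` through an `or`-style fallback could not tell "verify against the system's store" from "not configured"; `sslkwargs` is below the hunk, so I cannot confirm how it consumes the value. The docstring should state that `None` is a deliberate mode rather than a missing value, e.g. `"""return path to CA certificates; None means load CA certs from the system's store; '!' disables them"""`, and each consumer of this function is worth a check that it treats `None` that way.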