# HG changeset patch
# User Gábor Stefanik <gabor.stefanik@nng.com>
# Date 1476893174 -7200
# Node ID b9f7b0c10027764cee77f9c6d61877fcffea837f
# Parent  5ee944b9c750acce1ae6a8bc6011343499a30a5d
sslutil: guard against broken certifi installations (issue5406)

Certifi is currently incompatible with py2exe; the Python code for certifi gets
included in library.zip, but not the cacert.pem file - and even if it were
included, SSLContext can't load a cacert.pem file from library.zip.
This currently makes it impossible to build a standalone Windows version of
Mercurial.

Guard against this, and possibly other situations where a module with the name
"certifi" exists, but is not usable.

diff -r 5ee944b9c750 -r b9f7b0c10027 mercurial/sslutil.py
--- a/mercurial/sslutil.py	Tue Oct 25 18:56:27 2016 +0200
+++ b/mercurial/sslutil.py	Wed Oct 19 18:06:14 2016 +0200
@@ -690,14 +690,15 @@
     We don't print a message when the Python is able to load default
     CA certs because this scenario is detected at socket connect time.
     """
-    # The "certifi" Python package provides certificates. If it is installed,
-    # assume the user intends it to be used and use it.
+    # The "certifi" Python package provides certificates. If it is installed
+    # and usable, assume the user intends it to be used and use it.
     try:
         import certifi
         certs = certifi.where()
-        ui.debug('using ca certificates from certifi\n')
-        return certs
-    except ImportError:
+        if os.path.exists(certs):
+            ui.debug('using ca certificates from certifi\n')
+            return certs
+    except (ImportError, AttributeError):
         pass
 
     # On Windows, only the modern ssl module is capable of loading the system