Mercurial > hg
changeset 29108:16021d58c5ca
sslutil: make sslkwargs code even more explicit
The ways in which this code can interact with socket wrapping
and validation later are mind numbing. This patch helps make it
even more clear.
The end behavior should be identical.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Thu, 05 May 2016 00:32:43 -0700 |
parents | c8fbfb9163ce |
children | e9ce33c642e8 |
files | mercurial/sslutil.py |
diffstat | 1 files changed, 16 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Wed May 04 23:38:34 2016 -0700 +++ b/mercurial/sslutil.py Thu May 05 00:32:43 2016 -0700 @@ -261,18 +261,26 @@ # No CAs in config. See if we can load defaults. cacerts = _defaultcacerts() + + # We found an alternate CA bundle to use. Load it. if cacerts: ui.debug('using %s to enable OS X system CA\n' % cacerts) - else: - if not _canloaddefaultcerts: - cacerts = '!' + ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts') + kws.update({'ca_certs': cacerts, + 'cert_reqs': ssl.CERT_REQUIRED}) + return kws - ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts') + # FUTURE this can disappear once wrapsocket() is secure by default. + if _canloaddefaultcerts: + kws['cert_reqs'] = ssl.CERT_REQUIRED + return kws - if cacerts != '!': - kws.update({'ca_certs': cacerts, - 'cert_reqs': ssl.CERT_REQUIRED, - }) + # This is effectively indicating that no CAs can be loaded because + # we can't get here if web.cacerts is set or if we can find + # CA certs elsewhere. Using a config option (which is later + # consulted by validator.__call__ is not very obvious). + # FUTURE fix this + ui.setconfig('web', 'cacerts', '!', 'defaultcacerts') return kws class validator(object):