sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)
SSLContext.get_ca_certs() can raise
"ssl.SSLError: unknown error (_ssl.c:636)" on Windows. See
https://bugs.python.org/issue20916 for more info.
We add a try..except that swallows the exception to work around
this bug. If we encounter the bug, we won't print a warning
message about attempting to load CA certificates. This is
unfortunate. But there appears to be little we can do :/
--- a/mercurial/sslutil.py Mon Jul 18 16:25:35 2016 -0500
+++ b/mercurial/sslutil.py Mon Jul 25 12:00:55 2016 -0700
@@ -409,12 +409,18 @@
# a hint to the user.
# Only modern ssl module exposes SSLContext.get_ca_certs() so we can
# only show this warning if modern ssl is available.
- if (caloaded and settings['verifymode'] == ssl.CERT_REQUIRED and
- modernssl and not sslcontext.get_ca_certs()):
- ui.warn(_('(an attempt was made to load CA certificates but none '
- 'were loaded; see '
- 'https://mercurial-scm.org/wiki/SecureConnections for '
- 'how to configure Mercurial to avoid this error)\n'))
+ # The exception handler is here because of
+ # https://bugs.python.org/issue20916.
+ try:
+ if (caloaded and settings['verifymode'] == ssl.CERT_REQUIRED and
+ modernssl and not sslcontext.get_ca_certs()):
+ ui.warn(_('(an attempt was made to load CA certificates but '
+ 'none were loaded; see '
+ 'https://mercurial-scm.org/wiki/SecureConnections '
+ 'for how to configure Mercurial to avoid this '
+ 'error)\n'))
+ except ssl.SSLError:
+ pass
# Try to print more helpful error messages for known failures.
if util.safehasattr(e, 'reason'):
# This error occurs when the client and server don't share a
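Review bot: the `except ssl.SSLError: pass` that closes the new try block discards every SSLError raised inside it, not only the Windows get_ca_certs() failure from issue20916, and leaves no trace that the CA check was skipped. Consider narrowing the try to the `sslcontext.get_ca_certs()` call alone and writing a debug-level message in the handler, so that someone diagnosing a verification failure can tell the "no CA certificates loaded" hint was suppressed rather than not applicable. A short comment next to the `pass` stating that the hint is lost in this case would also put the trade-off from the commit message into the code.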