ssl: load CA certificates from system's store by default on Python 2.7.9
This will make it easy to manage in-house CA certificates, which are often
used in corporate environments and installed into the Windows certificate store.
Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9.
The default web.cacerts will be set as follows:
environment web.cacerts behavior
------------- ----------- -----------------------------------------
Apple Python dummycert fall back to system's store
Python 2.7.8 '!' never use CA certs (show warning instead)
Python 2.7.9+ None load CA certs from system's store
--- a/mercurial/sslutil.py Wed Mar 04 23:27:04 2015 +0900
+++ b/mercurial/sslutil.py Thu Feb 26 22:54:13 2015 +0900
@@ -10,12 +10,16 @@
from mercurial import util
from mercurial.i18n import _
+
+_canloaddefaultcerts = False
try:
# avoid using deprecated/broken FakeSocket in python 2.6
import ssl
CERT_REQUIRED = ssl.CERT_REQUIRED
try:
ssl_context = ssl.SSLContext
+ _canloaddefaultcerts = util.safehasattr(ssl_context,
+ 'load_default_certs')
def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
ca_certs=None, serverhostname=None):
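Review bot: The new module-level flag `_canloaddefaultcerts` carries no comment, so a reader has to find both call sites to learn that it means "ssl.SSLContext has load_default_certs(), i.e. Python 2.7.9+/3.4+, so the OS CA store can be consulted". A one-line comment above `_canloaddefaultcerts = False`, e.g. `# True when ssl.SSLContext.load_default_certs() exists (Python 2.7.9+); gates use of the system CA store`, would make the feature probe self-explanatory. The probe is done on the `ssl.SSLContext` class inside the inner try, so the flag presumably stays False on 2.6/2.7.8 where `ssl.SSLContext` is missing; that looks intended but is worth stating in the same comment. ssl_wrap_socket's body continues past the end of the hunk.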
@@ -35,6 +39,8 @@
sslcontext.verify_mode = cert_reqs
if ca_certs is not None:
sslcontext.load_verify_locations(cafile=ca_certs)
+ elif _canloaddefaultcerts:
+ sslcontext.load_default_certs()
sslsocket = sslcontext.wrap_socket(sock,
server_hostname=serverhostname)
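Review bot: The new `elif _canloaddefaultcerts:` branch calls `load_default_certs()` even when `cert_reqs` is `ssl.CERT_NONE`, where the loaded roots are never consulted; `elif cert_reqs != ssl.CERT_NONE and _canloaddefaultcerts:` keeps the system-store lookup (on Windows this enumerates the OS certificate stores) off the no-verification path. Whether callers ever reach this function with CERT_NONE and no cafile cannot be confirmed from the hunk. The branch also deserves a comment making the trust-anchor policy explicit, because it is the security-relevant part of the change: an explicit `ca_certs` file is the sole trust root and the OS store is only used when none is configured, e.g. `# an explicit cafile is the only trust anchor; fall back to the OS store only when none is configured`.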
@@ -130,10 +136,13 @@
exe.startswith('/system/library/frameworks/python.framework/'))
def _defaultcacerts():
+ """return path to CA certificates; None for system's store; ! to disable"""
if _plainapplepython():
dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
if os.path.exists(dummycert):
return dummycert
+ if _canloaddefaultcerts:
+ return None
return '!'
def sslkwargs(ui, host):
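Review bot: The docstring added to `_defaultcacerts` folds three different return contracts into one lowercase line, yet callers decide from this value whether to verify, warn or trust the OS store; it should be a summary line followed by one line per value: a CA bundle path (the dummycert shim on Apple Python), `None` meaning load the OS store via `load_default_certs()`, and `'!'` meaning never use CA certs (the commit message says a warning is shown in that case). Separately, the `_plainapplepython()` branch is tested before `_canloaddefaultcerts`, so an Apple-supplied Python that does gain `load_default_certs()` would still get the dummycert shim rather than the OS store; if that precedence is intended, say so in the docstring, otherwise test `_canloaddefaultcerts` first. `_defaultcacerts` is complete within the hunk; `sslkwargs` starts on its last line and continues outside it.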