sslutil: use certificates provided by certifi if available
The "certifi" Python package provides a distribution of the
Mozilla trusted CA certificates as a Python package. If it is
present, we assume the user intends it to be used and we use
it to provide the default CA certificates when certificates
are otherwise not configured.
It's worth noting that this behavior roughly matches the popular
"requests" package, which also attempts to use "certifi" if
present.
--- a/mercurial/sslutil.py Sun Jul 03 22:28:24 2016 +0530
+++ b/mercurial/sslutil.py Mon Jul 04 09:58:45 2016 -0700
@@ -432,6 +432,16 @@
def _defaultcacerts(ui):
"""return path to default CA certificates or None."""
+ # The "certifi" Python package provides certificates. If it is installed,
+ # assume the user intends it to be used and use it.
+ try:
+ import certifi
+ certs = certifi.where()
+ ui.debug('using ca certificates from certifi\n')
+ return certs
+ except ImportError:
+ pass
+
if _plainapplepython():
dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
if os.path.exists(dummycert):
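Review bot: The added block returns the path from `certifi.where()` without confirming the file exists, so a partial or broken certifi install would presumably hand a missing bundle to the TLS setup instead of falling through to the platform logic below. Guard the return with `if os.path.exists(certs):` and widen the handler to `except (ImportError, AttributeError):` so that a module named certifi lacking `where()` also falls through. Because this branch runs before the `_plainapplepython()` check, any importable certifi takes precedence over whatever the later branches would select, and the trust anchors are then only as current as the installed package. Logging the path, `ui.debug('using ca certificates from certifi: %s\n' % certs)`, would let an operator see which bundle is in force. `_defaultcacerts` continues past the end of the hunk.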