sslutil: use certificates provided by certifi if available
author Gregory Szorc <gregory.szorc@gmail.com>
Mon, 04 Jul 2016 09:58:45 -0700
changeset 29486 a62c00f6dd04
parent 29485 6a98f9408a50
child 29487 cdcb5747dc88
sslutil: use certificates provided by certifi if available

The "certifi" Python package provides a distribution of the Mozilla trusted CA certificates as a Python package. If it is present, we assume the user intends it to be used and we use it to provide the default CA certificates when certificates are otherwise not configured.

It's worth noting that this behavior roughly matches the popular "requests" package, which also attempts to use "certifi" if present.
mercurial/sslutil.py
--- a/mercurial/sslutil.py	Sun Jul 03 22:28:24 2016 +0530
+++ b/mercurial/sslutil.py	Mon Jul 04 09:58:45 2016 -0700
@@ -432,6 +432,16 @@
 
 def _defaultcacerts(ui):
     """return path to default CA certificates or None."""
+    # The "certifi" Python package provides certificates. If it is installed,
+    # assume the user intends it to be used and use it.
+    try:
+        import certifi
+        certs = certifi.where()
+        ui.debug('using ca certificates from certifi\n')
+        return certs
+    except ImportError:
+        pass
+
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
         if os.path.exists(dummycert):
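Review bot: the path from certifi.where() is returned without an existence check in the new try block at the top of _defaultcacerts, whereas the dummycert branch just below guards its path with os.path.exists. Consider verifying that certs exists before returning it and falling through to the platform logic otherwise, so a broken certifi install does not hand a missing file to the TLS setup. The try also wraps certifi.where() and ui.debug(), although only the import line is expected to raise the ImportError being caught; narrowing the try to the import would make that explicit. Because this branch runs before the platform-specific checks and is announced only through ui.debug, the docstring or user-facing help should state that an installed certifi takes precedence when no CA certificates are configured.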