changeset 24290:b76d8c641746
ssl: set explicit symbol "!" to web.cacerts to disable SSL verification (BC)
The next patch will enable verification by using the system's CA store if
possible, which means we would have to distinguish None (=use default) from
'' (=--insecure). This smells bug-prone and provides no way to override
web.cacerts to forcibly use the system's store by --config argument.
This patch changes the meaning of web.cacerts as follows:
value behavior
------- ---------------------------------------
None/'' use default
'!' never use CA certs (set by --insecure)
<path> verify by the specified CA certificates
Values other than <path> are for internal use and therefore undocumented.
author | Yuya Nishihara <yuya@tcha.org> |
date | Wed, 04 Mar 2015 23:27:04 +0900 |
parents | 07fafcd4bc74 |
children | 760a86865f80 |
files | mercurial/dispatch.py mercurial/hg.py mercurial/sslutil.py tests/hghave.py tests/test-https.t |
diffstat | 5 files changed, 18 insertions(+), 15 deletions(-) [+] |
--- a/mercurial/dispatch.py Wed Mar 04 22:41:48 2015 +0900
+++ b/mercurial/dispatch.py Wed Mar 04 23:27:04 2015 +0900
@@ -826,7 +826,7 @@
 if cmdoptions.get('insecure', False):
 for ui_ in uis:
- ui_.setconfig('web', 'cacerts', '', '--insecure')
+ ui_.setconfig('web', 'cacerts', '!', '--insecure')
 if options['version']:
 return commands.version_(ui)
--- a/mercurial/hg.py Wed Mar 04 22:41:48 2015 +0900
+++ b/mercurial/hg.py Wed Mar 04 23:27:04 2015 +0900
@@ -672,7 +672,9 @@
 for key, val in src.configitems(sect):
 dst.setconfig(sect, key, val, 'copied')
 v = src.config('web', 'cacerts')
- if v:
+ if v == '!':
+ dst.setconfig('web', 'cacerts', v, 'copied')
+ elif v:
 dst.setconfig('web', 'cacerts', util.expandpath(v), 'copied')
 return dst
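Review bot: The new `if v == '!'` branch repeats the `dst.setconfig` call only to keep the sentinel away from `util.expandpath`, and nothing in the hunk says so; a reader will wonder why a config value is copied verbatim in one branch and expanded in the other. A one-line comment above the check, `# '!' means "verification disabled"; it is a marker, not a path to expand`, would make the special case self-explanatory, or the two branches can collapse into `if v: dst.setconfig('web', 'cacerts', v if v == '!' else util.expandpath(v), 'copied')`. The enclosing function starts outside the hunk.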
--- a/mercurial/sslutil.py Wed Mar 04 22:41:48 2015 +0900
+++ b/mercurial/sslutil.py Wed Mar 04 23:27:04 2015 +0900
@@ -134,7 +134,7 @@
 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
 if os.path.exists(dummycert):
 return dummycert
- return None
+ return '!'
 def sslkwargs(ui, host):
 kws = {}
@@ -142,17 +142,18 @@
 if hostfingerprint:
 return kws
 cacerts = ui.config('web', 'cacerts')
- if cacerts:
+ if cacerts == '!':
+ pass
+ elif cacerts:
 cacerts = util.expandpath(cacerts)
 if not os.path.exists(cacerts):
 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
- elif cacerts is None:
- dummycert = _defaultcacerts()
- if dummycert:
- ui.debug('using %s to enable OS X system CA\n' % dummycert)
- ui.setconfig('web', 'cacerts', dummycert, 'dummy')
- cacerts = dummycert
- if cacerts:
+ else:
+ cacerts = _defaultcacerts()
+ if cacerts and cacerts != '!':
+ ui.debug('using %s to enable OS X system CA\n' % cacerts)
+ ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+ if cacerts != '!':
 kws.update({'ca_certs': cacerts,
 'cert_reqs': CERT_REQUIRED,
 })
@@ -201,7 +202,7 @@
 hint=_('check hostfingerprint configuration'))
 self.ui.debug('%s certificate matched fingerprint %s\n' % (host, nicefingerprint))
- elif cacerts:
+ elif cacerts != '!':
 msg = _verifycert(peercert2, host)
 if msg:
 raise util.Abort(_('%s certificate error: %s') % (host, msg),
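Review bot: `_defaultcacerts` now returns the string `'!'` instead of None when dummycert.pem is absent, so the truthiness test callers used until now (the old `return sslutil._defaultcacerts()` in hghave.py, for example) would read "certificates available" on exactly the platforms that have none; every caller has to compare against the sentinel from here on. The function header is outside this hunk, so its docstring cannot be seen, but it should state the new contract, e.g. `"""return the path to the bundled CA certificates, or '!' when none is available"""`. Because the same literal is now spelled out in sslutil.py, hg.py, dispatch.py and hghave.py, a single module-level constant that the other files import would keep the spelling from drifting.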
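Review bot: In the new `else:` branch of sslkwargs the `'!'` returned by `_defaultcacerts()` survives only in the local `cacerts`; it is never written back, because the `ui.setconfig` call sits under `if cacerts and cacerts != '!'`. If validate (the third hunk of this file, whose function starts outside the hunk) still reads `cacerts` from `ui.config('web', 'cacerts')`, as the hunk does not change how it is obtained, it will see None rather than `'!'` on a host with no default store, and the new `elif cacerts != '!':` then calls `_verifycert` for a connection that sslkwargs deliberately opened without `ca_certs`/`CERT_REQUIRED`, instead of taking the branch that handled a falsy `cacerts` before. Recording the sentinel unconditionally keeps the two functions in step: `if cacerts and cacerts != '!':` / `    ui.debug('using %s to enable OS X system CA\n' % cacerts)` / `ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')` with the setconfig dedented to the `else:` body. The `pass` arm of `if cacerts == '!':` can also be dropped by folding the condition into the next test, `elif cacerts and cacerts != '!':` is not needed once the first branch is written as `if cacerts and cacerts != '!':`, but that is cosmetic compared with the missing setconfig.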
--- a/tests/hghave.py Wed Mar 04 22:41:48 2015 +0900
+++ b/tests/hghave.py Wed Mar 04 23:27:04 2015 +0900
@@ -323,7 +323,7 @@
 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
 def has_defaultcacerts():
 from mercurial import sslutil
- return sslutil._defaultcacerts()
+ return sslutil._defaultcacerts() != '!'
 @check("windows", "Windows")
 def has_windows():
--- a/tests/test-https.t Wed Mar 04 22:41:48 2015 +0900
+++ b/tests/test-https.t Wed Mar 04 23:27:04 2015 +0900
@@ -124,7 +124,7 @@
 abort: error: *certificate verify failed* (glob)
 [255]
- $ DISABLEOSXDUMMYCERT="--config=web.cacerts="
+ $ DISABLEOSXDUMMYCERT="--config=web.cacerts=!"
 #endif
 clone via pull
@@ -240,7 +240,7 @@
 $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
 - works without cacerts
- $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
+ $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=!
 5fed3813f7f5
 - fails when cert doesn't match hostname (port is ignored)