[PATCH v2] ssl: only use the dummy cert hack if using an Apple Python (issue4410)

Gregory Szorc gregory.szorc at gmail.com
Fri Oct 17 21:08:29 CDT 2014



> On Oct 17, 2014, at 18:46, Gregory Szorc <gregory.szorc at gmail.com> wrote:
> 
>> On 10/17/14 9:57 AM, Mads Kiilerich wrote:
>> # HG changeset patch
>> # User Mads Kiilerich <madski at unity3d.com>
>> # Date 1413564972 -7200
>> #      Fri Oct 17 18:56:12 2014 +0200
>> # Node ID 4495fd290ef36d4cd65f4b613e9b3da7f87aff15
>> # Parent  840be5ca03e1db16ba994e55597771c418166c97
>> ssl: only use the dummy cert hack if using an Apple Python (issue4410)
>> 
>> The hack for using the certificate store in addition to the provided CAs resides in
>> Apple's OpenSSL. Apple's own Pythons will use it, but other custom-built
>> Pythons might use a custom-built OpenSSL without that hack and will fail when
>> exposed to the dummy cacert introduced in d7f7f1860f00.
>> 
>> There does not seem to be a simple way to check from Python whether we are using a
>> patched OpenSSL or whether it is an Apple OpenSSL.
>> 
>> Instead, check if the Python executable resides in /usr/bin/python* or in
>> /System/Library/Frameworks/Python.framework/ and assume that all Pythons found
>> there will be native Pythons using the patched OpenSSL.
>> 
>> Custom built Pythons will not get the benefit of using the CAs from the
>> certificate store.
> 
> Looking into this some more, the ssl package in Python 2.7.9 (which isn't even released yet!) has an SSLContext class (https://docs.python.org/2/library/ssl.html#ssl-contexts) that allows you to read CA info. We could conceivably use this (if available) to determine whether the CA store is empty and whether applying the dummy cert hack is necessary. http://bugs.python.org/issue21308 tracked this backport. It's quite possible they also fixed CA discovery on OS X - I haven't looked into the details too much. But we still have to support the masses that won't be on 2.7.9, and this includes not having the ssl package on <2.6.
> 
> There's probably room for a follow-up to make `hg debuginstall` check the state of the system CA certs by performing a request to a well-known hostname like www.mozilla.org and recommending actions if certificate verification fails. Do the APIs in Python 2.4 even expose these kinds of failure details? IIRC they don't: 2.4 did TLS in a non-visible manner in C land.
> 

Ignore this last bit. I should not even try to use my brain when I take a day off.

> Speaking of 2.4, weren't we going to drop support for it and 2.5...
> 
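The path heuristic described in the quoted commit message, combined with the SSLContext CA-store probe Gregory mentions for Python 2.7.9, as an added example. This is not Mercurial's own sslutil code: the function names, the explicit `platform` parameter (passed in so the decision can be exercised off a Mac), and the rule that skips the dummy-cert hack whenever the interpreter can already report a populated CA store are assumptions of this example, not something the patch or the thread settles.

```python
import os
import ssl

# The two locations the commit message treats as "native" Apple Pythons,
# i.e. interpreters assumed to be linked against Apple's patched OpenSSL.
APPLE_PYTHON_PREFIXES = (
    "/usr/bin/python",
    "/System/Library/Frameworks/Python.framework/",
)


def is_apple_python(executable, platform):
    """Heuristic from the patch description: treat the interpreter as an
    Apple-shipped Python only on darwin and only when the executable lives
    under one of the well-known system paths.  Custom builds (Homebrew,
    MacPorts, python.org installers) deliberately fail this check."""
    if platform != "darwin" or not executable:
        return False
    exe = os.path.normpath(executable)
    return any(exe.startswith(prefix) for prefix in APPLE_PYTHON_PREFIXES)


def system_ca_count():
    """Return how many CA certificates the default SSLContext can see, or
    None when this Python predates ssl.SSLContext / cert_store_stats()
    (the thread notes these only reach 2.x with 2.7.9).  This is the probe
    Gregory suggests for detecting an empty CA store."""
    if not hasattr(ssl, "SSLContext") or not hasattr(ssl, "create_default_context"):
        return None
    ctx = ssl.create_default_context()   # loads the platform default CAs
    return ctx.cert_store_stats()["x509_ca"]


def needs_dummy_cert_hack(executable, platform, ca_count):
    """Decide whether to install the dummy cacert that makes Apple's OpenSSL
    consult the system certificate store.

    Assumed rule (not from the patch): never apply it to a non-Apple Python,
    since a vanilla OpenSSL will simply reject the dummy cert; and skip it
    when the interpreter can already report discovered CAs, because then
    there is nothing to work around.  ca_count is None when the probe is
    unavailable, in which case we fall back to the path heuristic alone."""
    if not is_apple_python(executable, platform):
        return False
    if ca_count:
        return False
    return True


if __name__ == "__main__":
    import sys
    count = system_ca_count()
    print("platform=%s executable=%s" % (sys.platform, sys.executable))
    print("apple python:", is_apple_python(sys.executable, sys.platform))
    print("visible CA certs:", count)
    print("use dummy cert hack:",
          needs_dummy_cert_hack(sys.executable, sys.platform, count))
```

Run it under the interpreter in question; on a Linux box it reports that the hack is not needed regardless of the CA count, while on a Mac the answer depends on where the interpreter lives and, if the probe is available, on whether any CAs were found.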


More information about the Mercurial-devel mailing list