[PATCH v2] ssl: only use the dummy cert hack if using an Apple Python (issue4410)
mads at kiilerich.com
Sat Oct 18 05:45:31 CDT 2014
On 10/18/2014 03:46 AM, Gregory Szorc wrote:
> Looking into this some more, the ssl package in Python 2.7.9 (which
> isn't even released yet!) has an SSLContext class
> (https://docs.python.org/2/library/ssl.html#ssl-contexts) that allows
> you to read CA info. We could conceivably use this (if available) to
> determine whether the CA store is empty and whether applying the dummy
> cert hack is necessary. http://bugs.python.org/issue21308 tracked this
> backport. It's quite possible they also fixed CA discovery on OS X - I
> haven't looked into the details too much. But we still have to support
> the masses that won't be on 2.7.9, and this includes not having the
> ssl package on <2.6.
Yes, we should support the new "2.8" APIs too. That is not implemented
yet. So far it is more important to support >= 2.6.
Python (and thus Mercurial) do not really have ssl support before 2.6.
> There's probably room for a follow-up to make `hg debuginstall` check
> the state of the system CA certs by performing a request to a
> well-known hostname like www.mozilla.org and recommending actions if
> certificate verification fails.
That might be a good idea.
Some might dislike that it connects to 3rd party sites without asking
for permission, so it should perhaps not be the default.
Also, if we could give a good advice, we could just as well automate it
and ship the curl/mozilla ca cert list as fall back. That would take
most users from "insecure, but not our fault" to "mostly secure, but our
fault when not really secure anyway".
(Btw: it would be very nice if Mozilla could provide their trusted CA
certs directly as PEMs so people didn't have to visit haxx and decide if
they trust them.)
> Speaking of 2.4, weren't we going to drop support for it and 2.5...
So far that is wishful thinking.
One of the major reasons to keep it supported has been weakened by 'make
docker-centos5' creating EL5 rpms that contains their own Python 2.7.x.
More information about the Mercurial-devel