[PATCH v2] ssl: only use the dummy cert hack if using an Apple Python (issue4410)

Mads Kiilerich mads at kiilerich.com
Sat Oct 18 05:45:31 CDT 2014


On 10/18/2014 03:46 AM, Gregory Szorc wrote:
> Looking into this some more, the ssl package in Python 2.7.9 (which 
> isn't even released yet!) has an SSLContext class 
> (https://docs.python.org/2/library/ssl.html#ssl-contexts) that allows 
> you to read CA info. We could conceivably use this (if available) to 
> determine whether the CA store is empty and whether applying the dummy 
> cert hack is necessary. http://bugs.python.org/issue21308 tracked this 
> backport. It's quite possible they also fixed CA discovery on OS X - I 
> haven't looked into the details too much. But we still have to support 
> the masses that won't be on 2.7.9, and this includes not having the 
> ssl package on <2.6.

Yes, we should support the new "2.8" APIs too. That is not implemented 
yet. So far it is more important to support >= 2.6.

Python (and thus Mercurial) do not really have ssl support before 2.6.

> There's probably room for a follow-up to make `hg debuginstall` check 
> the state of the system CA certs by performing a request to a 
> well-known hostname like www.mozilla.org and recommending actions if 
> certificate verification fails.

That might be a good idea.

Some might dislike that it connects to 3rd party sites without asking 
for permission, so it should perhaps not be the default.

Also, if we could give good advice, we could just as well automate it 
and ship the curl/mozilla ca cert list as a fallback. That would take 
most users from "insecure, but not our fault" to "mostly secure, but our 
fault when not really secure anyway".

(Btw: it would be very nice if Mozilla could provide their trusted CA 
certs directly as PEMs so people didn't have to visit haxx and decide if 
they trust them.)

> Speaking of 2.4, weren't we going to drop support for it and 2.5...

So far that is wishful thinking.

One of the major reasons to keep it supported has been weakened by 'make 
docker-centos5' creating EL5 rpms that contain their own Python 2.7.x.

/Mads
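As an added example (not code from this thread or from Mercurial's own sslutil), here is what the SSLContext-based check Gregory describes could look like, combined with the fallback-bundle idea from the reply. The function names, the Apple-Python path heuristic and the fallback bundle path are this example's own assumptions; it needs Python 3.6+ for `ssl.PROTOCOL_TLS_CLIENT`.

```python
"""Probe whether Python's default CA store is populated (added example).

Uses ssl.SSLContext.get_ca_certs(), available since Python 2.7.9 / 3.4,
to decide whether a fallback CA bundle (e.g. the curl/Mozilla list) is
needed before making verified HTTPS requests.
"""
import os
import ssl
import sys


def ca_store_summary(load_defaults=True):
    """Return {'supported': bool, 'count': int, 'empty': bool}.

    With load_defaults=True the platform default CA locations are loaded
    into a fresh context first; with False the context is left untouched
    (so count is 0).  Pythons without SSLContext report supported=False.
    """
    if not hasattr(ssl, "SSLContext"):
        return {"supported": False, "count": 0, "empty": True}
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if load_defaults:
        context.load_default_certs()
    count = len(context.get_ca_certs())
    return {"supported": True, "count": count, "empty": count == 0}


def is_apple_system_python():
    """Heuristic (this example's assumption): the Python shipped with OS X
    lives under /usr/bin or /System/Library and links a vendor-patched
    OpenSSL that consults the Keychain, so an empty get_ca_certs() there
    does not by itself prove that verification will fail."""
    return sys.platform == "darwin" and (
        sys.executable.startswith("/usr/bin/python")
        or sys.executable.startswith("/System/Library/Frameworks/Python.framework/")
    )


def context_with_fallback(fallback_bundle):
    """Build a verifying context (CERT_REQUIRED + hostname check).  If the
    default store turned out empty and a fallback PEM bundle exists, load it.
    Returns (context, used_fallback)."""
    context = ssl.create_default_context()  # loads the platform default CAs
    used_fallback = False
    if not context.get_ca_certs() and fallback_bundle and os.path.isfile(fallback_bundle):
        context.load_verify_locations(cafile=fallback_bundle)
        used_fallback = True
    return context, used_fallback
```

On a minimal container with no system CA bundle, `ca_store_summary()` reports `empty=True` even though `create_default_context()` succeeds, which is exactly the state the proposed `hg debuginstall` check would want to surface.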
