[PATCH 4 of 4] ssl: use included dummy cert on OS X to trigger use of the system CA storage

Mads Kiilerich mads at kiilerich.com
Wed Sep 24 20:33:05 CDT 2014


# HG changeset patch
# User Mads Kiilerich <madski at unity3d.com>
# Date 1411608721 -7200
#      Thu Sep 25 03:32:01 2014 +0200
# Node ID 5a2e3a66b5a93e17eb6ab4ee2ee713e1dcfb39eb
# Parent  a2f00946b45a9dc002578c1782ab36b7cc659d14
ssl: use included dummy cert on OS X to trigger use of the system CA storage

This gives pretty much sane behaviour out of the box without any configuration.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -6,7 +6,7 @@
 #
 # This software may be used and distributed according to the terms of the
 # GNU General Public License version 2 or any later version.
-import os
+import os, sys
 
 from mercurial import util
 from mercurial.i18n import _
@@ -90,6 +90,11 @@ def _verifycert(cert, hostname):
 
 def sslkwargs(ui, host):
     cacerts = ui.config('web', 'cacerts')
+    if not cacerts and sys.platform == 'darwin':
+        # use certificate in this file that triggers use of system certs
+        cacerts = __file__.rstrip('c')
+        ui.debug('using dummy cert in %s to use OS X system store\n' % cacerts)
+        ui.setconfig('web', 'cacerts', cacerts, 'dummy')
     forcetls = ui.configbool('ui', 'tls', default=True)
     if forcetls:
         ssl_version = PROTOCOL_TLSv1
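Review bot: The path computed on the added line `cacerts = __file__.rstrip('c')` is handed to web.cacerts without checking that it is a readable PEM file: when sslutil is loaded from a `.pyo` (`rstrip('c')` leaves the name untouched) or from a zip/frozen bundle where `__file__` is not a real file, every HTTPS connection will presumably fail on an unusable `ca_certs` rather than keep the previous behaviour. I would derive the path with `cacerts = os.path.splitext(__file__)[0] + '.py'` and only call `ui.setconfig` when `os.path.isfile(cacerts)` is true (`os` is already imported). A comment is also warranted that the trick, as I understand it, relies on Apple's OpenSSL consulting the system keychain once verification against web.cacerts fails; with a Python linked against a non-Apple OpenSSL the never-valid dummy cert is the only trust anchor and all verification fails closed, while `sys.platform == 'darwin'` is true in both cases. sslkwargs continues past the end of the hunk.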
@@ -168,3 +173,37 @@ class validator(object):
                            'verified (check hostfingerprints or web.cacerts '
                            'config setting)\n') %
                          (host, nicefingerprint))
+
+
+"""
+A dummy certificate for OS X 10.6+:
+
+-----BEGIN CERTIFICATE-----
+MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
+LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
+MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
+CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
+IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
+aKdQRekuMQ==
+-----END CERTIFICATE-----
+
+This certificate was generated to be syntactically valid but never be usable;
+it expired before it became valid.
+
+Created as:
+
+  $ cat > cn.conf << EOT
+  > [req]
+  > distinguished_name = req_distinguished_name
+  > [req_distinguished_name]
+  > commonName = Common Name
+  > commonName_default = no.example.com
+  > EOT
+  $ openssl req -nodes -new -x509 -keyout /dev/null \
+  >   -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
+
+To verify the content of this certificate:
+
+  $ openssl x509 -in sslutil.py -noout -text
+"""

