[PATCH 4 of 4] ssl: use included dummy cert on OS X to trigger use of the system CA storage
Mads Kiilerich
mads at kiilerich.com
Wed Sep 24 20:33:05 CDT 2014
# HG changeset patch
# User Mads Kiilerich <madski at unity3d.com>
# Date 1411608721 -7200
# Thu Sep 25 03:32:01 2014 +0200
# Node ID 5a2e3a66b5a93e17eb6ab4ee2ee713e1dcfb39eb
# Parent a2f00946b45a9dc002578c1782ab36b7cc659d14
ssl: use included dummy cert on OS X to trigger use of the system CA storage
This gives pretty much sane behaviour out of the box without any configuration.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -6,7 +6,7 @@
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
-import os
+import os, sys
from mercurial import util
from mercurial.i18n import _
@@ -90,6 +90,11 @@ def _verifycert(cert, hostname):
def sslkwargs(ui, host):
cacerts = ui.config('web', 'cacerts')
+ if not cacerts and sys.platform == 'darwin':
+ # use certificate in this file that triggers use of system certs
+ cacerts = __file__.rstrip('c')
+ ui.debug('using dummy cert in %s to use OS X system store\n' % cacerts)
+ ui.setconfig('web', 'cacerts', cacerts, 'dummy')
forcetls = ui.configbool('ui', 'tls', default=True)
if forcetls:
ssl_version = PROTOCOL_TLSv1
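Review bot: `cacerts = __file__.rstrip('c')` only turns a `.pyc` path into the `.py` path; when the module is loaded from a `.pyo` or from a zip/frozen archive (as py2app bundles on OS X commonly are), the result is either still the bytecode file or a path that does not exist, so the CA file passed to the SSL layer has no PEM block and verification fails with a misleading error instead of the intended fallback to the system store. A safer derivation is `cacerts = os.path.splitext(__file__)[0] + '.py'` guarded by `if os.path.exists(cacerts):` before the `setconfig` call; `os` is already imported at the top of this file. The condition is `not cacerts`, so an explicitly empty `web.cacerts` is also overridden on darwin — if an empty value is meant by users to opt out of CA verification, this silently changes that behaviour and the intended semantics should be confirmed. sslkwargs continues past the end of the hunk.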
@@ -168,3 +173,37 @@ class validator(object):
'verified (check hostfingerprints or web.cacerts '
'config setting)\n') %
(host, nicefingerprint))
+
+
+"""
+A dummy certificate for OS X 10.6+:
+
+-----BEGIN CERTIFICATE-----
+MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
+LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
+MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
+CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
+IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
+aKdQRekuMQ==
+-----END CERTIFICATE-----
+
+This certificate was generated to be syntactically valid but never be usable;
+it expired before it became valid.
+
+Created as:
+
+ $ cat > cn.conf << EOT
+ > [req]
+ > distinguished_name = req_distinguished_name
+ > [req_distinguished_name]
+ > commonName = Common Name
+ > commonName_default = no.example.com
+ > EOT
+ $ openssl req -nodes -new -x509 -keyout /dev/null \
+ > -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
+
+To verify the content of this certificate:
+
+ $ openssl x509 -in sslutil.py -noout -text
+"""
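Review bot: The docstring explains how the certificate was generated but not why it triggers the system store, which is the property the whole change depends on; as far as I can tell this relies on Apple's system OpenSSL consulting the keychain when verification against the supplied CA file fails, so with a non-Apple OpenSSL (a Homebrew or MacPorts Python, for example) the expired self-signed certificate is the only trust anchor and every HTTPS connection fails verification. That should be stated explicitly, e.g. `This only has the intended effect with Apple's system OpenSSL, which falls back to the keychain when verification against this file fails; other OpenSSL builds will reject every server certificate (fail closed).` Since the PEM block lives inside a source file, the docstring should also note that the module must be installed as a plain `.py` file rather than bytecode only, otherwise the `openssl x509 -in sslutil.py` check and the runtime lookup both find nothing. The trailing string literal is a no-op expression statement after the `validator` class, so it is harmless at import time; the context lines at the top of the hunk belong to a method whose start is outside the hunk.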