[PATCH 4 of 4] ssl: use included dummy cert on OS X to trigger use of the system CA storage

Mads Kiilerich mads at kiilerich.com
Thu Sep 25 10:53:10 CDT 2014


On 09/25/2014 04:36 PM, Augie Fackler wrote:
> On Thu, Sep 25, 2014 at 03:33:05AM +0200, Mads Kiilerich wrote:
>> # HG changeset patch
>> # User Mads Kiilerich <madski at unity3d.com>
>> # Date 1411608721 -7200
>> #      Thu Sep 25 03:32:01 2014 +0200
>> # Node ID 5a2e3a66b5a93e17eb6ab4ee2ee713e1dcfb39eb
>> # Parent  a2f00946b45a9dc002578c1782ab36b7cc659d14
>> ssl: use included dummy cert on OS X to trigger use of the system CA storage
>>
>> This give pretty much sane behaviour out of the box without any configuration.
>>
>> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
>> --- a/mercurial/sslutil.py
>> +++ b/mercurial/sslutil.py
>> @@ -6,7 +6,7 @@
>>   #
>>   # This software may be used and distributed according to the terms of the
>>   # GNU General Public License version 2 or any later version.
>> -import os
>> +import os, sys
>>
>>   from mercurial import util
>>   from mercurial.i18n import _
>> @@ -90,6 +90,11 @@ def _verifycert(cert, hostname):
>>
>>   def sslkwargs(ui, host):
>>       cacerts = ui.config('web', 'cacerts')
>> +    if not cacerts and sys.platform == 'darwin':
>> +        # use certificate in this file that triggers use of system certs
>> +        cacerts = __file__.rstrip('c')
> Should also rstrip o in case someone uses -O?

Right ... even though I kind of would expect that the pem parser would 
ignore all junk and find the string even in pyc and pyo. Apparently it 
doesn't.

I guess there also could be some "frozen" scenarios where __file__ is 
different ... but I doubt frozen ever is used on OS X?

Btw: This trick only works on 10.6+ ... but IIRC 10.5 used Python 2.5 
where SSL support was very rudimental so I don't think we have to 
consider that.

>> +        ui.debug('using dummy cert in %s to use OS X system store\n' % cacerts)
>> +        ui.setconfig('web', 'cacerts', cacerts, 'dummy')
>>       forcetls = ui.configbool('ui', 'tls', default=True)
>>       if forcetls:
>>           ssl_version = PROTOCOL_TLSv1
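Review bot: the "cacerts = __file__.rstrip('c')" line is fragile beyond the .pyo case already raised: rstrip strips every trailing 'c' character rather than one suffix, and it leaves a .pyo path untouched, so OpenSSL is then handed a compiled file that the PEM reader cannot parse. "os.path.splitext(__file__)[0] + '.py'" names the source file whichever compiled form was imported, and an os.path.exists check before the setconfig would avoid configuring a path that is not there (the frozen case mentioned in the reply). Separately, "sys.platform == 'darwin'" is true for any Python on OS X, not only a build whose OpenSSL falls back to the system store as the comment assumes; with a different OpenSSL the self-signed dummy becomes the only trust anchor and every https connection fails verification, so the assumption should be stated in the comment next to the platform check so that the resulting "certificate verify failed" reports can be diagnosed.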
>> @@ -168,3 +173,37 @@ class validator(object):
>>                              'verified (check hostfingerprints or web.cacerts '
>>                              'config setting)\n') %
>>                            (host, nicefingerprint))
>> +
>> +
>> +"""
>> +A dummy certificate for OS X 10.6+:
>> +
>> +-----BEGIN CERTIFICATE-----
>> +MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
>> +LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
>> +MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
>> +mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
>> +CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
>> +IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
>> +aKdQRekuMQ==
>> +-----END CERTIFICATE-----
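Review bot: the inlined certificate needs a comment saying what it is, because its validity window is inverted: decoding the DER, notBefore is 140830084559Z (2014-08-30 08:45:59) and notAfter is 140829084559Z (2014-08-29 08:45:59), so the certificate can never validate a peer by itself and exists only to make OpenSSL consult the system store, as the subject line says. Without a line such as "self-signed for hg.example.com, deliberately never valid so it cannot match a real server", the next reader will take it for an expired test certificate committed by mistake, or replace it with a "working" one that would then be a real trust anchor shipped in the source. It is also worth noting in that comment that the string is a bare expression after the validator class, not a docstring, and that it must stay in the .py file verbatim since the PEM reader scans the source text.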
> So, huh. You just inline the .pem and it works? I guess that makes
> sense, but it's kind of kooky feeling.

Yes. It is a workaround for deficiencies in code so I think it kind of 
makes sense to do it in code. We could of course also store the certificate 
in a data file somewhere next to the source as we do with templates and 
help ... or my initial plan of just making it a config option in a hgrc 
file that we install by default.

/Mads