[PATCH 4 of 4] ssl: use included dummy cert on OS X to trigger use of the system CA storage
mads at kiilerich.com
Thu Sep 25 10:53:10 CDT 2014
On 09/25/2014 04:36 PM, Augie Fackler wrote:
> On Thu, Sep 25, 2014 at 03:33:05AM +0200, Mads Kiilerich wrote:
>> # HG changeset patch
>> # User Mads Kiilerich <madski at unity3d.com>
>> # Date 1411608721 -7200
>> # Thu Sep 25 03:32:01 2014 +0200
>> # Node ID 5a2e3a66b5a93e17eb6ab4ee2ee713e1dcfb39eb
>> # Parent a2f00946b45a9dc002578c1782ab36b7cc659d14
>> ssl: use included dummy cert on OS X to trigger use of the system CA storage
>> This gives pretty much sane behaviour out of the box without any configuration.
>> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
>> --- a/mercurial/sslutil.py
>> +++ b/mercurial/sslutil.py
>> @@ -6,7 +6,7 @@
>> # This software may be used and distributed according to the terms of the
>> # GNU General Public License version 2 or any later version.
>> -import os
>> +import os, sys
>> from mercurial import util
>> from mercurial.i18n import _
>> @@ -90,6 +90,11 @@ def _verifycert(cert, hostname):
>> def sslkwargs(ui, host):
>> cacerts = ui.config('web', 'cacerts')
>> + if not cacerts and sys.platform == 'darwin':
>> + # use certificate in this file that triggers use of system certs
>> + cacerts = __file__.rstrip('c')
> Should also rstrip o in case someone uses -O?
Right ... even though I kind of would expect that the pem parser would
ignore all junk and find the string even in pyc and pyo. Apparently it
I guess there also could be some "frozen" scenarios where __file__ is
different ... but I doubt frozen is ever used on OS X?
Btw: This trick only works on 10.6+ ... but IIRC 10.5 used Python 2.5
where SSL support was very rudimental so I don't think we have to
>> + ui.debug('using dummy cert in %s to use OS X system store\n' % cacerts)
>> + ui.setconfig('web', 'cacerts', cacerts, 'dummy')
>> forcetls = ui.configbool('ui', 'tls', default=True)
>> if forcetls:
>> ssl_version = PROTOCOL_TLSv1
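Review bot: `cacerts = __file__.rstrip('c')` at the third added line only maps `.pyc` back to `.py`; when the module is loaded from `sslutil.pyo` (the `-O` case raised above) the path comes back unchanged and a bytecode file is handed to the SSL layer as a CA bundle, and under a zipped or frozen install `__file__` may point at no readable file at all. Suggest deriving the path with `os.path.splitext(__file__)[0] + '.py'` and checking `os.path.exists()` before the `ui.setconfig` call, so that a missing or non-PEM file falls back to the existing no-cacerts path (which still warns about unverified connections) instead of failing later inside the SSL handshake; the debug message could also say that verification is being delegated to the OS X system store, since that is what the dummy bundle is there to achieve.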
>> @@ -168,3 +173,37 @@ class validator(object):
>> 'verified (check hostfingerprints or web.cacerts '
>> 'config setting)\n') %
>> (host, nicefingerprint))
>> +A dummy certificate for OS X 10.6+:
>> +-----BEGIN CERTIFICATE-----
>> +-----END CERTIFICATE-----
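Review bot: the three appended lines at the end of this hunk are bare text in a Python module; unless they sit inside a comment or a string literal (a leading `#` or the surrounding quotes may have been lost in quoting), `sslutil.py` will not import. The certificate body between the BEGIN and END markers is also not visible in this copy, so a reviewer cannot tell what the dummy certificate is; suggest a comment next to it stating where it came from and that it is not meant to be trusted by itself, its only role being to make `ca_certs` non-empty so that the system store is consulted, so nobody later mistakes it for a trusted root.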
> So, huh. You just inline the .pem and it works? I guess that makes
> sense, but it's kind of kooky feeling.
Yes. It is a workaround for deficiencies in code so I think it kind of
makes sense to do it in code. We could of course also store the certificate
in a data file somewhere next to the source as we do with templates and
help ... or my initial plan of just making it a config option in a hgrc
file that we install by default.
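The path trick and the `-O` concern discussed above, as an added example that is not Mercurial's own code: the function names (`source_path`, `has_pem_certificate`, `cacerts_for_platform`, `demo`) and the placeholder PEM body are constructed for illustration. It maps `.pyc` and `.pyo` back to the `.py` source, applies the trick only on darwin, and refuses to hand the SSL layer a file that does not actually contain a PEM certificate block.

```python
"""Pick a CA-bundle path the way the patch does, but defensively.

Added example, not Mercurial's own code: the function names below are
hypothetical. It shows the .pyc/.pyo pitfall raised in the review and
checks that the chosen file really contains a PEM certificate before it
would be handed to the SSL layer as ca_certs.
"""
import os
import re
import shutil
import tempfile

# A PEM bundle must hold at least one complete CERTIFICATE block.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n"
    r"(?:[A-Za-z0-9+/=]+\r?\n)+"
    r"-----END CERTIFICATE-----"
)

# Constructed placeholder bundle for the demo; the body is not a real certificate.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURURQTEFDRUhPTERFUg==\n"
    "-----END CERTIFICATE-----\n"
)


def source_path(modulefile):
    """Map a module's __file__ to the .py source beside it.

    __file__ may end in .py, .pyc or .pyo; str.rstrip('c') only covers the
    .pyc case and leaves a .pyo path pointing at bytecode. Anything else
    (zip import, frozen binary) yields None.
    """
    base, ext = os.path.splitext(modulefile)
    if ext in ('.py', '.pyc', '.pyo'):
        return base + '.py'
    return None


def has_pem_certificate(path):
    """True if path is a readable file containing a PEM CERTIFICATE block."""
    try:
        with open(path, 'r') as fh:
            data = fh.read()
    except (IOError, OSError):
        return False
    return _PEM_BLOCK.search(data) is not None


def cacerts_for_platform(configured, platform, modulefile):
    """Return the CA-bundle path to use, or None for 'no bundle'.

    An explicit web.cacerts setting always wins; the dummy-bundle trick is
    applied only on darwin and only when the derived file really is PEM.
    Returning None leaves the caller on its existing unverified-connection
    warning path instead of pointing the SSL layer at a non-PEM file.
    """
    if configured:
        return configured
    if platform != 'darwin':
        return None
    path = source_path(modulefile)
    if path is not None and has_pem_certificate(path):
        return path
    return None


def demo():
    """Exercise the logic against constructed files in a temp directory."""
    tmp = tempfile.mkdtemp()
    try:
        withcert = os.path.join(tmp, 'sslutil.py')
        with open(withcert, 'w') as fh:
            fh.write('# constructed module with an embedded bundle\n' + CONSTRUCTED_PEM)
        nocert = os.path.join(tmp, 'plain.py')
        with open(nocert, 'w') as fh:
            fh.write('# constructed module without a bundle\n')
        return {
            'pyc': cacerts_for_platform(None, 'darwin', withcert + 'c'),
            'pyo': cacerts_for_platform(None, 'darwin', withcert + 'o'),
            'nopem': cacerts_for_platform(None, 'darwin', nocert + 'c'),
            'linux': cacerts_for_platform(None, 'linux2', withcert),
            'explicit': cacerts_for_platform('/path/to/ca.pem', 'darwin', withcert),
            'missing': cacerts_for_platform(None, 'darwin', os.path.join(tmp, 'gone.pyc')),
            'expected': withcert,
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print('%-9s %s' % (key, value))
```

Running the module prints the derived path for the `.pyc` and `.pyo` cases and `None` for the non-darwin, missing-file and no-PEM cases; the explicit `web.cacerts` value is passed through untouched.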