[PATCH 4 of 4] ssl: use included dummy cert on OS X to trigger use of the system CA storage

Mads Kiilerich mads at kiilerich.com
Thu Sep 25 12:30:59 CDT 2014


On 09/25/2014 07:11 PM, Augie Fackler wrote:
> On Thu, Sep 25, 2014 at 11:53 AM, Mads Kiilerich <mads at kiilerich.com> wrote:
>> On 09/25/2014 04:36 PM, Augie Fackler wrote:
>>> On Thu, Sep 25, 2014 at 03:33:05AM +0200, Mads Kiilerich wrote:
>>>> # HG changeset patch
>>>> # User Mads Kiilerich <madski at unity3d.com>
>>>> # Date 1411608721 -7200
>>>> #      Thu Sep 25 03:32:01 2014 +0200
>>>> # Node ID 5a2e3a66b5a93e17eb6ab4ee2ee713e1dcfb39eb
>>>> # Parent  a2f00946b45a9dc002578c1782ab36b7cc659d14
>>>> ssl: use included dummy cert on OS X to trigger use of the system CA
>>>> storage
>>>>
>>>> This gives pretty much sane behaviour out of the box without any
>>>> configuration.
>>>>
>>>> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
>>>> --- a/mercurial/sslutil.py
>>>> +++ b/mercurial/sslutil.py
>>>> @@ -6,7 +6,7 @@
>>>>    #
>>>>    # This software may be used and distributed according to the terms of
>>>> the
>>>>    # GNU General Public License version 2 or any later version.
>>>> -import os
>>>> +import os, sys
>>>>
>>>>    from mercurial import util
>>>>    from mercurial.i18n import _
>>>> @@ -90,6 +90,11 @@ def _verifycert(cert, hostname):
>>>>
>>>>    def sslkwargs(ui, host):
>>>>        cacerts = ui.config('web', 'cacerts')
>>>> +    if not cacerts and sys.platform == 'darwin':
>>>> +        # use certificate in this file that triggers use of system certs
>>>> +        cacerts = __file__.rstrip('c')
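
Review bot: In sslkwargs, `cacerts = __file__.rstrip('c')` only yields the source path when __file__ ends in .pyc; for a .pyo or any other value of __file__ it leaves cacerts pointing at a file that may hold no parsable certificate. Derive the .py path explicitly (strip a .pyc or .pyo extension) and confirm the file exists before assigning it. The comment should also say why a certificate in this file makes OS X use the system certs, since the lines shown here do not explain it and the new branch changes the default for every darwin user who has no web.cacerts set.
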
>>> Should also rstrip o in case someone uses -O?
>>
>> Right ... even though I kind of would expect that the pem parser would
>> ignore all junk and find the string even in pyc and pyo. Apparently it
>> doesn't.
>>
>> I guess there also could be some "frozen" scenarios where __file__ is
>> different ... but I doubt frozen ever is used on OS X?
>>
>> Btw:  This trick only works on 10.6+ ... but IIRC 10.5 used Python 2.5 where
>> SSL support was very rudimental so I don't think we have to consider that.
> Hm. We should probably sniff for Python 2.6+ as well as darwin then?

We already have

    # CERT_REQUIRED means fetch the cert from the server all the time AND
    # validate it against the CA store provided in web.cacerts.
    #
    # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
    # busted on those versions.


so I think we should be home free.

/Mads
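
The path handling discussed in this thread (.pyc, .pyo and installs without a source file), as an added example that is not part of the patch or of Mercurial. The function names are hypothetical, and the PEM block is a constructed placeholder, since the page does not show how the dummy certificate is embedded:

```python
import os
import re
import tempfile

# One PEM certificate block anywhere in a text file.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s.+?\s-----END CERTIFICATE-----", re.DOTALL)


def source_path(module_file):
    """Map a module's __file__ (.py, .pyc or .pyo) to its .py source path."""
    root, ext = os.path.splitext(module_file)
    return root + ".py" if ext in (".pyc", ".pyo") else module_file


def embedded_cert_file(module_file):
    """Return the .py path if it exists and holds a PEM block, else None."""
    path = source_path(module_file)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None  # e.g. frozen install: no source file on disk
    return path if PEM_CERT.search(text) else None


def demo():
    """Exercise the checks on constructed files (placeholder, not a real cert)."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "withcert.py")
    bare = os.path.join(tmp, "nocert.py")
    with open(good, "w") as fh:
        fh.write('DUMMY = """\n-----BEGIN CERTIFICATE-----\nQUJD\n'
                 '-----END CERTIFICATE-----\n"""\n')
    with open(bare, "w") as fh:
        fh.write("x = 1\n")
    return {
        "pyc": embedded_cert_file(good + "c") == good,
        "pyo": embedded_cert_file(good + "o") == good,
        "no_pem": embedded_cert_file(bare + "c"),
        "missing": embedded_cert_file(os.path.join(tmp, "gone.pyc")),
    }


if __name__ == "__main__":
    print(demo())
```

Returning None when no usable file is found lets the caller fall back to its behaviour without web.cacerts instead of passing the SSL layer a path it cannot parse.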
