[PATCH 4 of 4 V2] ssl: load CA certificates from system's store by default on Python 2.7.9

Yuya Nishihara yuya at tcha.org
Thu Mar 12 10:41:57 CDT 2015 

# HG changeset patch
# User Yuya Nishihara <yuya at tcha.org>
# Date 1424958853 -32400
#      Thu Feb 26 22:54:13 2015 +0900
# Node ID 4a831146e17df61f30573d852bba9062883791d6
# Parent  aa314d9b7beae9d6bdc9f939615edf5a18c17144
ssl: load CA certificates from system's store by default on Python 2.7.9

This will make it easy to manage in-house CA certificates, which are often
used in corporate environment and installed into the Windows' certs store.

Unlike Apple python, the dummycert trick isn't necessary on Python 2.7.9.
The default web.cacerts will be set as follows:

  environment    web.cacerts  behavior
  -------------  -----------  -----------------------------------------
  Apple Python   dummycert    fall back to system's store
  Python 2.7.8   '!'          never use CA certs (show warning instead)
  Python 2.7.9+  None         load CA certs from system's store

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -10,12 +10,16 @@ import os, sys
 
 from mercurial import util
 from mercurial.i18n import _
+
+_canloaddefaultcerts = False
 try:
     # avoid using deprecated/broken FakeSocket in python 2.6
     import ssl
     CERT_REQUIRED = ssl.CERT_REQUIRED
     try:
         ssl_context = ssl.SSLContext
+        _canloaddefaultcerts = util.safehasattr(ssl_context,
+                                                'load_default_certs')
 
         def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
                             ca_certs=None, serverhostname=None):
@@ -35,6 +39,8 @@ try:
             sslcontext.verify_mode = cert_reqs
             if ca_certs is not None:
                 sslcontext.load_verify_locations(cafile=ca_certs)
+            elif _canloaddefaultcerts:
+                sslcontext.load_default_certs()
 
             sslsocket = sslcontext.wrap_socket(sock,
                                                server_hostname=serverhostname)
@@ -130,10 +136,13 @@ def _plainapplepython():
             exe.startswith('/system/library/frameworks/python.framework/'))
 
 def _defaultcacerts():
+    """return path to CA certificates; None for system's store; ! to disable"""
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
         if os.path.exists(dummycert):
             return dummycert
+    if _canloaddefaultcerts:
+        return None
     return '!'
 
 def sslkwargs(ui, host):

More information about the Mercurial-devel mailing list