[PATCH 4 of 8] sslutil: don't attempt to find default CA certs file when told not to

Gregory Szorc gregory.szorc at gmail.com
Fri Jul 1 22:57:40 EDT 2016


# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1467425865 25200
#      Fri Jul 01 19:17:45 2016 -0700
# Node ID ab3d545871efb2e0405d576f3bda1c935d6b6d31
# Parent  dc05122ccfcf77c65984f3196089f86472a6dd17
sslutil: don't attempt to find default CA certs file when told not to

Before, devel.disableloaddefaultcerts only impacted the loading of
default certs via SSLContext. After this patch, the config option also
prevents sslutil._defaultcacerts() from being called.

This config option is meant to be used by tests to force no CA certs
to be loaded. Future patches will enable _defaultcacerts() to have
success more often. Without this change we can't reliably test the
failure to load CA certs. (This patch also likely fixes test failures
on some OS X configurations.)

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -190,17 +190,17 @@ def _hostsettings(ui, hostname):
             # Find global certificates file in config.
             cafile = ui.config('web', 'cacerts')
 
             if cafile:
                 cafile = util.expandpath(cafile)
                 if not os.path.exists(cafile):
                     raise error.Abort(_('could not find web.cacerts: %s') %
                                       cafile)
-            else:
+            elif s['allowloaddefaultcerts']:
                 # CAs not defined in config. Try to find system bundles.
                 cafile = _defaultcacerts(ui)
                 if cafile:
                     ui.debug('using %s for CA file\n' % cafile)
 
             s['cafile'] = cafile
 
         # Require certificate validation if CA certs are being loaded and
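
Review bot: on the new `elif s['allowloaddefaultcerts']:` line, the case where web.cacerts is unset and the flag is false now falls through with no output, so `s['cafile']` is assigned the empty value returned by `ui.config('web', 'cacerts')` without any trace in the debug log. A `ui.debug` message or a short comment on that path would make it clear that skipping `_defaultcacerts(ui)` is intentional, which matters because the comment that follows ties the certificate validation requirement to whether CA certs are being loaded. The existing comment "CAs not defined in config. Try to find system bundles." could also say that the branch is skipped when devel.disableloaddefaultcerts is set. The diff as shown touches only mercurial/sslutil.py, so a test that sets the option and checks that no CA file is selected would pin down the behaviour the commit message describes.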

