[PATCH 6 of 8] sslutil: document the Apple Python cert trick
Yuya Nishihara
yuya at tcha.org
Sun Jul 3 06:40:48 EDT 2016
On Fri, 01 Jul 2016 19:57:42 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1467427907 25200
> # Fri Jul 01 19:51:47 2016 -0700
> # Node ID 17d67895b215c5c977d2b446611abb219160a6f9
> # Parent 101e040f8b014fe938803c68b502e7b72b4726f8
> sslutil: document the Apple Python cert trick
>
> This is sort of documented in _plainapplypython()'s docstring. But
> it helps to be explicit in security code.
>
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -438,16 +438,19 @@ def _defaultcacerts(ui):
> with demandimport.deactivated():
> try:
> import certifi
> ui.debug('using ca certificates from certifi\n')
> return certifi.where()
> except Exception:
> pass
>
> + # Apple's Python has patches that allow a specially constructed certificate
> + # to load the system CA store. If we're running on Apple Python, use this
> + # trick.
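Review bot: the added comment in _defaultcacerts() says "Apple's Python has patches" and "a specially constructed certificate" without saying which component carries the patch or which file is meant, so a reader auditing this branch cannot tell what ends up trusted. Suggest naming the helper whose docstring the commit message points to, and stating in one line that the file handed over as the CA bundle is only a trigger and the trust anchors come from the system CA store.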
IIRC, Python isn't patched, but OpenSSL is, and Apple Python doesn't provide
a sane way to load certificates from the patched OpenSSL. I don't know that
makes a difference on OS X, though.