[PATCH 2 of 4 V2] sslutil: document the Apple OpenSSL cert trick
Gregory Szorc
gregory.szorc at gmail.com
Mon Jul 4 13:04:38 EDT 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1467651656 25200
# Mon Jul 04 10:00:56 2016 -0700
# Node ID 5502ac4d0b7380e1f666a3a5a6cc5f4319c4ed73
# Parent 21168a74003cc690f9a2ef7059e382996965247d
sslutil: document the Apple OpenSSL cert trick
This is sort of documented in _plainapplypython()'s docstring. But
it helps to be explicit in security code.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -437,16 +437,19 @@ def _defaultcacerts(ui):
try:
import certifi
certs = certifi.where()
ui.debug('using ca certificates from certifi\n')
return certs
except ImportError:
pass
+ # Apple's OpenSSL has patches that allow a specially constructed certificate
+ # to load the system CA store. If we're running on Apple Python, use this
+ # trick.
if _plainapplepython():
dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
if os.path.exists(dummycert):
return dummycert
return None
def validatesocket(sock):
More information about the Mercurial-devel
mailing list