[PATCH 4 of 4 V2] sslutil: handle default CA certificate loading on Windows
Gregory Szorc
gregory.szorc at gmail.com
Mon Jul 4 13:04:40 EDT 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1467651851 25200
# Mon Jul 04 10:04:11 2016 -0700
# Node ID 827341bc9df5e0d5546980d7f7fd7d518c1ca716
# Parent 4254ad0849ba9b8191147f485afdcd93d8a935a5
sslutil: handle default CA certificate loading on Windows
See the inline comment for what's going on here.
There is magic built into the "ssl" module that ships with modern
CPython that knows how to load the system CA certificates on
Windows. Since we're not shipping a CA bundle with Mercurial,
if we're running on legacy CPython there's nothing we can do
to load CAs on Windows, so it makes sense to print a warning.
I don't anticipate many people will see this warning because
the official (presumed popular) Mercurial distributions on
Windows bundle Python and should be distributing a modern Python
capable of loading system CA certs.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -442,16 +442,29 @@ def _defaultcacerts(ui):
try:
import certifi
certs = certifi.where()
ui.debug('using ca certificates from certifi\n')
return certs
except ImportError:
pass
+ # On Windows, only the modern ssl module is capable of loading the system
+ # CA certificates. If we're not capable of doing that, emit a warning
+ # because we'll get a certificate verification error later and the lack
+ # of loaded CA certificates will be the reason why.
+ # Assertion: this code is only called if certificates are being verified.
+ if os.name == 'nt':
+ if not _canloaddefaultcerts:
+ ui.warn(_('(unable to load Windows CA certificates; see '
+ 'https://mercurial-scm.org/wiki/SecureConnections for '
+ 'how to configure Mercurial to avoid this message)\n'))
+
+ return None
+
# Apple's OpenSSL has patches that allow a specially constructed certificate
# to load the system CA store. If we're running on Apple Python, use this
# trick.
if _plainapplepython():
dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
if os.path.exists(dummycert):
return dummycert
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -55,16 +55,23 @@ we are able to load CA certs.
#endif
#if no-sslcontext defaultcacerts
$ hg clone https://localhost:$HGPORT/ copy-pull
abort: error: *certificate verify failed* (glob)
[255]
#endif
+#if no-sslcontext windows
+ $ hg clone https://localhost:$HGPORT/ copy-pull
+ (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
+ abort: error: *certificate verify failed* (glob)
+ [255]
+#endif
+
#if defaultcacertsloaded
$ hg clone https://localhost:$HGPORT/ copy-pull
abort: error: *certificate verify failed* (glob)
[255]
#endif
#if no-defaultcacerts
$ hg clone https://localhost:$HGPORT/ copy-pull
More information about the Mercurial-devel
mailing list