[PATCH 2 of 2] sslutil: try to find CA certificates in well-known locations
Yuya Nishihara
yuya at tcha.org
Mon Jul 11 07:51:23 EDT 2016
On Wed, 06 Jul 2016 21:19:37 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1467864960 25200
> # Wed Jul 06 21:16:00 2016 -0700
> # Node ID af8b4f956c0599ebf3749fe9e7740bc35e4f02fe
> # Parent 93723841473c4aa7bb794144e00a8377198c79f3
> sslutil: try to find CA certificates in well-known locations
> +_systemcacertpaths = [
> + # RHEL, CentOS, and Fedora
> + '/etc/pki/tls/certs/ca-bundle.trust.crt',
> + # Debian, Ubuntu, Gentoo
> + '/etc/ssl/certs/ca-certificates.crt',
> +]
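Review bot: the order of the entries in _systemcacertpaths is also the lookup precedence, because the loop that consumes the list returns the first path that exists, but nothing at the definition says so. Suggest a comment above the list stating that order is significant, so a later addition is not inserted ahead of an existing entry by accident. The list is also defined unconditionally at module level with absolute POSIX paths; if it is only meant for POSIX systems, saying that here (or building it conditionally) keeps the assumption next to the data.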
> + # Try to find CA certificates in well-known locations. We print a warning
> + # when using a found file because we don't want too much silent magic
> + # for security settings. The expectation is that proper Mercurial
> + # installs will have the CA certs path defined at install time and the
> + # installer/packager will make an appropriate decision on the user's
> + # behalf. We only get here and perform this setting as a feature of
> + # last resort.
> + if not _canloaddefaultcerts:
> + for path in _systemcacertpaths:
> + if os.path.isfile(path):
> + ui.warn(_('(using CA certificates from %s; if you see this '
> + 'message, your Mercurial install is not properly '
> + 'configured; see '
> + 'https://mercurial-scm.org/wiki/SecureConnections '
> + 'for how to configure Mercurial to avoid this '
> + 'message)\n') % path)
> + return path
> +
> + ui.warn(_('(unable to load CA certificates; see '
> + 'https://mercurial-scm.org/wiki/SecureConnections for '
> + 'how to configure Mercurial to avoid this message)\n'))
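Review bot: the os.path.isfile(path) test in the loop only shows that a regular file exists, not that it can be read or that it contains any certificates, yet the code warns "using CA certificates from %s" and returns on the first hit. Suggest also checking os.access(path, os.R_OK) before returning, or making sure the caller reports a load failure for the returned path, so an unreadable or empty bundle at the first location does not end the search with a misleading message.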
I know this code is unreachable on Windows, but I think it's better to make
_systemcacertpaths empty on Windows. '/' is user-writable on Windows, so it
could be a security flaw if we accidentally remove the "if os.name == 'nt'" line.
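
The concern in the reply above, as an added example that is not part of the original message or of Mercurial's code: the candidate list is built empty on Windows, so it stays safe without a separate os.name check at the call site. The names candidate_ca_paths, is_protected_file and find_system_ca_file, the trusted_uids parameter, and the ownership/permission check itself are assumptions that go beyond what the thread proposes.

```python
import os
import stat

# Candidate paths copied from the quoted patch; order is lookup precedence.
POSIX_CA_PATHS = [
    '/etc/pki/tls/certs/ca-bundle.trust.crt',  # RHEL, CentOS, Fedora
    '/etc/ssl/certs/ca-certificates.crt',      # Debian, Ubuntu, Gentoo
]

def candidate_ca_paths(osname=os.name):
    """Return the well-known paths, or nothing at all on Windows, where
    '/' resolves to a drive root that ordinary users may write to."""
    return [] if osname == 'nt' else list(POSIX_CA_PATHS)

def _modifiable_by_untrusted(st, trusted_uids):
    """True if an account outside trusted_uids could change this inode."""
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def is_protected_file(path, trusted_uids=(0,)):
    """Hypothetical check: path is a regular file, and neither the file
    nor its containing directory can be modified by an untrusted account."""
    try:
        real = os.path.realpath(path)            # follow symlinks first
        fst = os.stat(real)
        dst = os.stat(os.path.dirname(real))
    except OSError:
        return False                             # missing or unreadable
    if not stat.S_ISREG(fst.st_mode):
        return False
    return not (_modifiable_by_untrusted(fst, trusted_uids)
                or _modifiable_by_untrusted(dst, trusted_uids))

def find_system_ca_file(candidates=None, trusted_uids=(0,)):
    """Return the first protected candidate in order, or None."""
    if candidates is None:
        candidates = candidate_ca_paths()
    for path in candidates:
        if is_protected_file(path, trusted_uids):
            return path
    return None
```
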