[PATCH 2 of 2] sslutil: try to find CA certficates in well-known locations

Yuya Nishihara yuya at tcha.org
Mon Jul 11 07:51:23 EDT 2016


On Wed, 06 Jul 2016 21:19:37 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1467864960 25200
> #      Wed Jul 06 21:16:00 2016 -0700
> # Node ID af8b4f956c0599ebf3749fe9e7740bc35e4f02fe
> # Parent  93723841473c4aa7bb794144e00a8377198c79f3
> sslutil: try to find CA certficates in well-known locations

> +_systemcacertpaths = [
> +    # RHEL, CentOS, and Fedora
> +    '/etc/pki/tls/certs/ca-bundle.trust.crt',
> +    # Debian, Ubuntu, Gentoo
> +    '/etc/ssl/certs/ca-certificates.crt',
> +]

> +    # Try to find CA certificates in well-known locations. We print a warning
> +    # when using a found file because we don't want too much silent magic
> +    # for security settings. The expectation is that proper Mercurial
> +    # installs will have the CA certs path defined at install time and the
> +    # installer/packager will make an appropriate decision on the user's
> +    # behalf. We only get here and perform this setting as a feature of
> +    # last resort.
> +    if not _canloaddefaultcerts:
> +        for path in _systemcacertpaths:
> +            if os.path.isfile(path):
> +                ui.warn(_('(using CA certificates from %s; if you see this '
> +                          'message, your Mercurial install is not properly '
> +                          'configured; see '
> +                          'https://mercurial-scm.org/wiki/SecureConnections '
> +                          'for how to configure Mercurial to avoid this '
> +                          'message)\n') % path)
> +                return path
> +
> +        ui.warn(_('(unable to load CA certificates; see '
> +                  'https://mercurial-scm.org/wiki/SecureConnections for '
> +                  'how to configure Mercurial to avoid this message)\n'))

I know this code is unreachable on Windows, but I think it's better to make
_systemcacertpaths empty on Windows. '/' is user-writable on Windows, so it
could be a security flaw if we accidentally remove "if os.name == 'nt'" line.


More information about the Mercurial-devel mailing list