[PATCH STABLE] sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)

Gregory Szorc gregory.szorc at gmail.com
Tue Jul 26 11:25:14 EDT 2016


On Tue, Jul 26, 2016 at 5:55 AM, Yuya Nishihara <yuya at tcha.org> wrote:

> On Mon, 25 Jul 2016 20:57:55 -0400, Matt Harbison wrote:
> > On Mon, 25 Jul 2016 15:01:08 -0400, Gregory Szorc
> > <gregory.szorc at gmail.com> wrote:
> >
> > > # HG changeset patch
> > > # User Gregory Szorc <gregory.szorc at gmail.com>
> > > # Date 1469473255 25200
> > > #      Mon Jul 25 12:00:55 2016 -0700
> > > # Branch stable
> > > # Node ID 94abd7d9e7a1b8f689da7758927700a2e28959a6
> > > # Parent  9c2cc107547fd701a7604349632f2f590366f17c
> > > sslutil: work around SSLContext.get_ca_certs bug on Windows (issue5313)
>
> Queued, thanks.
>
> > > SSLContext.get_ca_certs() can raise
> > > "ssl.SSLError: unknown error (_ssl.c:636)" on Windows. See
> > > https://bugs.python.org/issue20916 for more info.
> > >
> > > We add a try..except that swallows the exception to work around
> > > this bug. If we encounter the bug, we won't print a warning
> > > message about attempting to load CA certificates. This is
> > > unfortunate. But there appears to be little we can do :/
> >
> > This fixes it for me, thanks.
> >
> > I wonder if the exception handler should duplicate the warning message,
> > since it looks like get_ca_certs() is the only thing that can throw
> > there.  OTOH, the output I got was pretty clear (though presumably there
> > are other reasons the certs could fail to load?)
>
> I think it doesn't show the warning because the failure of get_ca_certs()
> doesn't mean no certs were loaded.
>

Right. If get_ca_certs() fails due to the CPython bug, it likely means CAs
were loaded. And since the warning message relates to lack of CAs being
loaded, we don't need to display it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.mercurial-scm.org/pipermail/mercurial-devel/attachments/20160726/c6c2b016/attachment.html>


More information about the Mercurial-devel mailing list