[PATCH 02 of 11] sslutil: further refactor sslkwargs
Gregory Szorc
gregory.szorc at gmail.com
Thu May 5 03:53:19 EDT 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1462428109 25200
# Wed May 04 23:01:49 2016 -0700
# Node ID c681048bf0680635752b51e34c6be45e19e9192b
# Parent 03b9752157bd4098b2fd9d7b35c969b5c7dc22c6
sslutil: further refactor sslkwargs
The logic here and what happens with web.cacerts is mind numbing.
Make the code even more explicit.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -244,27 +244,32 @@ def sslkwargs(ui, host):
if hostfingerprint:
return kws
# dispatch sets web.cacerts=! when --insecure is used.
cacerts = ui.config('web', 'cacerts')
if cacerts == '!':
return kws
+ # If a value is set in the config, validate against a path and load
+ # and require those certs.
if cacerts:
cacerts = util.expandpath(cacerts)
if not os.path.exists(cacerts):
raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
- else:
- # CA certs aren't explicitly listed in the config. See if we can load
- # defaults.
- cacerts = _defaultcacerts()
- if cacerts and cacerts != '!':
- ui.debug('using %s to enable OS X system CA\n' % cacerts)
- ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+
+ kws.update({'ca_certs': cacerts,
+ 'cert_reqs': ssl.CERT_REQUIRED})
+ return kws
+
+ # No CAs in config. See if we can load defaults.
+ cacerts = _defaultcacerts()
+ if cacerts and cacerts != '!':
+ ui.debug('using %s to enable OS X system CA\n' % cacerts)
+ ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
if cacerts != '!':
kws.update({'ca_certs': cacerts,
'cert_reqs': ssl.CERT_REQUIRED,
})
return kws
class validator(object):
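Review bot: The fall-through path at the end of the hunk still returns `kws` without `cert_reqs` when `_defaultcacerts()` returns `'!'`, and that is the one case the new comments leave unexplained. Because the final `if cacerts != '!':` is skipped, the result looks the same as the `--insecure` return near the top, with nothing in the hunk logging or documenting it. What `kws` holds at that point is set above the hunk, so whether the peer certificate ends up unverified there is an inference and worth confirming against the caller. I would add a comment before that check, for example `# '!' from _defaultcacerts() means no usable default CA bundle; kws is returned without cert_reqs, so this function does not require verification on this path.`, and consider a `ui.debug` line next to it. Separately, the two `kws.update({...})` calls now set the same two keys with different formatting; writing them identically would make it obvious that both branches require `ssl.CERT_REQUIRED`.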